MikroTik - Passpoint Configuration

Configure Passpoint (Hotspot 2.0) on MikroTik RouterOS devices to enable automatic WiFi authentication through IronWifi's cloud RADIUS service. This provides seamless WPA2/WPA3-Enterprise connections without manual network selection or splash pages.

Prerequisites

In MikroTik:

MikroTik device with wireless capability supporting 802.11u
RouterOS 6.47.10+ or 6.48.3+ (for GUI support)
RouterOS 7.x recommended for latest features

In IronWifi Console (complete these first):

Sign in to the IronWifi Management Console
Go to Networks and select your network
Enable Passpoint from the dropdown
Note the following values:
- RADIUS server IP
- RADIUS port
- RADIUS secret
- Realm (e.g.,
```
ironwifi.com
```
  )

RouterOS Version Requirements

Feature	Minimum Version
802.11u basic	RouterOS 6.0+
Interworking GUI	RouterOS 6.47.10+
Full Passpoint	RouterOS 7.x

RADIUS Configuration

Configure the RADIUS server in RouterOS:

/radius
add address=<RADIUS_IP> authentication-port={AUTH_PORT} accounting-port={ACCT_PORT} \
    secret=<RADIUS_SECRET> service=wireless

Replace:

```
<RADIUS_IP>
```
- IronWifi RADIUS server address
```
<RADIUS_SECRET>
```
- Your RADIUS shared secret

Wireless Security Profile

Create a security profile for WPA2-Enterprise:

/interface wireless security-profiles
add name=passpoint-profile authentication-types=wpa2-eap \
    mode=dynamic-keys eap-methods=passthrough \
    tls-mode=no-certificates

802.11u / Interworking Configuration

RouterOS 7.x (CLI)

/interface wireless interworking-profiles
add name=passpoint-profile \
    access-network-type=free-public-network \
    internet=yes \
    asra=no \
    esr=no \
    uesa=no \
    venue-group=business \
    venue-type=unspecified-business \
    hessid=auto \
    network-auth-type=acceptance-of-terms-and-conditions \
    ipv4-availability=public \
    ipv6-availability=not-available

Hotspot 2.0 (HS2.0) Settings

/interface wireless hotspot20-profiles
add name=hs20-profile \
    domain-names=ironwifi.net \
    operator-names="IronWifi:eng" \
    wan-metrics="symmetric,1,50000,50000,0,0" \
    connection-capabilities="1:0:6,17:5060:0,50:0:0"

NAI Realm Configuration

Configure the NAI Realm for authentication:

/interface wireless nai-realms
add profile=passpoint-profile \
    realm=ironwifi.com \
    eap-methods="eap-ttls:non-eap-pap,non-eap-mschapv2;eap-tls:"

Roaming Consortium (OIs)

Add Roaming Consortium Organization Identifiers for OpenRoaming:

/interface wireless roaming-ois
add profile=passpoint-profile oi=5A03BA0000
add profile=passpoint-profile oi=004096

For OpenRoaming, add these OIs:

```
5A03BA0000
```
- WBA OpenRoaming
```
004096
```
- Cisco OpenRoaming
Standard IronWifi OI as provided in console

Apply to Wireless Interface

Apply the configuration to your wireless interface:

/interface wireless
set wlan1 security-profile=passpoint-profile \
    interworking-profile=passpoint-profile \
    ssid="IronWifi-Passpoint"

Complete Configuration Example

# RADIUS Server
/radius
add address=us-east1.ironwifi.com authentication-port={AUTH_PORT} \
    accounting-port={ACCT_PORT} secret=your-secret service=wireless

# Security Profile
/interface wireless security-profiles
add name=passpoint-profile authentication-types=wpa2-eap \
    mode=dynamic-keys eap-methods=passthrough

# Interworking Profile
/interface wireless interworking-profiles
add name=passpoint-profile access-network-type=free-public-network \
    internet=yes venue-group=business venue-type=unspecified-business

# HS2.0 Profile
/interface wireless hotspot20-profiles
add name=hs20-profile domain-names=ironwifi.net

# NAI Realm
/interface wireless nai-realms
add profile=passpoint-profile realm=ironwifi.com \
    eap-methods="eap-ttls:non-eap-pap;eap-tls:"

# Roaming OIs
/interface wireless roaming-ois
add profile=passpoint-profile oi=5A03BA0000

# Apply to interface
/interface wireless
set wlan1 mode=ap-bridge ssid="Passpoint-Network" \
    security-profile=passpoint-profile \
    interworking-profile=passpoint-profile

GUI Configuration (WinBox)

For RouterOS versions with GUI support:

Open WinBox and connect to your router
Go to Wireless > Security Profiles
Create new profile with WPA2-EAP settings
Go to Wireless > Interworking Profiles
Create new interworking profile
Configure 802.11u settings
Apply profiles to your wireless interface

Verification

Check the configuration:

# View interworking profile
/interface wireless interworking-profiles print

# View wireless interface status
/interface wireless print detail

# Check connected clients
/interface wireless registration-table print

# View RADIUS statistics
/radius print stats

Troubleshooting

Clients Don't Discover Network

Verify 802.11u is enabled
Check interworking profile is applied
Ensure SSID is broadcasting
Verify client supports Passpoint

Authentication Fails

Check RADIUS server connectivity
Verify shared secret matches
Review IronWifi authentication logs
Ensure NAI realm is correct

Roaming Not Working

Verify roaming consortium OIs
Check domain names match
Ensure consistent configuration across APs

Prerequisites​

In MikroTik:​

In IronWifi Console (complete these first):​

RouterOS Version Requirements​

RADIUS Configuration​

Wireless Security Profile​

802.11u / Interworking Configuration​

RouterOS 7.x (CLI)​

Hotspot 2.0 (HS2.0) Settings​

NAI Realm Configuration​

Roaming Consortium (OIs)​

Apply to Wireless Interface​

Complete Configuration Example​

GUI Configuration (WinBox)​

Verification​

Troubleshooting​

Clients Don't Discover Network​

Authentication Fails​

Roaming Not Working​

Related Topics​