How to Configure the Mikrotik hAP ax lite as a WiFi Client (WPA2-Enterprise)

August 6th at 4:20pm

I'll be at DEF CON 31 next week and in preparation for the event have upgraded my portable wifi router to a Mikrotik hAP ax lite. My preference is to have a separate device handle WiFi connectivity to conference networks and use wired connectivity to the various devices I like to operate during the event. What I like about the hAP ax lite is that it is powered through a USB-C connector and includes the capability to act as a WiFi client to pass traffic back to the 4 ethernet jacks provided on the back of the unit.

As this is my first time configuring a Mikrotik router, I want to document it for future reference.

References

Manual: Wireless PEAP client with FreeRADIUS [wiki.mikrotik.com]
Can I do CLIENT mode WPA2 Enterprise (802.1x) PEAP? [forum.mikrotik.com]
cant set password with certain special chars from command line [forum.mikrotik.com]
Manual:Scripting (Constant Escape Sequences) [wiki.mikrotik.com]
how To "$" in terminal? [forum.mikrotik.com]
v7.5 [stable] is released! [forum.mikrotik.com]
WifiWave2 [help.mikrotik.com]
couldn't add new DHCP client - can not run on slave interface [forum.mikrotik.com]
Routerboard configuration as WiFi client [forum.mikrotik.com]

Goal

Get the Mikrotik to connect to a WPA2-Enterprise network and provide DHCP addresses to devices which connect to the LAN ports.

For reference, I appear to be running RouterOS v7.8 (stable)... At least that's what it shows when I login to the web interface

Process

I admit I'm still acclimating myself to the Mikrotik Web Interface and there may be an easier way to go about this process. Here's what worked for me:

1- Connect to the Mikrotik using an ethernet cable
2- Remove the WiFi interface from the Bridge (this is done from the Bridge -> bridge -> ports area). Note how this screenshot shows only 'ether' interfaces and no Wifi:

3- Configure the wifi interface to be the WAN interface

4- Set the WiFi interface to station mode (Wireless -> wifi)

5- While on the wifi interface screen, also set the following parameters (Security profile for the EAP Client):

SSID = Name of the Wireless Network that should be joined as a client
Authentication Types = WPA2 EAP
EAP Methods = PEAP
EAP Certificate Mode = dont verify certificate (** You may want this... for my use it would be counterproductive)
EAP Username = username for the enterprise network
EAP Password = password for the enterprise network
EAP Anonymous Identity = username which shows up in the server logs... masks your 'EAP Username' to prevent sniffing

5- Configure the wifi interface to be a DHCP Client

Once that is all setup, the Mikrotik should connect to wifi. It should also provide DHCP to clients on the LAN side as the default 'bridge' already supplies DHCP on that side.