Skip to the content.

This short document describes how to get OpenRoaming working on MikroTik devices. It contains both the Web / GUI instructions, as well as CLI instructions.

It is expected that the reader has at least a minimum amount of Mikrotik knowledge.


MikroTik Configuration

Step 1 - Login

This should be fairly self explanatory - you need to connect to the device and login.


Select ‘WebFig’ to actually configure the device. Newcomers to Miktotik often assume that ‘Quickstart’ will help guide them through the setup, but it makes a config which it difficult to update / modify. It also is very restricted, and will not let you do most of the necessesary configuration. Remember WebFig!

Step 2 - Configure RADIUS on the MikroTik

This configures the MikroTik to connect to the RADIUS proxy. The RADIUS proxy will then connect to the OpenRoaming IDP. I’m assuming that you have already configured radsecproxy, if not, there is an example configuration at the end of this document.

Throughout this document, the things that you need to change are highlighted in blue (this is built into MikroTik’s web interface)

images/MikroTik RADIUS Config

As noted below, I am using ports 11812, 11813.

As usual, the parameters that you need to change are highlighted in blue. One worth noting is the ‘Wireless’ checkbox under ‘Service’ - it’s fairly easy to miss this if you are not paying attention!

Great. You should now have a working RADIUS configuration. Moving on.

CLI Configuration:

add accounting-port=11813 address=150.[ELIDED]
authentication-port=11812 comment=OpenRoaming
secret=2e[ELIDED] service=wireless timeout=4s

Step 3 - Configure the Wireless Security Profile.

This is configured under Wireless -> Security Profiles -> New. This is the same place that you normally configure WPA2 Pre-Shared Key (PSK) security, but we need to create a profile that uses WPA2 Enterprise (WPA2-EAP).

Wireless Security Profile

The “magic” here is that you need to choose ‘WPA2 EAP’ (Extensible Authentication Protocol) under ‘Authentication Types’, and ‘EAP Accounting’ under ‘RADIUS’. I set the ‘Interim Update’ to be ‘00:05:00’. Also set the Mode to ‘dynamic keys’. This means that the MikroTik will send an accounting update every 5 minutes. This is important for OpenRoaming, as it uses the accounting updates to figure out when a user has left the network.

CLI Configuration:

/interface wireless security-profiles
add authentication-types=wpa2-eap
interim-update=5m mode=dynamic-keys name=OpenRoaming
radius-eap-accounting=yes supplicant-identity=""

Step 4 - Configure OpenRoaming / Passpoint

So far we have just been configuring the MikroTik to talk to the RADIUS proxy. Now we need to configure the MikroTik to advertise OpenRoaming in the Beacons, configure IEEE 802.11u, ANQP, Roaming OIS and a bunch of other acronyms too…

This is done under Wireless -> Internetworking Profiles.

Click on ‘New’ to create a new profile.

Wireless Internetworking Profile

This is where you will need perform the most customization to match your deployment.

I configured this demo at home, and so I selected ‘residential private’ as the ‘Venue’ type, and ‘single nated’ as the ‘IPv4 Availability’. I have residential Comcast connectivity, and so I cannot (usefully) provide IPv6 connectivity to my guests, and so I have left the default of “No IPv6”. Make sure that you also select ‘Internet’ (assuming, of course, you are actually providing Internet connectivity).

The list of ‘Domain Names’ will vary based on your deployment - with this configuration I’m allowing people authenticated through Google and Apple to connect to my network.

Now for the more tricky bits – the ‘Roaming OIS’. The terminology here is somewhat confusing. This will allow you to advertise 24-bit roaming Organization Unique Identifiers (OUI) and / or 36-bit Roaming Consortium Identifier (RCOI).

Here I am advertising:

Note that this configuration will log the email address of people connecting to your OpenRoaming network:

RADIUS Proxy Logs

Hotspot 2.0/Passpoint used 24-bit IEEE assigned OUIs to identify the roaming consortium, but, annoyingly, I wasn’t able to find a public list of consortia.

The encoding of RCOIs is somewhat weird, because things don’t really align on byte boundaries. It is described in draft-tomas-openroaming - “WBA OpenRoaming Wireless Federation” (work in progress). The 24-bit IEEE assigned OUIs are extended to 36-bit OUI-36s, with the octets 4 and 5 used to encode the LoA, QoS, PID, ID-Type, etc. I used to manually set bits and then shift them, but have just discovered the WBA OpenRoaming Configurator tool which makes this much easier.

CLI Configuration:

/interface wireless interworking-profiles
name=OpenRoaming network-type=public-free

Step 5 - Configure the Wireless Interface

Finally, we are on the home stretch. We need to configure the wireless interface to use the security profile and internetworking profile that we just created.

I didn’t want to change my primary network to advertise OpenRoaming, so I created a new interface called ‘OpenRoaming’. This is done under Wireless -> Interfaces -> New.

Wireless Interface

The important things to note here are:

Remember to make sure that this network actually works (gets an IP address, that people connecting can reach the Internet, etc). I’ve found it easiest to first create the interface with a “normal” (WPA-PSK), known-working Security Profile and no Internetworking Profile, test it, and then enable the Security and Internetworking Profiles. If you do this, remember to “forget” the network in your phone when changing these, or your device will likely be confused.

CLI Configuration:

/interface wireless
add comment=OpenRoaming interworking-profile=OpenRoaming
mac-address=4A:A9:8A:19:F4:E2 master-interface=wlan1
name=OpenRoaming security-profile=OpenRoaming
ssid=OpenRoaming wds-default-bridge=bridge


Everything should now be working. Install an OpenRoaming client on your phone / test device, and connect to whatever SSID you have enable OpenRoaming on.

Login to the RADSEC proxy and check the logs (sudo journalctl -feu radsecproxy) to make sure that everything is working as expected:

RADIUS Proxy Logs

Radsecproxy Configuration

I install radsecproxy on a Debian 10 style system. The configuration is fairly simple, and is shown below. Note that you need a validly signed certificate from the WBA OpenRoaming CA. This document does not go into how you generate the Certificate Signing Request (CSR), get it signed, etc.

Certificate and Keys

The certificates and keys go in a directory called /etc/radsecproxy: Certificate and Keys

Actual radsecproxy configuration

I have configured my radsecproxy to listen on port 11812 and 11813. This makes it somewhat easier for me to debug (and I was already using 1812 and 1813 for other things).

The LogLevel parameter is very useful to debug what is actually happening, but the logs can grow quite large, so I’ve bumped it back down to 3.


The dynamicLookupCommand is what does the magic of looking up the realm in the OpenRoaming DNS. The dynamicLookupCommand is a script that is called by radsecproxy to figure out the IDP to use. This needs to be executable by the user that radsecproxy runs as. example