
Convenient use of WPS in Mikrotik

Effortless, secure wireless network


Starting with RouterOS v6.25, WPS is supported, an excellent technology for quickly connecting clients without the hassle of long passwords. Contrary to the widespread hype about WPS security problems, with a proper implementation and an understanding of how it works, the technology becomes a great helper in the hands of a sysadmin.

There are two ways to connect via WPS: entering a PIN code and pressing the WPS button on the router. Only the early PIN-based implementation is subject to attacks; the developers decided not to implement this type of connection at all, and rightly so, so there is nothing to attack through it. The second method means that, at the moment the client connects to the access point, the corresponding button is pressed on it physically or in software, and the client connects fully automatically. This is the method we will use. Detailed instructions for setting up and using WPS on MikroTik follow.


How it works


A physical WPS button has appeared only on the last few MikroTik routers; on all the others it has to be pressed in software. And pressing it should be convenient for the administrator, without going into the router settings every time. I implemented this idea, and the essence comes down to the following: a complex WPA2 password is set on the access point, for example 32 characters (the 64-character maximum is better avoided, since not all clients handle that length, although the standard says they should), then the administrator clicks a WPS shortcut on the desktop and the client has two minutes to connect to our access point. To keep third-party clients from connecting, it is better to do it the other way around: first the client tries to connect to the access point (it waits for a password or for the WPS button to be pressed), then the administrator clicks the WPS shortcut and the client instantly connects to the network. The desktop shortcut is just an example; the trigger can be anything, from an SMS to control from a phone.

Basic requirements


First, upgrade RouterOS to v6.25 or higher. Then download the Wireless CAPsMANv2 test package (wireless-cm2-*.npk) from the download page and add it to the packages. WPS support appeared only in the second version of CAPsMAN, so the first version (wireless-fp-*.npk) will be disabled automatically, as will the standard wireless-*.npk. Switching between packages can be done remotely; all access point settings are preserved after the reboot.


Interface definition


Second, we need to determine which interface we will “press” WPS on. From the WinBox interface you can press WPS only for the main access point, although there can be any number of access points. To find out, type “int wir pr” in the terminal, short for interface wireless print; RouterOS accepts just part of a command as long as it is unique. Note the number of the interface we need; the WPS command will be sent to it. Suppose we need number 0; it is used in the example later.


Finishing touches


Third, create a separate user specifically for the WPS command. This step is optional, but safer. Create a group wps with only these rights: ssh, read, test. Create a user wps and add it to this group. Also check that ssh is enabled on the MikroTik (ip services), restrict the address range allowed to log in and, if necessary, set a non-standard port.


Double click


Everything is ready on the router itself; all that remains is to connect to it and send the command. PuTTY or its console counterpart plink is perfect for this. The command line looks like this:

putty.exe -ssh 192.168.1.1 -l wps -pw password -m wps.txt 

Next, create a file wps.txt with the following content: “int wir wps 0”, where 0 is the number of our interface and the command itself is short for interface wireless wps-push-button. Then create a desktop shortcut with this command line, set to run minimized so that the window does not flash, especially in the case of plink. On the first run you will need to accept and store the SSH host key; after that everything happens automatically and our command executes instantly. For a non-standard port, use the -P option, and see the documentation if necessary.

Note that the client must also support WPS for such a fast connection. Almost all Android devices support it, but iOS does not support it at all. Windows clients need WPS support in the adapter: older modules may lack it, but most laptops support it without problems. A telltale sign: when connecting to a password-protected access point, a message should appear saying that, in addition to entering the password, you can also press the WPS button on the router. If this message does not appear, the miracle will not happen.
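The router-side steps described above (finding the interface number, the restricted wps group and user, and the SSH service restriction), written out as RouterOS terminal commands. This is an added example, not part of the original article; the password, the 192.168.1.0/24 subnet and port 2222 are assumed placeholders.

```routeros
# Added example: values marked "assumed" are placeholders, not from the article.

# Interface definition: list wireless interfaces and note the number to use.
/interface wireless print

# Group limited to the three policies named in the article.
# Policies not listed here stay disabled for the new group.
/user group add name=wps policy=ssh,read,test

# Dedicated user in that group. address= limits where this user may log in from.
# Password and subnet are assumed placeholders.
/user add name=wps group=wps password="CHANGE-ME-long-random" address=192.168.1.0/24

# SSH service: make sure it is enabled, restrict the source range,
# and optionally move it off the default port (subnet and port are assumed).
/ip service set ssh disabled=no address=192.168.1.0/24 port=2222

# Verify the result before creating the desktop shortcut.
/user group print where name=wps
/user print where name=wps
/ip service print where name=ssh

# The command the shortcut sends, in full form, for interface number 0
# as used in the article.
/interface wireless wps-push-button 0
```

If the SSH port is changed as shown, the PuTTY or plink command line needs the matching -P value.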


Results


In organizations it is especially important to pay due attention to wireless networks, and weak passwords are a major security threat. With WPS set up this way, the administrator can set the most complex password and connect a new device in one motion without the risk of compromising the password.

Source: https://habr.com/ru/post/250505/

