Secure wireless network effortlessly

Starting with RouterOS v6.25, support for WPS has been announced, which is an excellent technology for quickly connecting clients without problems with long passwords. Despite the widespread hype about WPS security issues, with the correct implementation and understanding of the mechanism of its operation, the technology becomes an excellent assistant in the hands of the system administrator.

There are two types of WPS connection - entering a PIN code and pressing the WPS button on the router. Only an early implementation with a PIN code is susceptible to attacks; the developers decided not to implement this type of connection at all and did it right - there is no way to search. The second method implies that at the time of connecting to the access point, the corresponding button is pressed on it programmatically or physically and the client and the point are connected automatically. It is this method that we will use in our work. Under the cat, detailed instructions for setting up and using WPS on Mikrotik.

How it works

The physical button for WPS appeared only in the last few Mikrotik routers, in all the rest you need to press it programmatically. Moreover, it should be convenient for the administrator to click it, without going into the router settings every time. I implemented this idea, the essence boils down to the following: a complex WPA2 password is put on the access point, for example 32 characters (it’s best not to put the maximum 64, not all clients understand this length, although they should by standard), then on the administrator’s desktop clicks the shortcut WPS and the desired client must be connected to our point within two minutes. To avoid connecting third-party clients, it’s better to do the opposite: first, the client tries to connect to the access point (it is expected to enter a password or press the WPS button), then the administrator presses WPS and the client immediately connects to the network.

Basic requirements

The first thing we need to do is upgrade RouterOS to version v6.25 or higher. Then, from the downloads page, download the Wireless CAPsMANv2 test package (wireless-cm2 - *. Npk) and add it to the packages. WPS support appeared only in the second version of CAPsMAN, so the first version (wireless-fp - *. Npk) will be automatically disabled, as well as the standard wireless - *. Npk. The transition between packages can be done remotely, after a reboot, all settings of access points are saved.

Interface Definition

The second - we need to determine which interface we will “push” WPS. The fact is that from the WinBox interface you can click WPS only for the main access point, although there can be as many as you like. To do this, we write “int wir pr” in the terminal, which abbreviates interface wireless print - in RouterOS you can enter only part of the command if it is unique. We remember the number of the interface we need, it is to him that the WPS command will be sent. Suppose we need the number 0, it will be used later in the example.

Finishing touches

The third. We create a separate user specifically for the WPS team. The action is optional, but safer. We create a wps group, to which we give only such rights: ssh, read, test. We create the wps user and add him to this group. At the same time, we check that ssh (ip services) is enabled in Mikrotik, we edit the allowed range of addresses for entry and, if necessary, set a non-standard port.

Double click

Everything is ready on the router itself, it remains only to connect to it and send a command. Putty or its console analogue plink is perfect for this purpose. The command line will look like this:

putty.exe -ssh 192.168.1.1 -l wps -pw password -m wps.txt

Next we create a wps.txt file with the following contents: “int wir wps 0”, where 0 is the number of our interface, and the command itself is shortened from interface wireless wps-push-button. And we create a shortcut on the desktop with this command line with the opening of a window minimized into an icon - this way the window will not flicker, especially in the case of plink. At the first start, you will need to remember the ssh key, the rest will happen automatically and instantly execute our command. For a non-standard port, use the -P switch, and if necessary, see the documentation.

It should be noted that the client must also support WPS for such a fast connection. It is supported by almost all devices on Android, but iOS does not support it at all. For Windows clients, WPS adapter support is required - older modules may not see it, but most laptops support it without problems. A characteristic sign - when connecting to an access point, a message should appear under the password that, in addition to the password, you can also press the WPS button on the router. If this message is not there, a miracle will not happen.

Summary

It is especially important for organizations to pay due attention to wireless networks, and weak passwords are a major security risk. With this WPS setting, the administrator can set the most complicated password and connect new equipment in one motion without risk of compromising the password.