Interworking Profiles
Summary
Interworking Profiles in RouterOS implement the IEEE 802.11u standard and the Hotspot 2.0 specification to enhance wireless network discovery and selection. These profiles enable Access Points to advertise detailed network information to clients, facilitating better network selection based on user preferences, network capabilities, and service provider requirements.
This documentation covers configuration of Interworking Profiles in the regular Wireless package and the WifiWave2 package, both of which share identical parameters.
Overview
What is Interworking?
Interworking is the capability that allows two or more network systems to work together. In wireless networking, standard beacons and probe requests contain limited information about the network. The IEEE 802.11u-2011 standard was created to address this limitation by specifying how devices should exchange extended network information.
Key benefits include:
- Enhanced network discovery and selection criteria for client devices
- Support for public, private, and guest network classification
- Information about internet availability and network access requirements
- Emergency services reachability indicators
Hotspot 2.0
Hotspot 2.0 is a Wi-Fi Alliance specification designed to provide a more cellular-like experience when connecting to Wi-Fi networks. It builds upon IEEE 802.11u interworking and adds:
- Mandatory WPA2 authentication for improved security
- Additional ANQP (Access Network Query Protocol) elements
- Operator and venue information advertising
- WAN status reporting for load balancing
Configuration Properties
Sub-menu: /interface wireless interworking-profiles
Information Elements in Beacon and Probe Response
These parameters control the information included in beacon and probe response frames:
| Property | Description |
|---|---|
| asra (yes \| no; Default: no) | Additional Steps Required for Access. Set to yes if users must complete additional steps to access the internet, such as a walled-garden portal. |
| esr (yes \| no; Default: no) | Emergency Services Reachable. Set to yes to indicate that emergency services are accessible through this AP. |
| hessid (MAC address) | Homogeneous Extended Service Set Identifier. Identifies APs providing access to the same external networks. Should be globally unique; typically one of the AP MAC addresses in the service set is used. |
| internet (yes \| no; Default: yes) | Indicates whether internet access is available through this connection. Included in the Interworking element. |
| network-type (see below; Default: wildcard) | Network access type classification. Values: emergency-only, personal-device, private, private-with-guest, public-chargeable, public-free, test, wildcard |
| uesa (yes \| no; Default: no) | Unauthenticated Emergency Service Accessible. Indicates whether emergency services are reachable without authentication. |
| venue (venue; Default: unspecified) | Venue where the AP is located. Examples: business-bank, mercantile-shopping-mall, educational-university-or-college |
Network Type Values
- emergency-only: Network dedicated to emergency services only
- personal-device: Network of personal devices (e.g., camera attached to printer)
- private: Network for users with accounts (enterprise/employee use)
- private-with-guest: Private network with guest access available
- public-chargeable: Public network requiring payment (subscription, hotel internet)
- public-free: Free public network (municipal, airport)
- test: Testing/experimental network (not for production)
- wildcard: Client-side wildcard to match all network types
ANQP Elements
ANQP (Access Network Query Protocol) allows clients to query for detailed network information before association. The following properties configure ANQP element responses:
| Property | Description |
|---|---|
| 3gpp-raw (hex string) | 3GPP cellular network advertisement (country/network codes). Helps Hotspot 2.0 clients select APs for 3GPP network access. See 3GPP TS 24.302 Annex H. |
| 3gpp-info (mcc/mnc) | Cellular network info in “mcc/mnc” format. Multiple pairs can be comma-separated. |
| authentication-types (url) | Required authentication types when asra=yes. Options: dns-redirection:url, https-redirection:url, online-enrollment:url, terms-and-conditions:url |
| connection-capabilities (protocol:port:state) | IP protocol/port availability information. Format: protocol:port:state, where state is one of closed, open, unknown. |
| domain-names (list) | FQDNs of the Hotspot operator. Clients can check for credential suffix matches. |
| ipv4-availability (see below; Default: not-available) | IPv4 address availability type |
| ipv6-availability (available \| not-available \| unknown; Default: not-available) | IPv6 address availability |
| realms (string:eap-method) | Supported realms and EAP methods. Format: example.com:eap-tls,foo.bar:not-specified |
| realms-raw (hex string) | Manual NAI Realm ANQP element configuration |
| roaming-ois (hex string) | Organization Identifiers for roaming partners. Format: 03E48D8C036C3B6B (length + OI) |
| venue-names (name:lang) | Venue names with language codes. Example: CoffeeShop:eng,TiendaDeCafe:es |
IPv4 Availability Values
- not-available: No IPv4 available
- public: Public IPv4 address
- port-restricted: Port-restricted IPv4
- single-nated: Single NATed private IPv4
- double-nated: Double NATed private IPv4
- port-restricted-single-nated: Both port-restricted and single NATed
- port-restricted-double-nated: Both port-restricted and double NATed
- unknown: Availability unknown
Hotspot 2.0 ANQP Elements
Additional ANQP elements specific to Hotspot 2.0:
| Property | Description |
|---|---|
| hotspot20 (yes \| no; Default: yes) | Enable Hotspot 2.0 capability advertisement |
| hotspot20-dgaf (yes \| no; Default: yes) | Downstream Group-Addressed Forwarding. Setting no disables forwarding of multicast/broadcast frames to clients. Use with multicast-helper=full. |
| operational-classes (list) | Available operational classes for other bands in the same ESS |
| operator-names (name:lang) | Operator names with language codes |
| wan-at-capacity (yes \| no; Default: no) | Indicates that the AP/network is at maximum capacity |
| wan-downlink (kbps; Default: 0) | WAN downlink speed in kbps (0 = unknown) |
| wan-downlink-load (0-255; Default: 0) | WAN downlink load (0 = unknown, 255 = 100%) |
| wan-measurement-duration (0-65535; Default: 0) | Load measurement duration in tenths of a second |
| wan-status (down \| reserved \| test \| up; Default: reserved) | WAN connection status |
| wan-symmetric (yes \| no; Default: no) | Whether WAN upload and download speeds are the same |
| wan-uplink (kbps; Default: 0) | WAN uplink speed in kbps (0 = unknown) |
| wan-uplink-load (0-255; Default: 0) | WAN uplink load (0 = unknown, 255 = 100%) |
General Properties
| Property | Description |
|---|---|
| comment (string) | Short description of the profile |
| name (string) | Name of the Interworking profile |
Configuration Examples
Basic Hotspot 2.0 Configuration
Create a basic Interworking Profile for a public chargeable Hotspot 2.0 network:

```
/interface wireless interworking-profiles
add name="public-hotspot" \
    network-type=public-chargeable \
    internet=yes \
    venue=business-unspecified \
    venue-names="MyHotspot:eng" \
    ipv4-availability=public \
    ipv6-availability=available \
    hotspot20=yes \
    wan-status=up \
    wan-downlink=50000 \
    wan-uplink=10000
```

Enterprise Network with RADIUS
Configure an Interworking Profile for enterprise authentication with RADIUS:

```
/interface wireless interworking-profiles
add name="enterprise" \
    network-type=private \
    internet=yes \
    venue=business-corporate-office \
    venue-names="Headquarters:eng" \
    authentication-types=online-enrollment:"" \
    asra=yes \
    realms=corp.example.com:eap-tls,corp.example.com:eap-aka \
    ipv4-availability=public \
    domain-names=corp.example.com
```

Configuring RADIUS for Wireless
Before using 802.1X authentication, configure the RADIUS client:

```
/radius
add address=192.168.88.100 secret=radius_secret service=wireless timeout=1s

/interface wireless security-profiles
add name=dot1x-profile \
    authentication-types=wpa2-eap \
    eap-methods=passthrough \
    management-protection=allowed \
    mode=dynamic-keys \
    radius-eap-accounting=yes
```

Assigning Profile to Interface
Apply the Interworking Profile to a wireless interface:

```
/interface wireless
set wlan1 \
    mode=ap-bridge \
    security-profile=dot1x-profile \
    interworking-profile=public-hotspot \
    wps-mode=disabled
```

Full Hotspot 2.0 with Operator Information
Complete configuration with operator details and roaming information:

```
/interface wireless interworking-profiles
add name="operator-hotspot" \
    network-type=public-chargeable \
    internet=yes \
    hessid=00:11:22:33:44:55 \
    venue=mercantile-shopping-mall \
    venue-names="CityMall:eng,MallCiudad:es" \
    operator-names="BestWiFi:eng,MejorWiFi:es" \
    domain-names=bestwifi.example.com \
    realms=bestwifi.example.com:eap-tls \
    roaming-ois=03E48D8C,03A1B2C3 \
    ipv4-availability=public \
    ipv6-availability=available \
    hotspot20=yes \
    hotspot20-dgaf=yes \
    wan-status=up \
    wan-downlink=100000 \
    wan-uplink=20000 \
    wan-symmetric=no
```

Realms Raw Configuration
For advanced NAI Realm encoding, use realms-raw with hex-encoded values. Each entry contains:
- NAI Realm Encoding (1 byte)
- NAI Realm Length (1 byte)
- NAI Realm (variable)
- EAP Method Count (1 byte)
- EAP Method Tuples (variable)
Example: 00045465737401020d00 decodes to:
- Encoding: 0 (RFC 4282)
- Length: 4
- Realm: “Test”
- EAP Method Count: 1
- EAP Method: TLS, no parameters
This is equivalent to realms=Test:eap-tls.
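As an added example (not part of this documentation or of RouterOS), the following Python builds a realms-raw entry from a realm and its EAP methods using the byte layout listed above, and decodes such hex strings back, including the optional authentication-parameter fields inside an EAP method tuple, which the list above does not show. EAP method numbers are the IANA EAP type assignments; the sample hex strings in the comments are the page's own example and constructed variants of it.

```python
# Added example (not RouterOS code): encode/decode NAI Realm entries in the
# realms-raw layout described above. EAP method numbers are the IANA EAP type
# assignments (EAP-TLS is 13, the 0d byte in the page's example).
EAP_METHODS = {"eap-tls": 13, "eap-sim": 18, "eap-ttls": 21, "eap-aka": 23, "eap-peap": 25}
EAP_NAMES = {v: k for k, v in EAP_METHODS.items()}

def encode_realm(realm, methods, encoding=0):
    """Return one entry as the hex string realms-raw expects. encoding 0 = RFC 4282
    realm; each EAP tuple is length(1) method(1) auth-param-count(1), no params."""
    realm_bytes = realm.encode("ascii")
    if len(realm_bytes) > 255 or len(methods) > 255:
        raise ValueError("realm or method list too long for a 1-byte length field")
    out = bytes([encoding, len(realm_bytes)]) + realm_bytes + bytes([len(methods)])
    for m in methods:
        out += bytes([2, EAP_METHODS[m], 0])  # tuple length 2 = method + param count
    return out.hex()

def decode_realms(hexstr):
    """Parse one or more concatenated entries; raise ValueError on truncation."""
    data, pos, entries = bytes.fromhex(hexstr), 0, []

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError(f"truncated entry at offset {pos}")
        chunk, pos = data[pos:pos + n], pos + n
        return chunk

    while pos < len(data):
        encoding, rlen = take(2)
        realm = take(rlen).decode("ascii")
        methods = []
        for _ in range(take(1)[0]):
            body = take(take(1)[0])  # tuple body: method, param count, params
            if len(body) < 2:
                raise ValueError("EAP method tuple shorter than 2 bytes")
            params, p = [], 2
            for _ in range(body[1]):  # each param: id(1) length(1) value(length)
                if p + 2 > len(body) or p + 2 + body[p + 1] > len(body):
                    raise ValueError("authentication parameter overruns tuple")
                params.append((body[p], body[p + 2:p + 2 + body[p + 1]].hex()))
                p += 2 + body[p + 1]
            methods.append({"method": EAP_NAMES.get(body[0], f"eap-{body[0]}"), "params": params})
        entries.append({"encoding": encoding, "realm": realm, "methods": methods})
    return entries

def to_realms_option(entries):
    """Render decoded entries in the realms= syntax used elsewhere on this page."""
    return ",".join(f"{e['realm']}:{m['method']}" for e in entries for m in e["methods"])
```

encode_realm("Test", ["eap-tls"]) yields the page's 00045465737401020d00, and decoding a string with an unrecognised or truncated tuple raises instead of silently producing a realm list.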
Troubleshooting
Check RADIUS Status
Monitor RADIUS communication for authentication issues:

```
/radius monitor 0
```

Enable debug logging for detailed RADIUS messages:

```
/system logging add topics=radius,debug,packet
```

View logs:

```
/log print
```

Monitor Wireless Registrations
Check active client connections:

```
/interface wireless registration-table print
```

Common Issues
- Clients not seeing the Hotspot 2.0 network: Ensure hotspot20=yes and that the wireless interface is in AP mode with a security profile assigned
- RADIUS authentication failing: Verify that the RADIUS server is reachable, the secret is correct, and service=wireless is enabled
- Network type not matching: Clients may filter based on network-type; ensure the correct network-type setting
- No internet connectivity shown: Set internet=yes and verify the ipv4-availability/ipv6-availability settings
MAC Address Authentication Format Issues
MAC address authentication (MAC auth) can fail because of a format mismatch between the MAC address the RADIUS client sends and the format the RADIUS server expects. RouterOS sends the MAC address in the Calling-Station-Id attribute, but different systems expect different formats.
Common MAC Address Formats
| Format | Example | Notes |
|---|---|---|
| Colon-separated | AA:BB:CC:DD:EE:FF | Standard, most common |
| Dash-separated | AA-BB-CC-DD-EE-FF | Windows systems often use this |
| No separators | AABBCCDDEEFF | Some RADIUS servers prefer this |
| Cisco format | aabb.ccdd.eeff | Cisco equipment format |
RouterOS MAC Address Format Configuration
In RouterOS, the MAC address format sent to RADIUS is controlled by the mac-auth-mode setting:

```
/interface wifi security
set [find name="mac-auth"] mac-auth-mode=mac-as-username
```

The mac-auth-mode options determine both the username format sent and what is sent as the password:

| Mode | Username Format | Password |
|---|---|---|
| mac-as-username | MAC address | MAC address |
| mac-as-username-and-password | MAC address | Configured password |
| mac-as-calling-station-id | Calling-Station-Id attribute | MAC address |
Troubleshooting MAC Auth Failures
- Check the MAC address format your RADIUS server expects. Enable RADIUS debug logging to see what format RouterOS is sending:

  ```
  /system logging add topics=radius,debug,packet
  /log print
  ```

- Match the RADIUS server expectation. Some common RADIUS servers expect specific formats:
  - FreeRADIUS: Often expects colon-separated or no separators
  - Microsoft NPS: May expect dash-separated
  - Cisco ISE: Typically accepts multiple formats
- Convert the format in RADIUS. If your RADIUS server is flexible, you can rewrite the attribute before it is looked up; in FreeRADIUS unlang (for example in the authorize section) the colon-separated value is collapsed to the no-separator form like this:

  ```
  # FreeRADIUS unlang: strip the colons from Calling-Station-Id
  if (&Calling-Station-Id =~ /^(..):(..):(..):(..):(..):(..)$/) {
      update request { &Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" }
  }
  ```

- Common symptoms of format mismatch:
  - Authentication fails immediately without retry
  - RADIUS logs show no request received
  - Client connects to WiFi but gets no IP (DHCP triggered after MAC auth fails)
Example: Configure MAC Auth with Specific Format
```
# Create security profile with MAC authentication
/interface wifi security add name=mac-auth mac-auth-mode=mac-as-username
# Configure RADIUS to accept the connection
/radius add address=10.0.0.1 secret=secret123 service=wireless
# Monitor authentication
/interface wifi registration-table print
```

Related Topics
- Wireless Index - Complete wireless documentation
- Security Profiles - WPA2/WPA3 and 802.1X configuration
- HotSpot - Captive portal configuration
- CAPsMAN - Centralized wireless management