Security Profiles
Security profiles define the encryption and authentication settings applied to wireless interfaces in RouterOS. Every AP and station interface references a security profile to control who can connect and how traffic is protected.
Overview
RouterOS supports two wireless configuration stacks:

- Legacy wireless package (`/interface wireless`): available on all RouterOS versions. Security is managed via `/interface wireless security-profiles`.
- Modern WiFi package (`/interface wifi`): available on RouterOS 7.x with supported hardware. Security is configured via `/interface wifi security`.
Access control for both stacks uses the access-list (AP side, controls who can connect) and connect-list (station side, controls which APs to connect to).
Legacy Wireless Security Profiles
Creating a Security Profile

```routeros
/interface wireless security-profiles
add name=my-profile \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    wpa2-pre-shared-key="YourStrongPassphrase"
```

Assign the profile to an interface:

```routeros
/interface wireless
set wlan1 security-profile=my-profile
```

Key Parameters
| Parameter | Description |
|---|---|
| `mode` | `none` (open), `static-keys-optional`, `static-keys-required`, `dynamic-keys` (WPA/WPA2) |
| `authentication-types` | Comma-separated list: `wpa-psk`, `wpa2-psk`, `wpa-eap`, `wpa2-eap` |
| `unicast-ciphers` | Per-client encryption: `tkip`, `aes-ccm` (AES-CCMP) |
| `group-ciphers` | Broadcast/multicast encryption: `tkip`, `aes-ccm` |
| `wpa-pre-shared-key` | Passphrase for WPA-PSK (8–63 characters) |
| `wpa2-pre-shared-key` | Passphrase for WPA2-PSK (8–63 characters) |
| `eap-methods` | EAP method for enterprise auth: `eap-tls`, `eap-ttls-mschapv2`, `passthrough` |
| `management-protection` | 802.11w management frame protection: `disabled`, `allowed`, `required` |
Best practice: use `aes-ccm` for both unicast and group ciphers. Avoid `tkip`; it is based on WEP internals and is deprecated.
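An added audit script (not part of this page or of RouterOS) that applies the checks above to the text of `/interface wireless security-profiles export`: it flags profiles that are not `dynamic-keys`, that allow `tkip` or WPA1 `wpa-psk`, whose PSK is outside the 8–63 character range, or that leave `management-protection` disabled. The export sample is constructed, and the script assumes that parameters omitted from the export are at their RouterOS defaults (`mode=none`, `management-protection=disabled`).

```python
import shlex

# Constructed sample of "/interface wireless security-profiles export" output
# (assumed format; not captured from a real device).
SAMPLE_EXPORT = r"""/interface wireless security-profiles
add name=home-wifi mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="ReplaceWithStrongPassphrase"
add name=compat mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk \
    unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm wpa-pre-shared-key="SamePassphrase"
add name=legacy-open
"""

# Assumption: export omits parameters left at their defaults, so a missing mode
# means "none" and a missing management-protection means "disabled".
DEFAULTS = {"mode": "none", "management-protection": "disabled"}

def parse_profiles(export_text):
    """Turn 'add key=value ...' lines (joining backslash continuations) into dicts."""
    profiles = []
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        fields = dict(DEFAULTS)
        for token in shlex.split(line[4:]):   # shlex strips the quotes around values
            key, _, value = token.partition("=")
            fields[key] = value
        profiles.append(fields)
    return profiles

def audit_profile(p):
    """Return findings for one profile; an empty list means the checks passed."""
    if p["mode"] != "dynamic-keys":
        return [f"mode={p['mode']}: no WPA/WPA2 key management"]
    findings = []
    ciphers = set(p.get("unicast-ciphers", "").split(",")) | set(p.get("group-ciphers", "").split(","))
    if "tkip" in ciphers:
        findings.append("tkip cipher enabled (deprecated, WEP-derived)")
    if "wpa-psk" in p.get("authentication-types", "").split(","):
        findings.append("wpa-psk (WPA1) accepted")
    for key in ("wpa-pre-shared-key", "wpa2-pre-shared-key"):
        if key in p and not 8 <= len(p[key]) <= 63:
            findings.append(f"{key} is outside the valid 8-63 character range")
    if p["management-protection"] == "disabled":
        findings.append("management-protection disabled (no 802.11w)")
    return findings

def audit_export(export_text):
    return {p["name"]: audit_profile(p) for p in parse_profiles(export_text)}
```

Run `audit_export(SAMPLE_EXPORT)` to get a name-to-findings map; feed it the saved output of a real export to review a device.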
WPA2-PSK (Home/Small Office)
The most common configuration for home networks:

```routeros
/interface wireless security-profiles
add name=home-wifi \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    wpa2-pre-shared-key="ReplaceWithStrongPassphrase"
```

```routeros
/interface wireless
set wlan1 \
    mode=ap-bridge \
    ssid="HomeNetwork" \
    security-profile=home-wifi \
    default-authenticate=yes \
    default-forward=yes
```

WPA2-EAP (Enterprise / RADIUS)
Enterprise authentication passes credentials to a RADIUS server. RouterOS acts as the authenticator, forwarding EAP exchanges upstream:

```routeros
/interface wireless security-profiles
add name=corp-eap \
    mode=dynamic-keys \
    authentication-types=wpa2-eap \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    eap-methods=passthrough \
    management-protection=allowed
```

```routeros
/interface wireless
set wlan1 \
    mode=ap-bridge \
    ssid="CorpWiFi" \
    security-profile=corp-eap
```

```routeros
/radius
add address=192.168.1.100 secret="radius-shared-secret" service=wireless
```

With `eap-methods=passthrough`, RouterOS forwards all EAP frames to the RADIUS server and does not terminate EAP locally.
Dual Authentication (WPA + WPA2 Compatibility)
For networks that must support older devices alongside modern ones:

```routeros
/interface wireless security-profiles
add name=compat \
    mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk \
    unicast-ciphers=tkip,aes-ccm \
    group-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key="SamePassphrase" \
    wpa2-pre-shared-key="SamePassphrase"
```

Note: enabling TKIP reduces overall network security. Use this only when legacy devices cannot be upgraded.
View and Manage Profiles
```routeros
# List all profiles
/interface wireless security-profiles print

# Show detail for a specific profile
/interface wireless security-profiles print where name=home-wifi

# Remove a profile
/interface wireless security-profiles remove home-wifi
```

Modern WiFi Package Security (RouterOS 7.x)
The newer `/interface wifi` stack (available on RouterOS 7.x with the wifi package) separates security settings into dedicated objects and supports WPA3 natively.
Creating a Security Object
```routeros
/interface wifi security
add name=main-security \
    authentication-types=wpa2-psk,wpa3-psk \
    passphrase="YourStrongPassphrase"
```

Assign it to a configuration profile or directly to an interface:

```routeros
/interface wifi configuration
add name=main-config ssid="MyNetwork" security=main-security

/interface wifi
set wifi1 configuration=main-config disabled=no
```

Supported Authentication Types
| Type | Description |
|---|---|
| `wpa2-psk` | WPA2 Personal (PSK) |
| `wpa3-psk` | WPA3 Personal (SAE) |
| `wpa2-eap` | WPA2 Enterprise (RADIUS) |
| `wpa3-eap` | WPA3 Enterprise |
| `owe` | Opportunistic Wireless Encryption (open networks) |
WPA3-Personal (SAE)
WPA3-Personal uses Simultaneous Authentication of Equals (SAE), which eliminates offline dictionary attacks against the passphrase:

```routeros
/interface wifi security
add name=wpa3-home \
    authentication-types=wpa3-psk \
    passphrase="StrongerPassphrase"
```

Mixed WPA2/WPA3 (Transition Mode)

Enable both to support WPA2 devices while newer devices use WPA3:

```routeros
/interface wifi security
add name=mixed-sec \
    authentication-types=wpa2-psk,wpa3-psk \
    passphrase="YourPassphrase"
```

Opportunistic Wireless Encryption (OWE)

OWE encrypts open-network traffic without requiring a password. It is useful for guest networks where you want encryption without a shared secret:

```routeros
/interface wifi security
add name=guest-open authentication-types=owe
```

OWE transition mode allows both OWE and legacy open clients simultaneously by pairing two VAPs, one OWE-capable and one open, that advertise each other via BSS Transition Management.
WPA3-Enterprise
Section titled “WPA3-Enterprise”/interface wifi securityadd name=corp-sec \ authentication-types=wpa3-eap \ eap-methods=eap-tls \ eap-certificate-mode=verify-certificate
/radiusadd address=192.168.1.100 secret="radius-secret" service=wirelessAccess Control Lists
Access-List (AP Side)

The access-list controls which clients an AP allows to authenticate and forward traffic. Rules are evaluated top-to-bottom; the first match applies.
Interface defaults (evaluated when no access-list rule matches):
| Parameter | Default | Description |
|---|---|---|
| `default-authenticate` | `yes` | Allow unlisted clients to authenticate |
| `default-forward` | `yes` | Allow unlisted clients to forward traffic |
Set both to `no` on the interface to implement allow-list behavior:

```routeros
/interface wireless
set wlan1 default-authenticate=no default-forward=no
```

Allow-List (Whitelist) Example
Only permit specific MAC addresses:

```routeros
# Deny all by default
/interface wireless
set wlan1 default-authenticate=no

# Allow specific MACs
/interface wireless access-list
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:01 authentication=yes forwarding=yes comment="Laptop"
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:02 authentication=yes forwarding=yes comment="Phone"
```

Internet-Only Client (No Intra-BSS Forwarding)

Allow a device to connect but prevent it from communicating with other wireless clients (useful for IoT devices):

```routeros
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:33:44:55 authentication=yes forwarding=no comment="IoT device"
```

Block a Specific Device

```routeros
/interface wireless access-list
add interface=wlan1 mac-address=DE:AD:BE:EF:00:01 authentication=no comment="Blocked device"
```

View Registration Table

```routeros
# Currently connected clients
/interface wireless registration-table print

# Show all fields for each client
/interface wireless registration-table print detail
```

Connect-List (Station Side)
The connect-list applies to interfaces in station mode and controls which APs the station will connect to. Rules are evaluated top-to-bottom.

```routeros
/interface wireless connect-list
add interface=wlan1 ssid="CorpNetwork" security-profile=corp-eap connect=yes comment="Office AP"
add interface=wlan1 ssid="HomeNetwork" security-profile=home-wifi connect=yes comment="Home AP"
add interface=wlan1 ssid="" connect=no comment="Block all others"
```

| Parameter | Description |
|---|---|
| `ssid` | Match on SSID (empty matches any) |
| `bssid` | Match on a specific AP MAC address |
| `security-profile` | Security profile that is required and used when connecting via this rule |
| `connect` | `yes` to connect, `no` to block |
| `interface` | Wireless interface this rule applies to |
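An added Python model (not RouterOS code) of the AP-side access-list evaluation described above: rules are walked top-to-bottom, the first entry matching the interface and client MAC decides, and the interface's `default-authenticate`/`default-forward` apply only when nothing matches. The rule shape is a simplification (real entries can also match on signal range and time), `interface=all` matching every AP is an assumption, and the sample rules reuse the MAC addresses from the allow-list, IoT and block examples above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of a legacy /interface wireless access-list entry (assumption:
# real entries can also match on signal range, time and VLAN; those are omitted).
@dataclass
class AccessRule:
    interface: str              # "all" is assumed to match every AP interface
    mac_address: Optional[str]  # None: entry has no MAC, so it matches any client
    authentication: bool
    forwarding: bool
    comment: str = ""

@dataclass
class ApInterface:
    name: str
    default_authenticate: bool  # consulted only when no access-list rule matches
    default_forward: bool

def evaluate_client(ap: ApInterface, rules: List[AccessRule], client_mac: str) -> Tuple[bool, bool, str]:
    """Walk the rules top-to-bottom; the first match wins, otherwise the interface
    defaults apply. Returns (may_authenticate, may_forward, reason)."""
    mac = client_mac.upper()
    for rule in rules:
        if rule.interface not in (ap.name, "all"):
            continue
        if rule.mac_address is not None and rule.mac_address.upper() != mac:
            continue
        # A client that may not authenticate never reaches the forwarding decision.
        return rule.authentication, rule.authentication and rule.forwarding, rule.comment
    return ap.default_authenticate, ap.default_authenticate and ap.default_forward, "interface default"

# Constructed allow-list for wlan1 with both interface defaults set to "no",
# using the MAC addresses from the examples above.
WLAN1 = ApInterface("wlan1", default_authenticate=False, default_forward=False)
WLAN1_RULES = [
    AccessRule("wlan1", "AA:BB:CC:DD:EE:01", True, True, "Laptop"),
    AccessRule("wlan1", "00:11:22:33:44:55", True, False, "IoT device"),
    AccessRule("wlan1", "DE:AD:BE:EF:00:01", False, True, "Blocked device"),
]

if __name__ == "__main__":
    for mac in ("aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "DE:AD:BE:EF:00:01", "12:34:56:78:9A:BC"):
        auth, fwd, why = evaluate_client(WLAN1, WLAN1_RULES, mac)
        print(f"{mac}: authenticate={auth} forward={fwd} ({why})")
```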
Practical Configurations
Home Network

```routeros
/interface wireless security-profiles
add name=home \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    wpa2-pre-shared-key="HomePassphrase123!"

/interface wireless
set wlan1 \
    mode=ap-bridge \
    ssid="HomeWifi" \
    security-profile=home \
    default-authenticate=yes \
    default-forward=yes
```

Separate Guest Network (Isolated)
Create a second SSID on the same radio with no intra-client forwarding:

```routeros
/interface wireless security-profiles
add name=guest \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    wpa2-pre-shared-key="GuestPass2024"

# Add virtual AP for guests
/interface wireless
add name=wlan-guest \
    master-interface=wlan1 \
    mode=ap-bridge \
    ssid="GuestNetwork" \
    security-profile=guest \
    default-authenticate=yes \
    default-forward=no

# Isolate guest traffic (example: bridge with no local forwarding)
/interface bridge
add name=br-guest

/interface bridge port
add interface=wlan-guest bridge=br-guest horizon=1
```

IoT Isolation with MAC Allow-List
```routeros
/interface wireless security-profiles
add name=iot \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    wpa2-pre-shared-key="IotNetworkPass"

/interface wireless
add name=wlan-iot \
    master-interface=wlan1 \
    mode=ap-bridge \
    ssid="IoT-Net" \
    security-profile=iot \
    default-authenticate=no \
    default-forward=no

/interface wireless access-list
add interface=wlan-iot mac-address=AA:BB:CC:11:22:33 authentication=yes forwarding=no comment="Thermostat"
add interface=wlan-iot mac-address=AA:BB:CC:44:55:66 authentication=yes forwarding=no comment="Smart Plug"
```

Troubleshooting
Client Cannot Authenticate

- Verify the security profile passphrase matches on both sides.
- Check `default-authenticate`: if it is set to `no`, the client's MAC must be in the access-list.
- Check the access-list for a blocking rule: `/interface wireless access-list print`
- Review logs for authentication errors: `/log print where topics~"wireless"`

Client Connects but Cannot Reach Network

Check `default-forward` and the per-entry `forwarding` setting:

```routeros
/interface wireless access-list print detail
```

If `forwarding=no`, the client cannot send traffic to other wireless clients or through the AP.
Check Active Clients and Signal
```routeros
/interface wireless registration-table print
/interface wireless monitor wlan1
```

See Also

- WiFi Guide - Complete WiFi setup and configuration
- WiFi 6 and RouterOS 7 - Modern WiFi package and WPA3
- Interworking Profiles - Hotspot 2.0 and 802.11u
- CAPsMAN - Centralized AP management and security
- HotSpot - Captive portal authentication