Hello,
I upgraded various CPEs with ROS 6.43. When I updated to the latest version, RADIUS auth doesn't work. Now I am reading the changelog of the latest version and I see this line:
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
I understand that I can change my RADIUS configuration and encrypt my users' passwords. But this solution has one big problem, because I lose compatibility between versions: update ALL my routers to the latest version (isn't possible now) or not update any router to the latest version.
We have the same issue. RADIUS is based on Win Srv 2012 R2. It is set to use MS-CHAP v2 (was MS-CHAP) and it still isn't working. With 6.42.x everything was fine. On 6.42.x I had to set “store password using reversible encryption” for users in Active Directory. In 6.43 I tried with the password encryption option checked and unchecked, but again still no luck.
MikroTik team, please fix this because it is a serious issue, especially after GDPR requirements!!!
If for whatever reason you ‘must’ use MS-CHAPv2, you can enable NTLMv2 authentication in RAS by adding the following registry entry:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type Enable NTLMv2 Compatibility, and then press ENTER.
5. On the Edit menu, click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.
8. Restart server
We didn't test this case. We jumped blind into 6.43.2 with updated RADIUS settings. According to the reg key name, it is about compatibility. It's not forcing NTLMv2, so it could work with both NTLM v1 and v2.
In our network all MikroTiks are currently on the same firmware, and this is company policy.
You can create two network policies in the RADIUS server: one for 6.43 with MS-CHAP v2 enabled, where you will have to specify the client IPv4 addresses of the routers with firmware 6.43, and one for 6.42 without MS-CHAP v2, with the IP addresses of the routers with 6.42 firmware specified.
We decided to freeze MikroTik's version for now at 6.42.7, and not update to a version greater than 6.43.
In this case, there are a great many routers whose firmware would have to be changed, and that is not possible with mass practices.
For general information, today MikroTik responded to my ticket.
Pretty sure that specific line is not related to RADIUS.
Instead see v6.43’s
!) radius - use MS-CHAPv2 for “login” service authentication;
Other than that, I am also having issues with user login with RADIUS on my one router that is now running v5.43.2. The RADIUS server logs show that some of the communication is different compared to my other v6.40.8, but I don’t know the details.