Upgrade to MS-CHAPv2 RADIUS for >6.43

Deantwo · January 30, 2019, 3:13pm

I am attempting to figure out the best way to upgrade from my old RADIUS server to a new MS-CHAPv2 RADIUS server. I would prefer a backward compatible solution, so routers running <6.43 can use the same configuration as >6.43.

Googling for the answer seem to most of all just point me to a post I wrote myself about not knowing how to do it.

Using an ActiveDirectory RADIUS server, but I am not the one in charge of it so I don’t know the specifics.

Cvan · January 30, 2019, 10:43pm

I am using Active directory RADIUS server and mAP lite as the radius client and it works fine with AD/Radius Authentication (MS-CHAPv2).

Deantwo · February 4, 2019, 1:51pm

I am told that the guide on the wiki/manual aren’t much help anymore.
This: https://wiki.mikrotik.com/wiki/AAA_with_Active_Directory

I sendt an e-mail to support about getting the guide updated and possibly some help with this.

Deantwo · February 5, 2019, 9:36am

We got the new RADIUS server to work with MS-CHAPv2 and RouterOS v6.43.
I’ll bug my server guy to find out what he did on the server to make it work.

I have one fun fact with backward compatibility, a router running <6.43 can still use a MS-CHAPv2 RADIUS, but only for WinBox login. Trying to open the terminal window in WinBox will give a login failure.
But if we can login with WinBox we can upgrade the router to >6.43, so this should be more than enough.

gerarivero · January 28, 2020, 2:11pm

What do you mean with …“router running <6.43 can still use a MS-CHAPv2 RADIUS”, do you have any setup working with routerOS versions < 6.43 and mschapv2?

We have acomplish an authentication system with RouterOS > 6.43 with freeradius and Active Directory integration, but the problem is to get this work with routerOS version prior to 6.43.

Have you any advice?

Thanks in advance

jerryroy1 · February 6, 2020, 8:06pm

Can you export your config so we can see what you have set?

jerryroy1 · February 6, 2020, 8:21pm

Can you export your radius config portions?

Cvan · February 6, 2020, 11:28pm

Service: ppp,dot1x
Called ID:
Domain:
Address: AD Radius server IP address
Protocol: UDP
Secret: *******
Auth Port: 1812
Acct port: 1813
Timeout: 300
Account Backup:
Realm: my_domain
Certificate: none
Src. Address: MT router (Radius Client) IP address

The AD configuration for the Radius Server is more complex then the MT side.