Dear All,
I need to configure mikrotik router board hotspot to authenticate with active director domain controller with IAS installed (Windows Server 2003), but in all the scenarios I found need certificate server to issue certificates to each client, which I have to install manually to each one. This is not feasible; do any one advice me how to configure ISA on windows server 2003 to work with hotspot by a simple way,
Each user in the active directory can access the hotspot with his username and password,
Thanks in advance

You do not need certificates.

In IAS simply simply create a client that corresponds with the RouterOS device and devise a shared secret. Then make an access rule that permits access to the appropriate group. On RouterOS enable the RADIUS client and enable RADIUS authentication on the Hotspot instance.

thx, but I cann't login, the following information is given:
Reason Code: 19
Reason: The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

and I did both of them in the user account and in the group ploicy i enabled reversibly encrypted password, and still not working.
any advice

It's working thx guys,
but I would like to use CHAP not PAP,
any help

You do not need certificates.

In IAS simply simply create a client that corresponds with the RouterOS device and devise a shared secret. Then make an access rule that permits access to the appropriate group. On RouterOS enable the RADIUS client and enable RADIUS authentication on the Hotspot instance.

just want to know if you can create a sample access rule to show what needs to be done?
I am a beginner with MS Server Active Directory and kind of fumbling my way through it.

I am trying to do the same thing. I want the hot spot user to be able to authenticate against the Active Directory login rather than the Mikrotik User Manager login.

The ideal situation is to have the hotspot pull up the active directory login rather than the html login and authenticate against the Active Directory login rather than the Mikrotik User Manager login.

In the IAS configuration screen, go to Connection Request Processing > Connection Request Policies and ensure there is a policy named "Use Windows authentication for all users" in processing order 1. There should only be one policy condition (Day-And-Time-Restriction) that is set to cover all hours on all days. The profile ("Edit Profile...") should be set to authenticate requests on the server.

Set up a Remote Access Policy depending on your conditions. You could, for example, have something along the lines of "NAS-IP-Address is 10.1.0.1" and "Windows-Group matches \MYDOMAIN\MyGroupName". Again edit the profile and make sure PAP is turned on as a method on the Authentication tab. Grant remote access permissions when the conditions are matched.

Add a RADIUS client, matching a friendly name, IP address, and shared secret.