Buklov
just joined
Topic Author
Posts: 1
Joined: Wed Apr 06, 2016 12:31 pm

Capsman v2 + wpa2-eap + server 2012 NPS

Wed Apr 06, 2016 12:45 pm

Hello!


I'm trying to set up CAPsMAN v2 + wpa2-eap. In a 2008 domain everything works, including one 2012 R2 controller with NPS (forest level 2008). But on the new controller with the same settings (forest level 2012 R2) it does not work. (PPTP and L2TP with RADIUS and NPS work.) What could be the problem?
 
k5nic
just joined
Posts: 13
Joined: Wed Feb 19, 2014 6:16 pm

Re: Capsman v2 + wpa2-eap + server 2012 NPS

Mon Aug 22, 2016 5:01 pm

I am having a similar issue. Apparently this is not possible at this point in time, or MikroTik Support does not know how to configure it. Everything they have told me over the last 3 weeks has not worked, and they claim they see nothing coming back from the RADIUS server. Does Windows not respond to the MikroTik messages? Is there some incompatibility between MikroTik and Windows 2012 NPS? I have yet to find answers to these questions, and am at the point where I will have to abandon this and move on to a different solution.

Anybody?
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: Capsman v2 + wpa2-eap + server 2012 NPS

Tue Aug 23, 2016 9:37 pm

Maybe these changes:
DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

Authenticate with NTLM authentication

Use DES or RC4 cipher suites in Kerberos pre-authentication

Be delegated with unconstrained or constrained delegation

Renew user tickets (TGTs) beyond the initial 4 hour lifetime

Authentication Policies

New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.

Authentication Policy Silos

New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.
https://technet.microsoft.com/en-us/lib ... 10%29.aspx
 
k5nic
just joined
Posts: 13
Joined: Wed Feb 19, 2014 6:16 pm

Re: Capsman v2 + wpa2-eap + server 2012 NPS

Fri Sep 02, 2016 1:14 am

After configuring Windows 2012 NPS, FreeRADIUS and Windows 2008 NPS, all giving the same results, it leads me to wonder if there is a problem that has been introduced into RouterOS at some point. I found a post where it mentions that in 6.24 or 6.25 RADIUS works, but in 6.28 it does not. Also numerous posts about 6.25 and Win2k8 NPS working. I am specifically running RouterOS 6.36, not 6.36.2. RADIUS servers are FreeRadius 4.x, Windows 2008 with NPS, and Windows 2012 with NPS. The Windows server logs show the server is sending back a reason-code 0, which, according to everything I have found, is the same as the FreeRADIUS Authenticate = ok. The FreeRADIUS server is sending back an Authenticate = ok. From what I understand that means the RADIUS server has accepted the message, and everything is agreeable. However, the MikroTik basically ignores that message and resends the request until it completely times out.

Can anyone confirm this, either through more knowledge of the Radius process than me, or by actually configuring a Win 2k8 or 2012 server and trying it? I know the servers are configured correctly, because they allow our Cisco Meraki units to authenticate wifi users.

Basically, what we are trying to accomplish is to allow our wifi users to connect automatically via their domain login credentials. I have spent nearly 1 month working on this, and have not as yet found a solution. PLEASE someone point out where I am wrong in this process, and I will gladly publicly acknowledge my mistake and their knowledge!

Thank you!
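The symptom described in the post above (server logs an accept, the NAS keeps retransmitting until timeout) is exactly what a RADIUS client does when a reply fails its integrity checks: per RFC 2865 section 3 the Response Authenticator is MD5 over the reply plus the shared secret, and for EAP (RFC 3579 section 3.2) the reply must also carry a valid Message-Authenticator, an HMAC-MD5 keyed with the same secret. A NAS silently discards a reply that fails either check, while the server still records a successful authentication. The following is an added example, not code from the thread or from MikroTik or Microsoft: it builds a constructed EAP Access-Request and the matching Access-Accept (hypothetical secret, user, NAS address and a fixed Request Authenticator, all made up for the example) and runs the two checks the NAS would run, once with matching secrets and once with a mismatch.

```python
"""Verify a RADIUS Access-Accept the way a NAS (e.g. a CAPsMAN controller) does.

Added example with constructed packets; the secret, user name, NAS address and
the fixed Request Authenticator below are hypothetical, not from the thread.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

SECRET = b"somebigkey"                 # constructed shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # fixed here; random on a real NAS
IDENT = 0x2A                           # packet identifier, chosen arbitrarily


def attr(kind, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return bytes([kind, len(value) + 2]) + value


def packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet; Length covers the 20-byte header and attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """Yield (offset, type, value) for every attribute after the header."""
    off = 20
    while off + 2 <= len(pkt):
        kind, length = pkt[off], pkt[off + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        yield off, kind, pkt[off + 2:off + length]
        off += length


def with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with the attribute's
    16 value bytes zeroed). For replies, `authenticator` must be the Request
    Authenticator of the request being answered (RFC 3579 section 3.2)."""
    draft = packet(code, ident, authenticator,
                   attrs + [attr(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    return attrs + [attr(MESSAGE_AUTHENTICATOR, mac)]


def build_access_request(secret=SECRET):
    """Request the NAS sends for a client's EAP Response/Identity (constructed)."""
    identity = b"alice"
    eap = bytes([2, 1]) + struct.pack("!H", 5 + len(identity)) + b"\x01" + identity
    attrs = [attr(USER_NAME, identity),
             attr(NAS_IP_ADDRESS, bytes([192, 168, 146, 1])),
             attr(EAP_MESSAGE, eap)]
    attrs = with_message_authenticator(ACCESS_REQUEST, IDENT, REQUEST_AUTHENTICATOR,
                                       attrs, secret)
    return packet(ACCESS_REQUEST, IDENT, REQUEST_AUTHENTICATOR, attrs)


def build_access_accept(request, secret=SECRET):
    """Reply the server sends (EAP Success), signed with the server's secret."""
    ident, request_auth = request[1], request[4:20]
    eap_success = bytes([3, 1, 0, 4])  # EAP code 3 (Success), id 1, length 4
    attrs = with_message_authenticator(ACCESS_ACCEPT, ident, request_auth,
                                       [attr(EAP_MESSAGE, eap_success)], secret)
    draft = packet(ACCESS_ACCEPT, ident, request_auth, attrs)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(draft + secret).digest()
    return draft[:4] + response_auth + draft[20:]


def verify_reply(request, reply, secret=SECRET):
    """Return (response_authenticator_ok, message_authenticator_ok) as the NAS
    computes them. A NAS drops the reply unless both are True."""
    request_auth = request[4:20]
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply) \
            or reply[1] != request[1]:
        return False, False  # malformed, or not a reply to this request
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    resp_ok = hmac.compare_digest(expected, reply[4:20])

    mac_ok = False  # EAP replies without Message-Authenticator are rejected
    for off, kind, value in parse_attrs(reply):
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = (reply[:4] + request_auth + reply[20:off + 2]
                      + bytes(16) + reply[off + 18:])
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            mac_ok = hmac.compare_digest(mac, value)
    return resp_ok, mac_ok


if __name__ == "__main__":
    req = build_access_request()
    print("secrets match:  ", verify_reply(req, build_access_accept(req)))
    print("secret mismatch:", verify_reply(req, build_access_accept(req, b"otherkey")))
```

Both checks fail when the NAS and server secrets differ, even by trailing whitespace, and also when anything in transit rewrites the attributes; in every such case the server already logged the accept and the NAS retries until it gives up, so the place to look is the secret pair and the NAS-side reply counters rather than the server log.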
 
k5nic
just joined
Posts: 13
Joined: Wed Feb 19, 2014 6:16 pm

Re: Capsman v2 + wpa2-eap + server 2012 NPS

Fri Sep 23, 2016 11:40 pm

Anybody else gotten anywhere with this? I had to give up and stop using CAPsMAN and RADIUS due to other projects.

Thanks!
 
panosla
just joined
Posts: 22
Joined: Sat Aug 16, 2014 6:47 pm

Re: Capsman v2 + wpa2-eap + server 2012 NPS

Sat Sep 24, 2016 12:45 am

Yes it works for sure. I have it working on my home lab for about 6 months now. What seems to be the problem? (The forest and domain functional level is 2012)

Here is the export with some garbage from the pre-CAPsMAN era. (I don't believe they are needed, but I never bothered deleting them.)
# CAPsMAN security profile: WPA2-EAP with EAP passed through to the RADIUS server
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough eap-radius-accounting=yes encryption=aes-ccm name=local-security-nextgen
# Legacy per-interface wireless security profile left over from before CAPsMAN
/interface wireless security-profiles
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=profile2 radius-mac-accounting=yes radius-mac-authentication=yes radius-mac-caching=30s radius-mac-mode=as-username-and-password supplicant-identity=""
# RADIUS client entry for the wireless service; the secret must match the NPS RADIUS client
/radius
add address=192.168.146.13 secret=somebigkey service=wireless
