6.36.3 + CAPsMAN v2 + WPA2-EAP + Win2008R2 NPS + eduroam

Hello
It is necessary to migrate from hotspot to WPA2-EAP with PEAP support.
NPS: in EAP types, “Protected EAP (PEAP)” is allowed.

/caps-man security print
1 name="security-eduroam" authentication-types=wpa2-eap encryption=aes-ccm eap-methods=passthrough eap-radius-accounting=yes

NPS logs:

<Event>
        <Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
        <Computer-Name data_type="1">DC2</Computer-Name>
        <Event-Source data_type="1">IAS</Event-Source>
        <Service-Type data_type="0">2</Service-Type>
        <Framed-MTU data_type="0">1400</Framed-MTU>
        <User-Name data_type="1">NES\kkuyukov</User-Name>
        <NAS-Port-Id data_type="1">RB951G-2HnD-18-1-3</NAS-Port-Id>
        <NAS-Port-Type data_type="0">19</NAS-Port-Type>
        <Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
        <Calling-Station-Id data_type="1">C0-4A-00-27-B7-33</Calling-Station-Id>
        <Called-Station-Id data_type="1">4E-5E-0C-33-88-D7:eduroam-test</Called-Station-Id>
        <NAS-Identifier data_type="1">RB1100Hx2-Skolkovo</NAS-Identifier>
        <NAS-IP-Address data_type="3">192.168.32.1</NAS-IP-Address>
        <Client-IP-Address data_type="3">192.168.32.1</Client-IP-Address>
        <Client-Vendor data_type="0">0</Client-Vendor>
        <Client-Friendly-Name data_type="1">Mikrotik</Client-Friendly-Name>
        <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
        <Provider-Type data_type="0">1</Provider-Type>
        <SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
        <Class data_type="1">1 311 09.12.2016 11:43:17 192.168.32.6 548</Class>
        <Fully-Qualifed-User-Name data_type="1">NES.RU/itdept/Kuyukov Konstantin</Fully-Qualifed-User-Name>
        <Authentication-Type data_type="0">5</Authentication-Type>
        <NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
        <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
        <Packet-Type data_type="0">1</Packet-Type>
        <Reason-Code data_type="0">0</Reason-Code>
</Event>
<Event>
        <Timestamp data_type="4">09/14/2016 10:45:25.252</Timestamp>
        <Computer-Name data_type="1">DC2</Computer-Name>
        <Event-Source data_type="1">IAS</Event-Source>
        <Class data_type="1">1 311 09.12.2016 11:43:17 192.168.32.6 548</Class>
        <Fully-Qualifed-User-Name data_type="1">NES.RU/itdept/Kuyukov Konstantin</Fully-Qualifed-User-Name>
        <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>
        <Acct-Session-Id data_type="1">82500001</Acct-Session-Id>
        <NP-Policy-Name data_type="1">Mikrotik-VPN</NP-Policy-Name>
        <Client-IP-Address data_type="3">192.168.32.1</Client-IP-Address>
        <Client-Vendor data_type="0">0</Client-Vendor>
        <Client-Friendly-Name data_type="1">Mikrotik</Client-Friendly-Name>
        <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
        <Provider-Type data_type="0">1</Provider-Type>
        <SAM-Account-Name data_type="1">NES\kkuyukov</SAM-Account-Name>
        <Authentication-Type data_type="0">5</Authentication-Type>
        <Packet-Type data_type="0">3</Packet-Type>
        <Reason-Code data_type="0">66</Reason-Code>
</Event>

Mikrotik logs:

10:45:21 radius,debug,packet Signature = 0x0f2f6c8191f4d34c407bb556e9f8f271
10:45:21 radius,debug,packet Service-Type = 2
10:45:21 radius,debug,packet Framed-MTU = 1400
10:45:21 radius,debug,packet User-Name = "host/KKuyukov-new.NES.RU"
10:45:21 radius,debug,packet NAS-Port-Id = "RB951G-2HnD-18-1-3"
10:45:21 radius,debug,packet NAS-Port-Type = 19
10:45:21 radius,debug,packet Acct-Session-Id = "82500000"
10:45:21 radius,debug,packet Calling-Station-Id = "C0-4A-00-27-B7-33"
10:45:21 radius,debug,packet Called-Station-Id = "4E-5E-0C-33-88-D7:eduroam-test"
10:45:21 radius,debug,packet EAP-Message = 0x0201001d01686f73742f4b4b7579756b
10:45:21 radius,debug,packet 6f762d6e65772e4e45532e5255
10:45:21 radius,debug,packet Message-Authenticator = 0x9e539a771dc29fa3ca0c9288c06d1a1d
10:45:21 radius,debug,packet NAS-Identifier = "RB1100Hx2-Skolkovo"
10:45:21 radius,debug,packet NAS-IP-Address = 192.168.32.1
10:45:21 radius,debug,packet received Access-Reject with id 4 from 192.168.32.6:1812
10:45:21 radius,debug,packet Signature = 0x5b0fb9f981ab6af22c0e30089d137268
10:45:21 radius,debug,packet EAP-Message = 0x04010004
10:45:21 radius,debug,packet Message-Authenticator = 0x3fd7e0a106283cb37c2c34359a9693cf
10:45:21 radius,debug received reply for 58:9d
10:45:25 radius,debug new request 58:9e code=Access-Request service=wireless called-id=4E-5E-0C-33-88-D7:eduroam-test
10:45:25 radius,debug sending 58:9e to 192.168.32.6:1812
10:45:25 radius,debug,packet sending Access-Request with id 5 to 192.168.32.6:1812
10:45:25 radius,debug,packet Signature = 0x1b42edc2b4e81394cbd5b0f5f5b85ac2
10:45:25 radius,debug,packet Service-Type = 2
10:45:25 radius,debug,packet Framed-MTU = 1400
10:45:25 radius,debug,packet User-Name = "NES\kkuyukov"
10:45:25 radius,debug,packet NAS-Port-Id = "RB951G-2HnD-18-1-3"
10:45:25 radius,debug,packet NAS-Port-Type = 19
10:45:25 radius,debug,packet Acct-Session-Id = "82500001"
10:45:25 radius,debug,packet Calling-Station-Id = "C0-4A-00-27-B7-33"
10:45:25 radius,debug,packet Called-Station-Id = "4E-5E-0C-33-88-D7:eduroam-test"
10:45:25 radius,debug,packet EAP-Message = 0x02010011014e45535c6b6b7579756b6f
10:45:25 radius,debug,packet 76
10:45:25 radius,debug,packet Message-Authenticator = 0x7f18ac5cd7f77d07e18b12f6e68ebe74
10:45:25 radius,debug,packet NAS-Identifier = "RB1100Hx2-Skolkovo"
10:45:25 radius,debug,packet NAS-IP-Address = 192.168.32.1
10:45:25 radius,debug,packet received Access-Reject with id 5 from 192.168.32.6:1812
10:45:25 radius,debug,packet Signature = 0x33bdd0f8e404fac878cac49e7cce8457
10:45:25 radius,debug,packet EAP-Message = 0x04010004
10:45:25 radius,debug,packet Message-Authenticator = 0xa4eadb45fb5cdb1500e89508b87e206a
10:45:25 radius,debug received reply for 58:9e

How to configure authentication?
Help me, please
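As an added example (not from this thread, nor MikroTik's or Microsoft's code), the following Python reassembles and decodes the EAP-Message attributes from the MikroTik debug output above and pulls the decision fields out of an NPS event, using the EAP header layout from RFC 3748 and the meanings Microsoft publishes for NPS reason codes; the embedded log excerpts are constructed from the post.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpts of the two logs quoted above: MikroTik wraps a long EAP-Message
# attribute onto the next "packet" line; the NPS event is cut down to its decision fields.
MIKROTIK_LOG = """\
10:45:21 radius,debug,packet EAP-Message = 0x0201001d01686f73742f4b4b7579756b
10:45:21 radius,debug,packet 6f762d6e65772e4e45532e5255
10:45:21 radius,debug,packet received Access-Reject with id 4 from 192.168.32.6:1812
10:45:21 radius,debug,packet EAP-Message = 0x04010004
"""
NPS_EVENT = ('<Event><Packet-Type data_type="0">3</Packet-Type><NP-Policy-Name data_type="1">'
             'Mikrotik-VPN</NP-Policy-Name><Reason-Code data_type="0">66</Reason-Code></Event>')
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748 codes
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "EAP-MSCHAPv2"}
NPS_REASONS = {0: "success", 16: "credentials mismatch", 48: "no policy matched",
               66: "auth method not enabled on the matching network policy"}  # NPS codes

def extract_eap_messages(log):
    """Reassemble EAP-Message attributes that the debug log splits over several lines."""
    msgs, in_eap = [], False
    for line in log.splitlines():
        m = re.match(r"\S+ radius,debug,packet (.*)$", line)
        body = m.group(1) if m else ""
        if body.startswith("EAP-Message = 0x"):
            msgs.append(body[len("EAP-Message = 0x"):])
            in_eap = True
        elif in_eap and re.fullmatch(r"[0-9a-fA-F]+", body):
            msgs[-1] += body                       # continuation of the same attribute
        else:
            in_eap = False
    return [bytes.fromhex(h) for h in msgs]

def decode_eap(pkt):
    """Parse the EAP header (code, id, length) and, for Identity, the identity string."""
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes captured")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length > 4:              # Request/Response carry a type byte
        info["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        if pkt[4] == 1:                            # Identity: payload is the outer NAI
            info["identity"] = pkt[5:].decode("utf-8", "replace")
    return info

def summarize_nps_event(xml_text):
    """Pull the decision fields out of one NPS/IAS XML log event."""
    ev = ET.fromstring(xml_text)
    return {"rejected": ev.findtext("Packet-Type") == "3",   # RADIUS code 3 = Access-Reject
            "policy": ev.findtext("NP-Policy-Name"),
            "reason": NPS_REASONS.get(int(ev.findtext("Reason-Code")), "unknown")}
```

For the excerpt above this yields an EAP Identity response for host/KKuyukov-new.NES.RU answered by an EAP Failure, and an Access-Reject under the Mikrotik-VPN policy with reason code 66.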

What does your Windows client report in the Event Viewer as the disconnection cause?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-EapHost" Guid="{6EB8DB94-FE96-443F-A366-5FE0CEE7FB1C}" />
    <EventID>3002</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-16T09:16:34.040072900Z" />
    <EventRecordID>91897</EventRecordID>
    <Correlation ActivityID="{EBC08319-0F04-0001-3237-C4EB040FD201}" />
    <Execution ProcessID="1240" ThreadID="4956" />
    <Channel>Application</Channel>
    <Computer>KKuyukov-new.NES.RU</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="TypeId">0</Data>
    <Data Name="AuthorId">0</Data>
    <Data Name="VendorId">0</Data>
    <Data Name="VendorType">0</Data>
  </EventData>
</Event>

This log doesn’t show information that would help to solve the issue. Maybe you could look up some topic on eduroam, as there are multiple users where a similar setup is working.

I will try…
But it is not only for eduroam.
The theme can be 6.36.3 + CAPsMAN v2 + WPA2-EAP + Win2008R2 NPS (PEAP only).

Dear,

Hi,

I have it working at the moment.
We’re working in a domain environment, and at the moment I’m testing WPA2 Enterprise AES authentication instead of WPA Enterprise with TKIP.
The best way to get it working is to manually configure the WLAN profile on the Windows client.

Here are the RouterOS settings; the RADIUS server we authenticate with is Windows NPS 2012R2:

add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=Windows-NPS-WPA2 radius-eap-accounting=yes radius-mac-mode=as-username-and-password supplicant-identity=""

We have the setting ‘Automatically use my Windows logon name and password (and domain if any)’ checked on.

Hope this will help,
Patrick