AD authentication for wlan connections

Device: RB433GL, RouterOS 6.7, 2x wlan.

I’m trying to set up a WLAN on MikroTik so that users will use their username/password in AD to connect.

I’ve got to the point where computers that are members of the domain (and have a certificate from the domain installed) will connect using the certificate and not ask for username/password. But I want this to work with computers/mobiles that are not members of the domain. I want them to type in their (domainname/)username/password.

I’ve got it working on a Cisco AP using this guide:
http://jackstromberg.com/2013/05/tutorial-802-1x-authentication-via-wifi-active-directory-network-policy-server-cisco-wlan-group-policy/

As it works on the Cisco and not on the MikroTik, I guess the RADIUS server is set up correctly, and I think there must be something in the Cisco config that I’ve missed when trying to do the same in MikroTik.

Here is what I have on the running config, the one that (unintentionally) works with domain certificate authentication, but not with (domain/)username/password authentication.

/radius
add address=10.61.6.55 secret=password service=ppp,login,wireless src-address=10.61.6.216

/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap mode=dynamic-keys name="WIFIradius" radius-eap-accounting=yes radius-mac-mode=as-username-and-password supplicant-identity="WIFI216" tls-mode=dont-verify-certificate

/interface wireless
add disabled=no l2mtu=2290 mac-address=02:0C:42:6C:B8:AA master-interface=wlan1 name=C-WIFI security-profile="WIFIradius" ssid=testWIFI wds-cost-range=0 wds-default-cost=0

When using domain\user and password to connect from a PC that is not a member of the domain, the RADIUS server denies access, logging the following:

Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.

So it seems like the MikroTik sends some kind of certificate to the RADIUS server, and not the username/password.

Which setting am I missing?

I have had this configured some time ago without the certificate verification, and all of the settings were on the RADIUS server and client. MikroTik was just passing the authentication requests to the RADIUS server. The security profile setting export is below, and it was working fine against a Linux FreeRADIUS server verifying to AD using NTLM.

/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough group-ciphers=\
    aes-ccm group-key-update=5m interim-update=0s management-protection=\
    disabled management-protection-key="" mode=dynamic-keys name=radius \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=test tls-certificate=none \
    tls-mode=dont-verify-certificate unicast-ciphers=aes-ccm \
    wpa-pre-shared-key="" wpa2-pre-shared-key=""

/radius
add accounting-backup=no accounting-port=1813 address=172.31.83.23 \
    authentication-port=1812 called-id="" disabled=yes domain="" realm="" \
    secret=XXXXXXX service=wireless timeout=300ms

Thanks. Your config did the trick. This config now works excellently with RADIUS on Windows Server 2012.
The required changes were mac-mode=username and disabling eap-accounting.
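The two exported profiles in this thread differ in many more settings than the two the poster found mattered, which is easy to miss by eye. As an added example (not code from the thread or from MikroTik), the script below parses RouterOS `export` statements, including backslash line continuations and quoted values, diffs the failing and working profiles, and checks a profile against the two settings the poster reported as the required changes. The `EXPECTED` table encodes only what this thread states and is not a MikroTik reference; the two profile strings are the ones pasted above.

```python
"""RouterOS export parser and security-profile diff. Added example, not from
the thread or MikroTik. The two profiles are the ones pasted in the thread;
EXPECTED holds only the two settings the original poster reported had to change."""
import re
import shlex

# Profile from the original question (certificate auth worked, username/password did not).
FAILING_PROFILE = '''
/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap mode=dynamic-keys name="WIFIradius" radius-eap-accounting=yes radius-mac-mode=as-username-and-password supplicant-identity="WIFI216" tls-mode=dont-verify-certificate
'''

# Profile from the reply that the poster confirmed works with username/password passthrough.
WORKING_PROFILE = r'''
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough group-ciphers=\
    aes-ccm group-key-update=5m interim-update=0s management-protection=\
    disabled management-protection-key="" mode=dynamic-keys name=radius \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=test tls-certificate=none \
    tls-mode=dont-verify-certificate unicast-ciphers=aes-ccm \
    wpa-pre-shared-key="" wpa2-pre-shared-key=""
'''

# Settings this thread reports as the required changes (assumption: taken from the posts, not from MikroTik docs).
EXPECTED = {"radius-mac-mode": "as-username", "radius-eap-accounting": "no"}


def parse_export(text):
    """Return {setting: value} for the first 'add' statement in an export block.

    A trailing backslash continues the statement on the next line; a stray space
    after the backslash (as happens in pasted configs) is tolerated."""
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", text)
    stmt = next((ln.strip() for ln in joined.splitlines() if ln.strip().startswith("add ")), None)
    if stmt is None:
        raise ValueError("no 'add' statement found")
    settings = {}
    for token in shlex.split(stmt[4:]):  # shlex strips the quotes around values
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("unexpected token %r" % token)
        settings[key] = value
    return settings


def diff_profiles(a, b):
    """Settings whose value differs (missing on one side shows as None)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def check_passthrough(profile):
    """List the EXPECTED settings a profile does not match."""
    return ["%s: expected %r, found %r" % (k, v, profile.get(k)) for k, v in EXPECTED.items() if profile.get(k) != v]
```

Running `diff_profiles(parse_export(FAILING_PROFILE), parse_export(WORKING_PROFILE))` lists every differing setting, while `check_passthrough` narrows that to the two the thread identified.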

I thought the problem might be in the mac-mode but was not exactly sure. I am glad it's working for you now.

Hi guys, is there a way I can test locally if my RADIUS is working well, the same tool as radtest on FreeRADIUS that I can use on NPS? My MikroTik requests are not seen in Event Viewer.
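A radtest-style check does not need FreeRADIUS: it is one UDP Access-Request built per RFC 2865. The script below is an added example, not code from the thread, MikroTik or Microsoft. It hides the password the way RFC 2865 section 5.2 requires, sends a PAP Access-Request, and refuses to trust the reply unless its Response Authenticator verifies against the shared secret, which also makes a wrong secret show up as a clear error rather than silence. It assumes the server has a RADIUS client entry for the host you run it from with the same shared secret, that its policy allows PAP, and that the `NAS-IP-Address` and `NAS-Identifier` values it fills in (constructed here) are acceptable to that policy. It exercises reachability, the secret and the credential policy, not the EAP passthrough path the wireless clients use.

```python
"""Minimal RADIUS Access-Request client (RFC 2865, PAP), the same kind of
check radtest performs. Added example, not code from the thread or MikroTik.
Assumes the server has a client entry for the sending host with the same
shared secret and a policy that allows PAP."""
import hashlib
import os
import socket
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 18, 32
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def _xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret || previous ciphertext block)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result  # chaining always uses the ciphertext block
    return bytes(out)


def hide_password(password, secret, authenticator):
    """Pad to a multiple of 16 bytes (at least one block) and apply User-Password hiding."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def encode_attrs(attrs):
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(data):
    """Walk the type/length/value list, refusing lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def build_access_request(username, password, secret, identifier, nas_ip="127.0.0.1", authenticator=None):
    """Return (packet, request_authenticator); keep the authenticator to verify the reply."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),  # constructed value; servers match clients by source IP
        (ATTR_NAS_IDENTIFIER, b"radius-check"),            # constructed name for this test client
    ])
    header = HEADER.pack(CODE_ACCESS_REQUEST, identifier, HEADER.size + len(attrs), authenticator)
    return header + attrs, authenticator


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, identifier, HEADER.size + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs=()):
    """Server-side reply builder, used here only to construct a reply for offline checking."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, body, request_auth, secret)
    return HEADER.pack(code, identifier, HEADER.size + len(body), auth) + body


def parse_response(packet, secret, request_auth, expected_id):
    """Verify the reply before trusting it; otherwise any host on the path could answer
    with a forged Access-Accept, and a wrong secret would look like a valid reply."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length, auth = HEADER.unpack_from(packet)
    if not HEADER.size <= length <= len(packet):
        raise ValueError("bad length field")
    attrs = packet[HEADER.size:length]
    if identifier != expected_id:
        raise ValueError("identifier mismatch: reply belongs to another request")
    if auth != response_authenticator(code, identifier, attrs, request_auth, secret):
        raise ValueError("response authenticator invalid: wrong shared secret or forged reply")
    messages = [v.decode(errors="replace") for t, v in decode_attrs(attrs) if t == ATTR_REPLY_MESSAGE]
    return {"code": code, "accepted": code == CODE_ACCESS_ACCEPT, "reply_messages": messages}


def is_valid_response(packet, secret, request_auth, expected_id):
    try:
        parse_response(packet, secret, request_auth, expected_id)
        return True
    except ValueError:
        return False


def radius_check(host, username, password, secret, port=1812, timeout=3.0):
    """Send one PAP Access-Request and return the verified verdict, like radtest."""
    ident = os.urandom(1)[0]
    packet, auth = build_access_request(username, password, secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)  # socket.timeout here means unreachable, or the server silently dropped it
    return parse_response(data, secret, auth, ident)
```

Call `radius_check(server_ip, "user", "password", b"shared-secret")` from a host that is configured as a RADIUS client on the server. A silent drop (timeout) with no entry in Event Viewer usually means the server does not recognise the source IP as a client, since RADIUS servers discard requests from unknown clients; an "authenticator invalid" error means the request was answered but the secret differs; an Access-Reject with a Reply-Message means the request reached policy evaluation.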