Authenticating VPNs using RADIUS/NPS - radius timeout

Hello there,
I’ve got Active Directory with some users, and now I’m going to give them the possibility of working remotely on the domain. I’ve got a PPTP VPN server on a Mikrotik Routerboard. The answer for automatic authentication using AD credentials is an NPS server. I’ve done everything as in this tutorial: https://mivilisnet.wordpress.com/2018/10/01/how-to-integrate-your-mikrotik-router-with-windows-ad/
But unfortunately I’m getting Error 691 when I try to connect to the VPN.

I did some research and I read logs from Winbox:

However, in RADIUS status there are no packets sent.

On NPS there are no logs that Mikrotik tried to authenticate.
I did a tracert on the NPS IP and UDP port 1812, and I’ve got logs on the NPS server that it received an invalid RADIUS message, so it’s not a firewall problem.

Can you guys help me?

Your NPS configuration might be wrong. Post your network policy for VPN Auth.
Are you using ‘ppp’ in the MT RADIUS config? Show your MT RADIUS config.

Additionally, as your AD credentials will be encrypted you cannot use CHAP authentication. Simple authentication mechanisms have the following requirements for RADIUS credentials:

PAP - plaintext or encrypted
CHAP - plaintext
MSCHAPv2 - plaintext or MSCHAPv2

Also, don’t use PPTP for VPNs as it is very insecure.

Okay, the problem is solved. It was my bad, because in the Mikrotik RADIUS config there’s a DOMAIN field and I put the FQDN there. I didn’t know that this field is used by Mikrotik to forward auth to the proper RADIUS server, e.g. when I log in as YYY\user, Mikrotik checks whether there’s a RADIUS server for domain YYY, and then passes the credentials to it. When I changed this field to the domain name used for login, everything was OK. I feel like a newbie now, but the most important thing is that everything is working well.

Yes, I’ve read before that PPTP is not so good. I will move to an IPsec tunnel as soon as I learn how to do it.
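An added example, not code from the thread or from RouterOS: a small Python model of the domain-matching behaviour the post describes, showing why an FQDN in the Mikrotik RADIUS "domain" field means no RADIUS packets are ever sent. The matching rule, the NPS address 192.0.2.10 and the domain names are assumptions made for the example.

```python
# Added example modelling the MikroTik RADIUS 'domain' selection described
# in this thread. Not RouterOS code. Matching rule (assumption drawn from the
# post): an entry with an empty domain matches any login; otherwise the
# DOMAIN\ prefix of the login must equal the entry's domain (case-insensitive).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RadiusEntry:
    address: str          # RADIUS server (NPS) IP
    services: frozenset   # e.g. frozenset({"ppp"}) for PPTP/L2TP/SSTP users
    domain: str = ""      # MikroTik 'domain' field; "" means unrestricted


def split_login(login: str) -> Tuple[str, str]:
    """'CORP\\alice' -> ('CORP', 'alice'); 'alice' -> ('', 'alice')."""
    if "\\" in login:
        dom, user = login.split("\\", 1)
        return dom, user
    return "", login


def select_radius(entries: List[RadiusEntry], login: str,
                  service: str = "ppp") -> Optional[RadiusEntry]:
    """Return the first entry the request would be forwarded to, or None.
    None reproduces the symptom: no RADIUS packets sent, client gets 691."""
    dom, _ = split_login(login)
    for e in entries:
        if service not in e.services:
            continue
        if e.domain == "" or e.domain.lower() == dom.lower():
            return e
    return None


# Constructed entries: NPS address and domain names are placeholders.
NPS = "192.0.2.10"
WRONG = [RadiusEntry(NPS, frozenset({"ppp"}), domain="corp.example.com")]  # FQDN
FIXED = [RadiusEntry(NPS, frozenset({"ppp"}), domain="CORP")]             # login domain

if __name__ == "__main__":
    for label, entries in (("FQDN in domain field", WRONG), ("login domain name", FIXED)):
        hit = select_radius(entries, "CORP\\alice")
        print(f"{label}: {'forwarded to ' + hit.address if hit else 'no RADIUS server matched'}")
```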

I have a Windows PDC with RADIUS and a Mikrotik with “use radius” checked and the RADIUS server set:
but the PPTP log shows that authentication goes as simple MS-CHAPv2, no RADIUS at all:
Need help. What can be wrong?

The problem was in the firewall rule “block invalid packets”: it blocks GRE. I set the rule to “block invalid TCP packets” and now everything works fine.