Authentication Methods RADIUS VPN WINDOWS SERVER

Hi everyone.
I have an OpenVPN server on a Cloud Hosted Router. I use the RADIUS client on the same router to authenticate VPN users against Windows Server Active Directory (2016).
But I have a problem with Authentication Methods in Network Policies. Windows accepts the login only when I check “Unencrypted authentication (PAP, SPAP)”.
So is it some problem with my MikroTik configuration, or in this scenario (OVPN server + RADIUS) is unencrypted the only possible way?
Any help would be great :slight_smile:

Krzysztof

Your RADIUS client is your Mikrotik router? And your RADIUS Server is?

It's Windows Server 2016 as my RADIUS server.

And yeah… my client is MikroTik ROS.

Did you turn on ‘use radius’ in your MT router PPP / Secrets - PPP Authentication&Accounting ?

Good point… turn on radius logging

@cvan: He clearly has working radius, if the “unencrypted authentication” is enabled in Windows Server Network Policy, therefore he must have this “use radius” setting enabled in ROS.

@krsz: Hi, I tried to replicate it and ended up with the same situation - OVPN does not work without “unencrypted authentication” enabled.
I can still use ROS login via RADIUS even without “unencrypted authentication”, therefore the connection in general works.
Disclaimer: I never used OVPN and don't really know how authentication in this protocol works. I just tried to quickly replicate it, to see if it is something specific to your config or not. Sorry I couldn't bring a solution.

Good point… turn on radius logging

For example:
18:20:47 ovpn,info : using encoding - AES-256-CBC/SHA1
18:20:47 radius,debug new request 1b:05 code=Access-Request service=ppp called-id=xxxxxxx domain=yyyyy
18:20:47 radius,debug sending 1b:05 to xxxxxxx:1812
18:20:47 radius,debug,packet sending Access-Request with id 8 to xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x67458b6bc6237b3269983c6473483366
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet NAS-Port = 15728643
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = “xxxxxxx”
18:20:47 radius,debug,packet Calling-Station-Id = “xxxxxxx”
18:20:47 radius,debug,packet Called-Station-Id = “xxxxxxx”
18:20:47 radius,debug,packet MS-CHAP-Domain = “xxxxxxx”
18:20:47 radius,debug,packet User-Password = 0x5a7172733338706263
18:20:47 radius,debug,packet NAS-Identifier = “R2 CHR”
18:20:47 radius,debug,packet MT-Realm = 0x737a612e6c6f63616c
18:20:47 radius,debug,packet NAS-IP-Address = xxxxxxx
18:20:47 radius,debug,packet received Access-Accept with id 8 from xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x5cbdcbc642ceb53684d075e8f39b93e0
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Class = 0xcf2709e10000013700010200c0a864fe
18:20:47 radius,debug,packet 000000001dbc2e4bcf8d935c01d4ba43
18:20:47 radius,debug,packet 6804ca350000000000000001
18:20:47 radius,debug,packet MS-Link-Utilizatoin-Threshold = 50
18:20:47 radius,debug,packet MS-Link-Drop-Time-Limit = 120
18:20:47 radius,debug,packet MS-MPPE-Encryption-Policy = 2
18:20:47 radius,debug,packet MS-MPPE-Encryption-Type = 14
18:20:47 radius,debug received reply for 1b:05
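To make a log like the one above quicker to read, here is an added Python helper (not from this thread or from MikroTik) that works out which authentication method RouterOS actually sent to the RADIUS server from its `radius,debug,packet` lines, maps it to the NPS "Authentication Methods" checkbox that has to be ticked, and checks NAS-Port-Type against the value 5 (Virtual) that a later reply recommends. It goes slightly beyond the PAP case in the post: MS-CHAPv2 lines from an L2TP session are classified as well. The sample log lines are constructed with placeholder addresses and values (the real User-Password and Class values are not reproduced), and the NPS checkbox labels other than the PAP one are assumed from the NPS policy dialog rather than taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Credential-carrying RADIUS attribute -> authentication method it implies.
METHOD_BY_ATTRIBUTE = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAP",
    "MS-CHAP2-Response": "MS-CHAPv2",
    "EAP-Message": "EAP",
}
# NPS "Authentication Methods" checkbox needed for each method (assumed labels, except PAP).
NPS_CHECKBOX = {
    "PAP": "Unencrypted authentication (PAP, SPAP)",
    "CHAP": "Encrypted authentication (CHAP)",
    "MS-CHAP": "Microsoft Encrypted Authentication (MS-CHAP)",
    "MS-CHAPv2": "Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)",
    "EAP": "an EAP type",
}
# NAS-Port-Type values from RFC 2865 (subset).
NAS_PORT_TYPE = {0: "Async", 5: "Virtual", 15: "Ethernet"}

PACKET_RE = re.compile(r"radius,debug,packet\s+(sending|received)\s+(Access-\w+)")
ATTR_RE = re.compile(r"radius,debug,packet\s+([A-Za-z0-9-]+)\s*=\s*(.+)$")


@dataclass
class RadiusDiagnosis:
    request_attrs: Dict[str, str]   # attributes RouterOS put into the Access-Request
    reply_code: Optional[str]       # Access-Accept / Access-Reject / None if no reply logged
    auth_methods: List[str]         # methods inferred from the request attributes
    nas_port_type: Optional[int]
    findings: List[str]             # human-readable notes for the administrator


def diagnose(lines: Iterable[str]) -> RadiusDiagnosis:
    """Parse RouterOS radius debug lines and explain what NPS will see."""
    request_attrs: Dict[str, str] = {}
    reply_code = None
    in_request = False
    for line in lines:
        pkt = PACKET_RE.search(line)
        if pkt:
            direction, code = pkt.groups()
            in_request = direction == "sending"
            if direction == "received":
                reply_code = code
            continue
        attr = ATTR_RE.search(line)
        if attr and in_request:
            # Continuation lines of long values carry no '=' and are skipped on purpose.
            request_attrs[attr.group(1)] = attr.group(2).strip().strip('"\u201c\u201d')

    methods = [m for a, m in METHOD_BY_ATTRIBUTE.items() if a in request_attrs]
    findings: List[str] = []
    for m in methods:
        findings.append(f"Credential sent as {m}: the NPS network policy must allow '{NPS_CHECKBOX[m]}'.")
    if "PAP" in methods:
        findings.append("PAP: the password is only hidden with the RADIUS shared secret on the wire; "
                        "use a strong secret and a protected NAS-to-NPS path.")
        findings.append("User-Password appears in this debug output; handle the log as sensitive.")

    nas_port_type = None
    raw = request_attrs.get("NAS-Port-Type")
    if raw is not None and raw.isdigit():
        nas_port_type = int(raw)
        if nas_port_type != 5:
            name = NAS_PORT_TYPE.get(nas_port_type, "unknown")
            findings.append(f"NAS-Port-Type is {nas_port_type} ({name}); VPN sessions are usually "
                            "reported as 5 (Virtual), which NPS policy conditions may match on.")
    if reply_code == "Access-Reject":
        findings.append("Server answered Access-Reject: check the NPS event log for the reason.")
    return RadiusDiagnosis(request_attrs, reply_code, methods, nas_port_type, findings)


# Constructed sample modelled on the OVPN post above; addresses and values are placeholders.
SAMPLE_PAP_LOG = """\
18:20:47 ovpn,info <user>: using encoding - AES-256-CBC/SHA1
18:20:47 radius,debug new request 1b:05 code=Access-Request service=ppp called-id=192.0.2.1 domain=example
18:20:47 radius,debug,packet sending Access-Request with id 8 to 192.0.2.10:1812
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = "vpn-user"
18:20:47 radius,debug,packet MS-CHAP-Domain = "EXAMPLE"
18:20:47 radius,debug,packet User-Password = 0x00000000000000000000
18:20:47 radius,debug,packet NAS-Identifier = "R2 CHR"
18:20:47 radius,debug,packet received Access-Accept with id 8 from 192.0.2.10:1812
18:20:47 radius,debug,packet Class = 0x00000000000000000000000000000000
18:20:47 radius,debug,packet 00000000000000000000000000000000
18:20:47 radius,debug received reply for 1b:05
"""

# Constructed sample of an L2TP session using MS-CHAPv2 that the server rejected.
SAMPLE_MSCHAP_LOG = """\
12:00:00 radius,debug,packet sending Access-Request with id 9 to 192.0.2.10:1812
12:00:00 radius,debug,packet NAS-Port-Type = 5
12:00:00 radius,debug,packet User-Name = "vpn-user"
12:00:00 radius,debug,packet MS-CHAP-Challenge = 0x00000000000000000000000000000000
12:00:00 radius,debug,packet MS-CHAP2-Response = 0x00000000000000000000000000000000
12:00:00 radius,debug,packet received Access-Reject with id 9 from 192.0.2.10:1812
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PAP_LOG.splitlines()).findings:
        print("-", finding)
```

Feed it the output of `/log print` filtered to the radius topics; the presence of `User-Password` in the Access-Request is what makes NPS demand the PAP checkbox, so if that attribute shows up there is nothing to fix on the NPS side.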

And what does the event viewer say in the AD/NPS logs on the Windows Server?

Are you specifying the domain attribute on the RADIUS client?

NAS-Port-Type should be 5 (Virtual).

No.

How can I change it in RouterOS?

Hello krsz,

Have you been able to figure out a way to have your Mikrotik sending identification information in a secure fashion to the MS radius server?

I, obviously, encounter the same issue, and it’s very frustrating to see messages in the NPS server stating that the user tried to use an authentication method that is not activated when only encrypted authentication is active.

And even more frustrating when you disable encryption (even if it's only in my LAN, I don't want to have clear-text passwords transiting on my network).

Same problem here.
Has anyone found a solution?

Hello. I have the same problem. I can't authenticate OpenVPN via RADIUS if I don't allow PAP in NPS. If I allow PAP, everything works perfectly.
Still no solution?

I have the same “problem”. When using L2TP it is possible to use MS-CHAP, but I guess that is thanks to the setting under PPP → L2TP server → Authentication. There is no such setting when using OVPN, which then causes insecure RADIUS verification.

@mikrotik could you give us a hint on how to sanitize this?

Same for me.
Would be nice if someone shed some light on this topic.
Maybe it's the only available auth method for OVPN in RADIUS.

I have the same issue. I can't believe this wouldn't support anything else but PAP in the OpenVPN configuration; I will send an email to MikroTik to double check.

Cool. Let us know what they say.

Sad but true: they confirmed that ROS only supports PAP auth mode for RADIUS authentication with OpenVPN.