EAP authentication for PPP

Greetings,

I am working on an authentication solution for VPNs to our Mikrotik devices. The configuration uses an external RADIUS server (NPS) which Mikrotik talks to to authenticate against our cloud Active Directory (Azure AD Domain Services). I got it to work with MS-CHAPv2 but it seems that Mikrotik doesn’t support EAP authentication for the PPP service.

Am I missing something or is there really no support for EAP with VPN authentication? Seems like quite a security risk to only support MS-CHAPv2 as the best authentication protocol, since it was cracked quite a few years ago.

Hi,

Did you find out any more on this subject?

I’ve hit the same just for sstp. The remote sstp server only accepts EAP (0xc227) as an authentication option while ROS sstp-client seems not to support that (couldn’t find any option for ppp-client either).
(The other unrelated issue is that ROS sstp-client only supports ssl3 ciphers, meaning that a properly configured remote allowing tls1.2 only including ciphers will fail tls setup – I worked around that with a socat container.)

I verified that the linux sstp-client/pppd works fine with this specific remote if selecting EAP for auth.

Thank you,
Andre
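
The negotiation the posts above refer to, as an added example that is not part of the original thread or of any MikroTik code: a small parser for the LCP Authentication-Protocol option (type 3, RFC 1661), which is where a server advertises EAP (0xc227) and where an MS-CHAPv2-only client answers with 0xc223 and algorithm 0x81. The function name and the two sample packets are constructed for illustration.

```python
import struct

# PPP authentication protocol numbers carried in LCP option 3 (RFC 1661).
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP"}
# Algorithm byte that follows 0xc223 in the option data.
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}
OPT_AUTH_PROTOCOL = 3


def parse_lcp_auth(packet: bytes):
    """Return (lcp_code_name, auth_name); auth_name is None if option 3 is absent."""
    if len(packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad LCP length field")
    options, pos, auth = packet[4:length], 0, None
    while pos < len(options):
        if pos + 2 > len(options):
            raise ValueError("truncated option header")
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len < 2 or pos + opt_len > len(options):
            raise ValueError("bad option length")
        data = options[pos + 2:pos + opt_len]
        if opt_type == OPT_AUTH_PROTOCOL:
            if len(data) < 2:
                raise ValueError("short Authentication-Protocol option")
            proto = struct.unpack("!H", data[:2])[0]
            auth = AUTH_PROTOCOLS.get(proto, f"unknown(0x{proto:04x})")
            if proto == 0xC223 and len(data) >= 3:
                auth = CHAP_ALGORITHMS.get(data[2], f"CHAP-alg-0x{data[2]:02x}")
        pos += opt_len
    return LCP_CODES.get(code, f"code-{code}"), auth


# Constructed sample packets (not captured from any real device).
# Server demands EAP: Configure-Request, id 1, MRU 1500 + auth 0xc227.
SERVER_REQ = bytes.fromhex("0101000c" "010405dc" "0304c227")
# MS-CHAPv2-only client replies with Configure-Nak suggesting 0xc223/0x81.
CLIENT_NAK = bytes.fromhex("03010009" "0305c22381")

if __name__ == "__main__":
    for name, pkt in (("server", SERVER_REQ), ("client", CLIENT_NAK)):
        print(name, *parse_lcp_auth(pkt))
```

Run over the LCP frames from a debug log or capture, this shows whether a failed session stalled because each side kept proposing an authentication protocol the other would not accept.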

To my knowledge, if you want to use EAP authentication on VPN connections, MikroTik currently supports it only in the IPsec protocol (it also works with NPS and the AZURE plugin).