external Radius server and mikrotik ???

Hi everyone, is mikrotik compatible to be a client of an external Radius server?

I just signed up with jumpcloud.com but cannot get mikrotik to authenticate to their radius server

I have my local radius server and have no issues connecting to it

tried to search on the internet but all the guides talk about the local server but not the cloud one


thank you

What are you trying to use the radius client for? Hotspot, PPP, Local Auth etc?

Provide an /export (or at least /radius export and config of the service you want using it) so we can help.

Personally I connect all our mikrotiks to a ‘cloud hosted’ Radius server in a different country for ppp auth without issue. Most likely - it is a configuration issue on either your mikrotik or radius server.

thank you

/radius
add address=18.182.131.248 secret="sjsdfsdf$cEdfdsfgsdfsdltPGfsdfssdfdsfdsmsdfqfWr232wr3" \
    service=login,ipsec timeout=600ms

All I get is:

requests 1,2 - timeouts 1, 2 etc

I tried to use one of the testing tools on Windows and tested authentications of users and it works fine but how do I connect to that radius server via mikrotik?

I have an IKEv2 server but even for local authentication to mikrotik if that worked I would be happy

Looks like it’s a connectivity issue?? I disabled all the firewall rules and same issues

It works fine against FreeRADIUS.

It could be the RADIUS server does not support the required authentication methods - the JumpCloud documentation says “JumpCloud RaaS servers offer both EAP-TTLS/PAP and PEAP (MSCHAPv2) for authentication”, it doesn’t indicate if it responds to requests with unsupported authentication methods or silently ignores them.

Since RouterOS v6.43 the login service uses MS-CHAPv2, note this is not the same as PEAP (more correctly PEAPv0/EAP-MSCHAPv2).

@joegoldman

are you using foxpass?

No I am using Radiator on a cloud hosted Dedicated Server in a different country from most of my routers.

You can run debug radius log to get the packets being sent and any received to really drill down into the problem (and do the same level on the cloud end). This way you can see if it's even being received or if it's an auth problem etc.

600ms timeout ?
Perhaps as a test increase this slightly ?
I’m aware that 600ms is like eternity but still …

Apart from that, give JumpCloud a call/mail and simply ask them ? “Do you guys reply to my radius-client even if I would be making an invalid request?”
I mean, you have the shared-secret that is correct, I would assume the remote AAA-platform would reply with SOMETHING.

If you make requests with an invalid preshared key of course I can imagine the remote platform remains silent…

Also, perhaps try a simple pre-shared key, perhaps there is some bug in RouterOS with such a long key or chars used.

you are sure your IP is not passed by some CGNAT gateway on its way out ? Basically JumpCloud has your correct public IP ?

Hello, I used both IBSng and FreeRadius3 there was no problem with RAS.

/interface wireless security-profiles
add authentication-types=wpa2-eap mode=dynamic-keys name=EAP_AP \
    supplicant-identity=Mikrotik

You need to set EAP Method=passthrough
Just now tested login to mikrotik AP using RADIUS from jumpcloud

WiFi authentication is not the issue here. The OP wanted to authenticate logins to the Mikrotik itself which requires the RADIUS server to support plain MS-CHAPv2, not encapsulated EAP

Attempting to achieve the same thing (router admin login & VPN) with some success in JumpCloud.

For “login”:
Only authenticates using the JumpCloud “Protect” app via push.
When we try and use the “manual” method (i.e. password + , + TOTP Google/MS Auth etc.. code) it fails with error “mschap: MS-CHAP2-Response is incorrect”, so suspect authentication protocol issues.

For “VPN” (ppp & ipsec):
If we set auth on Mikrotik to “pap”, then the “manual” method above works.
If we set auth to “MSCHAPv2” then the “manual” route fails.
If we set auth to “MSCHAPv2” and use the JumpCloud “Protect” app via push it works.

Again looks to be authentication protocol incompatibilities. Not advanced beyond that as yet.

Along the lines of my earlier post, the JumpCloud RADIUS Server documentation says:
Device or service endpoint that supports RADIUS and either EAP-TTLS/PAP or EAP-PEAP/MSCHAPv2 authentication methods. Simple PAP may also be used, but we highly recommend you use a more secure authentication protocol such as EAP-TTLS/PAP or EAP-PEAP/MSCHAPv2

It does not claim to support plain MSCHAPv2 so Mikrotik login service will not work, nor will PPP-based VPNs using CHAP, MSCHAPv1 or MSCHAPv2. Mikrotik do not support EAP passthrough for PPP-based VPNs, but you should be able to use IPsec IKEv2 with the eap-radius authentication method.
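
Added example, not part of the thread or of any poster's or vendor's code: a small Python classifier that reads a raw RADIUS Access-Request, such as one captured while following the debug-log advice above, and names the authentication method it carries, so it can be compared with what the server documents. The sample packets are constructed, and `DOCUMENTED` is an assumption taken from the documentation quote in the thread.

```python
import struct

MS_VENDOR = 311              # Microsoft vendor id of the RFC 2548 MS-CHAP attributes
DOCUMENTED = {"EAP", "PAP"}  # assumption: outer methods named in the quoted server docs

def attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code, id, length and the 16-byte authenticator come first
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def ms_subtypes(value):
    """Return the Microsoft sub-attribute types in one Vendor-Specific value."""
    found, pos = set(), 4
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != MS_VENDOR:
        return found
    while pos + 2 <= len(value) and value[pos + 1] >= 2:
        found.add(value[pos])
        pos += value[pos + 1]
    return found

def auth_method(packet):
    """Name the authentication method carried by an Access-Request."""
    if len(packet) < 20 or packet[0] != 1:
        raise ValueError("not an Access-Request")
    types, ms = set(), set()
    for atype, value in attributes(packet):
        types.add(atype)
        if atype == 26:  # Vendor-Specific
            ms |= ms_subtypes(value)
    checks = (("EAP", 79 in types), ("MS-CHAPv2", 25 in ms), ("MS-CHAPv1", 1 in ms),
              ("CHAP", 3 in types), ("PAP", 2 in types))
    return next((name for name, hit in checks if hit), "unknown")

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _request(*attrs):  # constructed Access-Request with a zeroed authenticator
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

def _ms(vtype, data):
    return _attr(26, struct.pack("!I", MS_VENDOR) + _attr(vtype, data))

USER = _attr(1, b"admin")
SAMPLES = {  # constructed packets, not captures from a router
    "login": _request(USER, _ms(11, bytes(16)), _ms(25, bytes(50))),
    "ppp pap": _request(USER, _attr(2, bytes(16))),
    "ikev2 eap-radius": _request(USER, _attr(79, b"\x02\x00\x00\x0a\x01admin"), _attr(80, bytes(16))),
}

def report():
    return {n: (auth_method(p), auth_method(p) in DOCUMENTED) for n, p in SAMPLES.items()}
```

A result of "EAP" only identifies the outer method; the inner method (TTLS/PAP, PEAP/MSCHAPv2) is negotiated inside the EAP exchange and is not visible from the first request.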