Freeipa radius ldap backend login

Hi,
I’m trying (without success) to authenticate mikrotik on radius freeipa server with ldap backend.
Has anyone been successful?

Hi!
Maybe this is no longer relevant, but I’ll answer.

I successfully implemented a bunch of centos 8 + freeipa 4.8.4 + freeradius 3.0.17 + mikrotik 6.47.

Some non-obvious points for me. FreeIPA’s default password hash is PBKDF2_SHA256, but FreeRADIUS does not support it. You must change the FreeIPA hash.
Mikrotik’s RADIUS client uses MSCHAPv2 for auth. MSCHAPv2 supports only a clear text hash or NT HASH. You must add NT HASH support to your FreeIPA.
But still it works! And I can connect to Mikrotik’s L2TP-server with my LDAP login.

Hi mekatum,

I have the same problem. Newly installed FreeIPA with LDAP + freeradius.
Connections between Huawei, Cisco devices and FreeIPA server over the freeradius are OK but MikroTik doesn’t work.

My question is, how do I change the FreeIPA hash? Or how do I add NT HASH support to my FreeIPA server?

Thank You for help.

Best
Plnt

Hi,

we used OpenLDAP with freeRadius and used cleartext passwords for Mikrotik and other vendors: Cisco, Huawei, Zyxel…
We made a similar setup as you (“I successfully implemented a bunch of centos 8 + freeipa 4.8.4 + freeradius 3.0.17 + mikrotik 6.47.”), but we can’t authenticate on Mikrotik via this setup.
Please, could you help us in some way?
Thanks.

Yosefko

I burnt a lot of time trying to get this to work.

  • most guides are 5+ years old
  • everyone that’s giving advice and tips seems to be using different versions
  • security issues trying to get this to work

The list kind of just goes on.

If someone could do a write up of all the steps needed for a fresh install of FreeIPA + FreeRADIUS I’m sure a lot of people would find it useful.

I gave up and just made a dedicated RADIUS server for mikrotik logins.

I had managed to get this working with CentOS 8, Freeipa, freeradius and a mikrotik router.
Up until (I suspect) the upgrade to RouterOS 7 it was working, but something has changed and the MSCHAP challenge is no longer working.

For background, I had used a number of guides that firstly use the FreeIPA - AD trust setup (don’t need AD, just run the AD specific setup as it generates the NTHASH needed for mschap challenge) and then set up a service account with a specific permission to access the NTHASH as FreeIPA doesn’t allow anonymous browsing.

Using radtest direct on the freeradius server, the MSCHAP challenge works. But now it fails with the Mikrotik RADIUS client. If I get to the bottom of it I’ll update this post.
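Putting together the hints from mekatum’s post (MSCHAPv2 needs an NT hash, which FreeIPA does not store by default) and the AD-trust post above, here is an added example of the FreeRADIUS 3.x `mods-available/ldap` mapping that hands FreeIPA’s `ipaNTHash` attribute to rlm_mschap. It is not from any poster in this thread; the realm `dc=example,dc=com`, the host `ipa.example.com`, the bind account `uid=radius,cn=sysaccounts,cn=etc,...` and its password are placeholders you must replace.

```conf
# /etc/raddb/mods-available/ldap  (FreeRADIUS 3.x; assumed example realm dc=example,dc=com)
#
# Prerequisites on the FreeIPA side (not shown here):
#   1. ipa-adtrust-install  -- run only so FreeIPA starts storing ipaNTHash;
#      no AD trust has to be created
#   2. a system account that is granted read access to ipaNTHash, because
#      FreeIPA hides that attribute from anonymous and ordinary binds
#   3. every user must set or change their password AFTER step 1, otherwise
#      ipaNTHash is never populated and MSCHAPv2 keeps failing for them
ldap {
    server   = 'ldaps://ipa.example.com'                             # placeholder host
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'  # placeholder bind DN
    password = 'CHANGE_ME'                                           # placeholder
    base_dn  = 'cn=accounts,dc=example,dc=com'

    tls {
        # Verify the directory server against the FreeIPA CA so the bind
        # password and the NT hashes never cross the wire unauthenticated.
        ca_file      = /etc/ipa/ca.crt
        require_cert = 'demand'
    }

    user {
        base_dn = "cn=users,${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # The line MSCHAPv2 depends on: copy the NT hash read from LDAP into
        # control:NT-Password so rlm_mschap can verify the client's response.
        # Without it FreeRADIUS only sees the PBKDF2_SHA256 userPassword,
        # which cannot be used to answer an MS-CHAP challenge.
        control:NT-Password := 'ipaNTHash'
    }
}
```

`ldap` must be listed before `mschap` in the `authorize` section of `sites-enabled/default` (and `inner-tunnel` if you use EAP), and the Mikrotik router needs its own entry in `clients.conf`; the `radtest -t mschap` check mentioned above is the quickest way to confirm the hash is being read before testing from the router.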

Looks like something’s changed on the Mikrotik end, I’m now running RouterOS 7.7 and login against a FreeRadius server again works.