I have a Hotspot configured for connecting WiFi clients. I want to use MAC-based authentication for laptops (in combination with HTTPS for others) in our enterprise against a RADIUS server, but with no success. I use a Windows NPS RADIUS server and the information base is Active Directory.
The RADIUS server doesn't want to match my username (which is the MAC) / password, thus it is unable to authenticate. I use reversible password encryption for the whole domain. I have created a domain account named 08:3E:8E:A9:84:17, despite the fact that I shouldn't use a colon in the username, but only in the pre-Win2000 logon name, which (I believe) is not the problem. The password I set is certainly the same one I set in the MikroTik hotspot config.
HTTPS hotspot authentication works fine. Here is the RADIUS configuration (first the Connection Request Policy, second the Network Policy; both are the first policies in their lists and should match):
radius1.jpg
radius2.jpg
Here is a dump from Wireshark:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0xfa (250)
Length: 214
Authenticator: 8151278433523c433805e1e629b057be
[The response to this request is in frame 6682]
Attribute Value Pairs
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=19 t=Calling-Station-Id(31): 08:3E:8E:A9:84:17
AVP: l=14 t=Called-Station-Id(30): hotspot-wifi
AVP: l=14 t=NAS-Port-Id(87): vlan240-wifi
AVP: l=19 t=User-Name(1): 08:3E:8E:A9:84:17
AVP: l=6 t=NAS-Port(5): 2150630423
AVP: l=10 t=Acct-Session-Id(44): 80300417
AVP: l=6 t=Framed-IP-Address(8): 10.7.240.54
AVP: l=12 t=Vendor-Specific(26) v=MikroTik(14988)
AVP: l=18 t=CHAP-Challenge(60): 7827e75430975fa65cc4ae69dff95a50
AVP: l=19 t=CHAP-Password(3): e15f143e6162d15a3985919fb11f677079
AVP: l=6 t=Service-Type(6): Login(1)
AVP: l=32 t=Vendor-Specific(26) v=Wireless Broadband Alliance Ltd (previous was 'Wi-Fi Alliance')(14122)
AVP: l=7 t=NAS-Identifier(32): aorta
AVP: l=6 t=NAS-IP-Address(4): 10.7.7.1
Radius Protocol
Code: Access-Reject (3)
Packet identifier: 0xfa (250)
Length: 20
Authenticator: d60c3a1f39bda08c347fa749bd38eb52
[This is a response to a request in frame 6645]
[Time from request: 0.015629000 seconds]
Windows log of RADIUS server:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: 08:3E:8E:A9:84:17
Account Domain: GYMLIT
Fully Qualified Account Name: GYMLIT\08:3E:8E:A9:84:17
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: hotspot-wifi
Calling Station Identifier: 08:3E:8E:A9:84:17
NAS:
NAS IPv4 Address: 10.7.7.1
NAS IPv6 Address: -
NAS Identifier: aorta
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 2150630423
RADIUS Client:
Client Friendly Name: aorta
Client IP Address: 10.7.7.1
Authentication Details:
Connection Request Policy Name: Wi-Fi
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: lenka.gymlit.cz
Authentication Type: MD5-CHAP
EAP Type: -
Account Session Identifier: 3830333030343137
Logging Results: Accounting information was not written to any data store.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
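For reference, an added worked example (not part of the original post) of the MD5-CHAP exchange visible in the capture above: how the hotspot derives the CHAP-Password value from the CHAP identifier, the account password and the CHAP-Challenge, and what the RADIUS server has to recompute on its side, which is why NPS needs a cleartext-recoverable (reversibly encrypted) password for this account. The challenge, identifier and password below are constructed sample values, not taken from the capture.

```python
import hashlib
import hmac

# Constructed sample values (not from the capture above): a 16-byte challenge,
# a CHAP identifier byte and the password configured on the hotspot account.
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_IDENT = 0xE1
SAMPLE_PASSWORD = b"hotspot-mac-secret"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
    one CHAP identifier byte followed by the 16-byte response, 17 bytes total.
    That is why the capture shows l=19 (2-byte AVP header + 17 bytes of value)
    and why the value starts with the identifier byte rather than the hash."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def split_chap_password(value: bytes) -> tuple[int, bytes]:
    """Split a CHAP-Password value into (identifier, 16-byte response)."""
    if len(value) != 17:
        raise ValueError("CHAP-Password value must be 17 bytes")
    return value[0], value[1:]


def server_verifies(value: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """What the RADIUS server must do for MD5-CHAP: recompute the response from
    the cleartext password it can recover for the account and compare. A server
    holding only a one-way hash cannot do this and rejects the request."""
    ident, response = split_chap_password(value)
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_challenge_for(attrs: dict[str, bytes], request_authenticator: bytes) -> bytes:
    """RFC 2865: the challenge is the CHAP-Challenge attribute when present
    (as in the capture), otherwise the 16-byte Request Authenticator."""
    return attrs.get("CHAP-Challenge", request_authenticator)


if __name__ == "__main__":
    avp = build_chap_password(SAMPLE_IDENT, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    print("identifier byte:", hex(avp[0]), "value length:", len(avp))
    print("stored password matches:", server_verifies(avp, SAMPLE_CHALLENGE, SAMPLE_PASSWORD))
    print("wrong password matches:", server_verifies(avp, SAMPLE_CHALLENGE, b"wrong"))
```

Running the same check with the password stored for the account, the challenge from the Access-Request and the captured CHAP-Password value tells you whether the hotspot and the directory actually hold the same password for the MAC-named account.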