How to change MikroTik RADIUS authentication method?

Is there any way to change the RADIUS authentication method from CHAP to something else?

I’m using Cisco ACS 5.2 and Windows AD, which it seems can’t permit the CHAP method by default, and I can’t enable CHAP-based authentication in AD. So maybe I can change the MikroTik RADIUS authentication method from CHAP to PAP, which I’ve tested using the NTRadPing RADIUS client and which works fine.

Thanks,
Yasser

RADIUS doesn’t use CHAP. Your PPPoE or other service is what is using CHAP, and yes, there is a checkbox. If you’re talking about the PPPoE Client, then uncheck CHAP and PAP under the dial-out tab of the PPPoE Client…

I think you are talking about User Authentication via ACS/Windows AD.

Generally Winbox user authentication uses CHAP to authenticate, but Telnet doesn’t. So if you want to log in to your router via Winbox, then you have to enable CHAP on Cisco ACS and import your AD users to ACS.

Yes, I want to authenticate users logging in to Winbox using Cisco ACS through the AD external database. Thanks for the replies. It seems there is no way…

By the way, I have found a guide on how to enable CHAP on AD, but no success:

Prepare Active Directory when using CHAP

Globally:

  1. Admin Tools - Group Policy Management
  2. Choose your forest, domain and then right click your Default Domain Policy and choose Edit.
  3. Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy → Store passwords using reversible encryption = Enabled.

Per User:

  1. Open your domain user’s properties and check Store password using reversible encryption on the Account tab.

Note: Passwords must be changed/reset for reversible encryption to apply.

You need to enable CHAP on Cisco ACS as well. By the way, is your authentication working fine with a Cisco ACS local user?
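Why the guide above asks for reversible encryption, as an added example that is not part of any post in this thread: a CHAP response is MD5(identifier || password || challenge), so the server has to hold the cleartext to recompute it, while a PAP password is recoverable by the RADIUS server and can be checked against a one-way hash. The shared secret, password, salt and challenge are constructed sample values, and PBKDF2 stands in here for whatever one-way format the directory really uses.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(chap_attr: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """RADIUS CHAP-Password (RFC 2865 5.3): 1 ident octet + 16 response octets.
    The server recomputes the MD5 itself, so it needs the cleartext password."""
    expected = chap_response(chap_attr[0], cleartext, challenge)
    return hmac.compare_digest(chap_attr[1:], expected)

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RADIUS User-Password hiding (RFC 2865 5.2): each 16-byte block is
    XORed with MD5(shared secret || previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, mask))
        prev = mixed if hiding else block  # chain on the ciphertext block
        out += mixed
    return out

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_xor(padded, secret, authenticator, True)

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way password store (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def verify_pap(hidden, secret, authenticator, salt, stored) -> bool:
    """PAP: recover the cleartext from the packet, hash it, compare to the store."""
    recovered = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(one_way(recovered, salt), stored)

# Constructed sample values, not taken from any real system.
SECRET, SALT = b"radius-shared-secret", b"constructed-salt"
AUTHENTICATOR, CHALLENGE = bytes(range(16)), bytes(range(16, 32))
PASSWORD = b"Winbox-Admin-Pass-2024"
STORED = one_way(PASSWORD, SALT)  # all a hash-only directory holds
CHAP_ATTR = bytes([7]) + chap_response(7, PASSWORD, CHALLENGE)
HIDDEN = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
```

With only `STORED` available, `verify_pap` succeeds but `verify_chap` cannot, which is the gap the reversible-encryption setting closes. That setting leaves recoverable passwords in the directory for every account it applies to.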

Yes, I’ve enabled CHAP on ACS, and everything is fine with “Local users” database. But I want to use “AD” as my external database in ACS.

Generally Winbox user authentication uses CHAP to authenticate, but Telnet doesn’t. So if you want to log in to your router via Winbox, then you have to enable CHAP on Cisco ACS and import your AD users to ACS.

Thanks. I tried Telnet, and it worked. It authenticated with AD using PAP. But Winbox uses CHAP, and still no way to fix it.

I found this...

http://www.techrepublic.com/article/configure-cisco-routers-to-use-active-directory-authentication-the-windows-side/6180954

http://support.microsoft.com/kb/926170