MK added new features in RouterOS 6.38.1, like:
*** ipsec - added IKEv1 xauth user authentication with RADIUS “/ip ipsec user settings set xauth-use-radius=yes”;
*** radius - added IPSec service (cli only);
Earlier I configured L2TP/IPsec VPN authentication using the MikroTik built-in RADIUS server called User Manager. The configuration was done roughly as shown in this link: https://aacable.wordpress.com/tag/account-expired. This configuration is working.
Now I am trying to do the same thing, but with just IPsec and the new software features.
User authentication isn’t working. When I add users statically in /ip ipsec user, the users authenticate and everything works.
Why, with the same UserManager configuration, is L2TP/IPSec working but IPSec isn’t?
There seems to be a bug with “XAuth Use Radius”
I also tested this on 6.39 rc26 and confirm the issue.
The client receives authentication failed as soon as it tries to connect.
In the RADIUS server’s logs I see an “Accounting Stop” request instead of “Access Request” with a wrong secret.
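The reply above reports an “Accounting Stop” request with a wrong secret where an “Access Request” was expected. As an added example (not part of the posts and not MikroTik or User Manager code), this Python code classifies a captured RADIUS packet and checks an Accounting-Request's authenticator against a shared secret as defined in RFC 2866. The function names, the secrets and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 4: "Accounting-Request"}       # RFC 2865 / RFC 2866
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}   # Acct-Status-Type (attribute 40)

def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def acct_authenticator(packet, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()

def classify(packet, secret):
    """Return packet type, Acct-Status-Type, and whether the secret matches."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    out = {"type": CODES.get(code, "code %d" % code), "status": None, "secret_ok": None}
    if code == 4:
        for attr_type, value in parse_attributes(packet[20:]):
            if attr_type == 40 and len(value) == 4:
                out["status"] = ACCT_STATUS.get(struct.unpack("!I", value)[0])
        # Only accounting requests carry a secret-derived Request Authenticator;
        # an Access-Request authenticator is random, so secret_ok stays None.
        out["secret_ok"] = hmac.compare_digest(packet[4:20], acct_authenticator(packet, secret))
    return out

def build_acct_stop(secret, ident=7):
    """Constructed sample: an Accounting-Request with Acct-Status-Type = Stop."""
    attrs = bytes([40, 6]) + struct.pack("!I", 2) + bytes([44, 9]) + b"sample1"
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return header + acct_authenticator(header + b"\x00" * 16 + attrs, secret) + attrs

if __name__ == "__main__":
    pkt = build_acct_stop(b"router-secret")      # constructed secrets
    print(classify(pkt, b"router-secret"))       # secret matches
    print(classify(pkt, b"server-secret"))       # secret mismatch
```

Fed the raw UDP payload from a capture on the RADIUS port, `classify` shows whether the router sent an accounting or an access packet and whether the secret configured on each side agrees.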
Yesterday I saw that the 6.39rc26 software has: *) ike1 - added more Radius accounting attributes - “event-timestamp”, “acct-session-id”, “acct-authentic”, “acct-session-time”;
*) ike1 - fixed responder xauth trailing null;
I tried to do tests with this software. The situation is interesting.
All configuration parameters were the same as before.
If I choose just XAuth Use Radius in IPsec Users (no static users added), VPN Access Manager shows (user authentication error). But the log from MK UserManager looks like this:
And looking from the MK User Manager side, there are no active sessions or users.
If I choose XAuth Use Radius in IPsec Users and add a static user, VPN Access Manager shows (tunnel enabled). The log from MK UserManager looks like this:
And looking from the MK User Manager side, we can see an active session and user. It looks like everything should be working.
Then I created a profile which was valid for 5 min; after that time the created user should stop working (can’t make VPN connections). When the time expired I tried to connect - the tunnel was enabled and everything was working. UserManager in this situation can’t block user access, add limitations to that user, …
The User Manager or XAuth Use Radius feature is working abnormally.
Why is it like that? Something is still underdone with this software.