L2TP/IPSec local users work but not RADIUS (IAS) users

Hi,

I am using L2TP/IPSec successfully for users defined locally:

/interface l2tp-server server set authentication=mschap2 default-profile=default-encryption enabled=yes
/ppp secret add name=testuser password=removed profile=default-encryption service=l2tp

This works without any problems.

However, using RADIUS authentication doesn’t appear to be working properly:

/radius add address=10.0.0.x secret=removed service=ppp
/ppp aaa set use-radius=yes

MikroTik side:

23:52:14 l2tp,info first L2TP UDP packet received from x.x.x.x
23:52:14 l2tp,ppp,info <l2tp-0>: waiting for call...
23:52:14 l2tp,ppp,info <l2tp-0>: authenticated
23:52:15 l2tp,ppp,info <l2tp-0>: connected
23:52:15 l2tp,ppp,info,account testuser logged in, 10.0.0.203
23:52:18 l2tp,ppp,info,account testuser logged out, 3 107 117 9 12
23:52:18 l2tp,ppp,info <l2tp-testuser>: terminating... - Encryption negotiation rejected
23:52:18 l2tp,ppp,info <l2tp-testuser>: disconnected

RADIUS (IAS) side:

Description:
User testuser was granted access.
 Fully-Qualified-User-Name = x.corp/Users/testuser
 NAS-IP-Address = 10.0.0.x
 NAS-Identifier = MikroTik
 Client-Friendly-Name = MikroTik
 Client-IP-Address = 10.0.0.x
 Calling-Station-Identifier = x.x.x.x
 NAS-Port-Type = Virtual
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>

If I use PPTP then RADIUS authentication works fine, but obviously that is not the solution!

Cheers

Hi,

The solution is to allow “No encryption” from the Encryption tab of the IAS policy. The thing that caught me out, though, is that you have to restart the service for the change to take effect.

Cheers
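
Added example, not part of the original posts: a Python triage of the MikroTik log quoted in the question, showing that the session passes authentication (matching the IAS "granted access" event) and is torn down afterwards with "Encryption negotiation rejected", which points at the encryption setting of the IAS policy rather than at credentials. The function names and verdict labels are hypothetical, the sample input is constructed from the quoted lines, and sessions are assumed not to interleave.

```python
import re

# Constructed sample input: the RouterOS log lines quoted in the question.
SAMPLE_LOG = """\
23:52:14 l2tp,info first L2TP UDP packet received from x.x.x.x
23:52:14 l2tp,ppp,info <l2tp-0>: waiting for call...
23:52:14 l2tp,ppp,info <l2tp-0>: authenticated
23:52:15 l2tp,ppp,info <l2tp-0>: connected
23:52:15 l2tp,ppp,info,account testuser logged in, 10.0.0.203
23:52:18 l2tp,ppp,info,account testuser logged out, 3 107 117 9 12
23:52:18 l2tp,ppp,info <l2tp-testuser>: terminating... - Encryption negotiation rejected
23:52:18 l2tp,ppp,info <l2tp-testuser>: disconnected
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d (?P<topics>\S+) (?P<msg>.*)$")
IFACE = re.compile(r"^<[^>]+>: (?P<event>.*)$")
LOGIN = re.compile(r"^(?P<user>\S+) logged in, \S+$")
TERM = re.compile(r"^terminating\.\.\. - (?P<reason>.*)$")

def classify(s):  # verdict labels are hypothetical, chosen for this example
    if not s["authenticated"]:
        return "ended-before-authentication"
    if "Encryption negotiation rejected" in (s["reason"] or ""):
        return "authenticated-then-encryption-rejected"
    return "authenticated-other-termination"

def triage(log_text):
    # Assumption: sessions do not interleave; the interface is renamed after login, so the user is tied by order.
    sessions, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or "ppp" not in m["topics"].split(","):
            continue
        login, iface = LOGIN.match(m["msg"]), IFACE.match(m["msg"])
        event = iface["event"] if iface else ""
        if event.startswith("waiting for call"):
            cur = {"user": None, "authenticated": False, "reason": None}
            sessions.append(cur)
        elif cur is None:
            continue
        elif login:
            cur["user"] = login["user"]
        elif event == "authenticated":
            cur["authenticated"] = True
        elif (term := TERM.match(event)):
            cur["reason"] = term["reason"]
        elif event == "disconnected":
            cur = None
    return [dict(s, verdict=classify(s)) for s in sessions]
```

Calling `triage(SAMPLE_LOG)` returns one session dictionary per "waiting for call..." line, each with `user`, `authenticated`, `reason` and `verdict` keys.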