L2TP with Radius Authentication

Hi everybody,

I have one problem with VPN L2TP. I created local users on the router and I can successfully connect to the L2TP VPN, but I tried to configure NPS from a lot of sources and can't make authorization work; it says "Authentication Failed - Radius Timeout".

Could you please help me with a clear guide on how to set up NPS for authentication of users who are trying to connect via L2TP?

Thanks in advance.

I used this one, all is working
https://mivilisnet.wordpress.com/2018/10/01/how-to-integrate-your-mikrotik-router-with-windows-ad/

Hi,

I tried 100% exactly these steps on Windows Server 2019 and nothing is working.

Also this link from comments on original article
https://mivilisnet.wordpress.com/2019/02/01/when-mikrotik-vpn-with-nps-authentication-stops-working/

It also doesn't work.

Without RADIUS works? Something in Windows Security Events?

Without RADIUS it works with local users on the router.

In the Event log it says: ID 49 The connection request did not match a configured connection request policy, so the connection request was denied by Network Policy Server.

On MikroTik I have Request and Reject in the RADIUS settings.

So, MikroTik is connecting to NPS, but the policies do not match. The only suggestion is to check all settings thoroughly step by step on both sides, especially on NPS. Or start from scratch.

I tried 10 times from scratch and nothing worked. In the RADIUS Client settings, the IP address should be the router IP and not the AD one, correct?

[eight NPS screenshots attached: 1.JPG to 8.JPG]

On the Conditions → Authentication Methods select “Unencrypted Authentication (PAP/SPAP)” and “Encrypted Authentication (CHAP)” and retest. I have Windows Server 2016 working with Mikrotik Dot1X using RADIUS with PAP and it works well.

Yes I know it’s unencrypted but I’m doing MAC Address authentication on an internal network.

It didn't help.

You can only do PAP or MSCHAPv2 against AD, there is no way CHAP can work.

The ‘Ignore user dial-in account properties’ box is not ticked in your screenshots. I’m not a Windows expert, but without this I expect you have to apply a policy to the user accounts as the default is not to permit dial-in.

I tried with and without this box and nothing helped

What is on Mikrotik?

Everything is configured correctly on MikroTik (RADIUS, ACL) but I still receive this log: user authentication failed.

Sorry, no idea. On Mikrotik my only error was incorrect src-address in radius settings, there should be router’s IP address.
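Added example (not from any poster in this thread): a minimal RouterOS configuration, in v6 CLI syntax, that puts together the points the replies above raise: the RADIUS entry's src-address must be the router's own IP and the NPS "RADIUS client" entry must use that same IP, the L2TP server should offer PAP and MS-CHAPv2 (CHAP cannot be verified against AD), and the built-in RADIUS counters separate a timeout (NPS never answered or the shared secret/IP do not match) from a reject (NPS answered but a policy denied the request, which is what Event ID 49 reports). The addresses and secrets are constructed placeholders.

```routeros
# Constructed values: 192.0.2.10 = NPS server, 203.0.113.1 = this router's address
# that NPS must be told is the RADIUS client. Replace the secrets before use.

# RADIUS server entry for PPP (L2TP) logins. src-address is the router IP that NPS
# sees as the RADIUS client; a mismatch here shows up on the router as a timeout,
# because NPS silently drops requests from unknown clients.
/radius add address=192.0.2.10 secret="CHANGE-ME-shared-secret" service=ppp \
    src-address=203.0.113.1 authentication-port=1812 accounting-port=1813 timeout=3s

# Hand PPP logins to RADIUS (local /ppp secret entries are still checked first)
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# L2TP over IPsec. Offer only PAP and MS-CHAPv2: AD cannot validate CHAP,
# and PAP is acceptable here only because the L2TP session is inside IPsec.
/interface l2tp-server server set enabled=yes use-ipsec=yes \
    ipsec-secret="CHANGE-ME-ipsec-psk" authentication=pap,mschap2 \
    default-profile=default-encryption

# Keep RADIUS debug messages in the router log while troubleshooting
/system logging add topics=radius,debug action=memory

# Diagnosis: the counters tell timeouts and rejects apart.
#   timeouts growing  -> NPS not reachable, wrong client IP or wrong shared secret
#   rejects growing   -> NPS answered; check its Connection Request / Network Policy
/radius monitor 0 once
/log print where topics~"radius"
```

On the NPS side, the RADIUS client entry must name 203.0.113.1 with the same shared secret, and the Connection Request Policy must actually match the incoming request (the "Ignore user dial-in account properties" setting discussed above only matters once the request reaches a Network Policy). Run the example on a lab router first; `/radius monitor` and the log output are what to read when the VPN login still fails.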