MikroTik + Cisco ACS 4.2

Hello.

I have a problem. I am trying to connect a MikroTik RB951G-2HND with CiscoSecure ACS 4.2 (RADIUS Server).
I want to authenticate users in HTTPS via ACS.
Not wireless.

I did the following:

  1. My ACS is a 100% working server. I’ve added my MikroTik router there as a RADIUS client device.
  2. In my MikroTik I’ve configured the RADIUS section (Service, Address, Secret, Authentication Port and Accounting Port) and the System->Users section AAA button (Use RADIUS: ON, Accounting: ON, Default Group: FULL)

When I try to log in, I see a 404 page.

But:

  1. At my ACS I see: “12/06/2014 10:16:59 Authen OK…”
  2. At my MikroTik I see:
    Requests 8
    Accepts 5
    Rejects 0
    Resends 0
    Timeouts 3

Any ideas?

I’m not 100% sure I understand what it is you want to do. You want your MikroTik to throw up a login screen in the browser and authenticate wireless users first before letting them on the network? If so, that’s called “hotspot.” Did you set up the Hotspot service?

What did you select for Service? Hotspot, or something else?

System → Users → AAA is only for if you want to use RADIUS to authenticate logins to the MikroTik itself (e.g., Winbox, telnet, SSH, WebFig), not if you want to use RADIUS to authenticate users of the network.

Read up on Hotspot first: http://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction.

Once you have configured Hotspot to your liking and have tested it and made sure it works with locally-defined users (no RADIUS), then try adding RADIUS on top of that. You will have to make sure that the “hotspot” service is checked for each RADIUS server, and then go to the “RADIUS” tab for your Hotspot Server Profile and check the “Use RADIUS” checkbox.

You do not need to enable RADIUS at System → Users → AAA unless you also want to use RADIUS to authenticate logins to the MikroTik itself, for administration and programming. In that case the “login” service also needs to be checked for each RADIUS server.

– Nathan

Oh, sorry! No, my task is much simpler!!
I want to authenticate users in the Telnet/HTTP console of MikroTik via RADIUS (Cisco ACS).

And what is interesting, it looks like I have a correct configuration.
I think so because using this config I can authenticate at the Telnet/SSH console of MikroTik.
And it works, I see it in the log files:

dec/07 01:22:50 system,info,account user ada logged in from 192.168.78.254 via telnet

But!! When I try to authenticate at the HTTP/HTTPS console of the same device, in the log files I see:

dec/07 01:25:31 system,info,account user ada logged out from 192.168.78.254 via web

But, although it says that the login succeeded, it did not!!
After I enter the login and password, I press the LOGIN button and next I see the error message “The page not found”!!
More than that, every second LOGIN suspends! I see the Login screen with a running status bar. That’s all..
What is this?

Ah, okay.

The only thing that I can think of is that I know that telnet/SSH use PAP, but Winbox (and I suspect WebFig, too) uses CHAP. So you must make sure that your RADIUS server is handling CHAP requests from the MikroTik, too.

– Nathan

Hmm.. I tried to debug the auth process and it looks like this is the reason for my problem.
But I don’t understand why it happens. What should I do?
My RADIUS server (Cisco ACS) completely supports both the PAP and CHAP protocols..

Since I have never used Cisco ACS and have no familiarity with the product, I really couldn’t say. My only thought is that you might not be storing the passwords in your database as plain-text. CHAP requires that you store the full password either as plain-text or with encryption that is reversible, instead of as a one-way hash, because the RADIUS server has to actually know the password for that protocol to work.

– Nathan

What DB are you using for the user credential store? Is it local users on the ACS or Active Directory?

Per the wiki and my experience, PAP is used for SSH, Telnet, and WebFig. CHAP is used for Winbox. If AD is your backing store, CHAP will not work with ACS. You should be able to get in with the other methods, though. Have you looked at your RADIUS logs in ACS to see what it indicates the issue is?

Where does it say PAP is used for WebFig (citation)? I did a packet capture of a WebFig login and the Access-Request seemed to include CHAP bits in it.

Even if you enable “reversible encryption”? We don’t use Cisco ACS, but we do have a RADIUS server backed by AD, and when “store password using reversible encryption” is enabled for a specific account, that account can login via Winbox just fine.

– Nathan
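The point made in the thread about CHAP needing a password the RADIUS server can actually recover, while PAP works against any credential store, can be shown directly in code. The following is an added illustration written for this page; it is not code from the thread, from MikroTik RouterOS or from Cisco ACS. The credential store, the account names, the shared secret and the RADIUS authenticator value are all constructed. PAP hiding follows RFC 2865 section 5.2 and the CHAP response follows RFC 1994 / RFC 2865 section 5.3; the store keeps one account as a salted one-way hash and one as a recoverable ("reversible") password.

```python
"""PAP vs CHAP verification against two kinds of credential stores (constructed example)."""
import hashlib
import hmac
import os

SHARED_SECRET = b"radius-shared-secret"   # constructed NAS/server shared secret


# --- Credential store (constructed) ---------------------------------------
def make_hashed_record(password: str) -> dict:
    """One-way storage: the server keeps salt + SHA-256 and cannot recover the password."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return {"kind": "one-way", "salt": salt, "digest": digest}


def make_reversible_record(password: str) -> dict:
    """Reversible storage: a real store would encrypt this; plaintext stands in for it here."""
    return {"kind": "reversible", "password": password}


STORE = {
    "ada": make_hashed_record("correct horse"),       # hash only, like a typical AD/hashed store
    "bob": make_reversible_record("battery staple"),  # "store password using reversible encryption"
}


def _password_matches(record: dict, candidate: str) -> bool:
    """Compare a candidate plaintext against either record type in constant time."""
    if record["kind"] == "one-way":
        digest = hashlib.sha256(record["salt"] + candidate.encode()).digest()
        return hmac.compare_digest(digest, record["digest"])
    return hmac.compare_digest(record["password"].encode(), candidate.encode())


# --- PAP: User-Password hidden as MD5(secret + authenticator) XOR password (RFC 2865 5.2) ---
def pap_hide(password: bytes, authenticator: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk                                      # chaining: next mask uses the ciphertext
    return out


def pap_reveal(hidden: bytes, authenticator: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")                            # padding nulls are not part of the password


def verify_pap(user: str, hidden: bytes, authenticator: bytes) -> bool:
    """PAP works against both record kinds: the server sees the plaintext and hashes or compares it."""
    record = STORE.get(user)
    if record is None:
        return False
    plaintext = pap_reveal(hidden, authenticator).decode(errors="replace")
    return _password_matches(record, plaintext)


# --- CHAP: response = MD5(ident || password || challenge) (RFC 1994, RFC 2865 5.3) ---
def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(user: str, ident: int, challenge: bytes, response: bytes):
    """Returns True/False when the server can evaluate the response, None when it cannot.

    With a one-way hash the server has no password to feed into MD5, so the CHAP
    response cannot be checked at all; this is the failure the thread describes.
    """
    record = STORE.get(user)
    if record is None:
        return False
    if record["kind"] != "reversible":
        return None
    expected = chap_response(ident, record["password"], challenge)
    return hmac.compare_digest(expected, response)
```

Running `verify_chap` for the hash-only account yields `None` regardless of the password sent, which is why a server backed by a hash-only store (the Active Directory case mentioned above) can accept the same user over PAP and still fail the CHAP-based login; switching that account to reversible storage, as Nathan describes, is what makes the CHAP branch evaluable.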