Hi,
I’m facing an issue where the RADIUS server (configured on WS 2019 using the NPS role) seems unable to authorize AD users to use VPN. Here is my current configuration:
Mikrotik, version is the latest at the time I am writing this post (6.47.8):
Check attachment mikrotik.png
What I noticed is that if I delete the domain under RADIUS, the request is forwarded to the RADIUS server. If I set a domain such as contoso.local or contoso, these requests are not forwarded to the RADIUS server and the request count in the status section doesn’t change. In the Mikrotik log what I get is "user authentication failed - radius timeout". I haven’t figured out why.
Windows Server 2019 Standard, version at the time I am writing this post (Version 1607, OS build 14393.4104):
Check attachment NAP1-3.png
The specific user is a member of the VPN group. If I try to connect to the VPN from a Windows 10 client, it gives me an error: username or password is incorrect, or an unsupported protocol is used, blah blah. What is strange, e.g., if under that specific user I change the dial-in option from "control access via NPS" to "allow access", I am able to connect without any issues. But since I have nearly 50 users in AD, I don’t want to set this option for every user. Besides, there is clearly an issue in the configuration if it doesn’t work as it should.
Through digging I found that if under the Mikrotik RADIUS setting I set no domain, and under the AD user’s dial-in option NAP is set to "control over NPS", then the request is forwarded to the NPS server and what I get is error code 48 or 49, which basically means no conditions met under the CRP or NP in NPS.
So I am confused with this, since I don’t know what conditions aren’t met under the CRP or NP. I attached CRP and NP images for better understanding. Can anyone point out what I am doing wrong?
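As an added example (not from the original post), the PowerShell below reads the NPS access-denied events (Security log, Event ID 6273) on the NPS server and shows, per request, the username exactly as NPS received it, the NAS that sent it, which Connection Request Policy and Network Policy (if any) matched, and the reason code translated for the codes the post is about. It assumes the standard EventData field names NPS writes into 6273 (FullyQualifiedSubjectUserName, ProxyPolicyName, NetworkPolicyName, ReasonCode, etc.); check one event's XML if a column comes back empty.

```powershell
# Added example: list recent NPS reject events and translate the reason code so
# you can see whether the reject happened at the CRP stage (49), the NP stage (48)
# or elsewhere. Run in an elevated PowerShell on the NPS server.
param([int]$MaxEvents = 20)

# Reason texts paraphrased from NPS's own 6273 event text; other codes fall back
# to the Reason field NPS logged.
$reasonText = @{
    16 = 'Credentials rejected (bad username/password, or user not found in the domain)'
    48 = 'No Network Policy matched the request (check NP conditions)'
    49 = 'No Connection Request Policy matched the request (check CRP conditions)'
    65 = 'Dial-in Network Access Permission on the AD account is set to Deny'
    66 = 'Authentication method not enabled on the matched Network Policy'
}

function Get-NpsDeniedEvents {
    param([int]$Count)
    # Assumption: field names below are the EventData names used by event 6273.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Count |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $code = [int]$data['ReasonCode']
            $why  = if ($reasonText.ContainsKey($code)) { $reasonText[$code] } else { $data['Reason'] }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $data['FullyQualifiedSubjectUserName']  # name as NPS saw it
                NasIp      = $data['NASIPv4Address']                 # the Mikrotik
                NasId      = $data['NASIdentifier']
                AuthType   = $data['AuthenticationType']             # PAP/CHAP/MS-CHAPv2/EAP
                CrpMatched = $data['ProxyPolicyName']                # Connection Request Policy
                NpMatched  = $data['NetworkPolicyName']              # Network Policy
                ReasonCode = $code
                Reason     = $why
            }
        }
}

Get-NpsDeniedEvents -Count $MaxEvents | Format-Table -AutoSize
```

The User column shows the name as the NAS sent it (with or without a domain prefix), and the AuthType and CrpMatched/NpMatched columns show how far through the CRP and NP evaluation the request got before being rejected.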