MikroTik VPN server with RADIUS authentication

Hi,

I am trying to figure out whether it is possible to use a RADIUS server with a MikroTik-based VPN server for authenticating VPN clients.

What is confusing me is how it will actually work. Each PPP Secret under MikroTik is assigned a profile, through which we assign a DNS server to the client. We also assign the server side of the VPN connection an IP address through the “Local Address” option in “PPP Secret” or “Profile”. How can we do this when using a RADIUS server? Is it possible to use a RADIUS server for MikroTik VPN authentication at all?

Please share your insights on how to achieve this.

Yes.

Through the default PPP profile with an address pool.

Under RADIUS, configure a server for PPP usage, configure the default PPP profile and enable that in the specific VPN (e.g. L2TP) server settings, while under PPP authentication and accounting, check ‘use RADIUS’.

Cheers, Magchiel
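
The setup described in the reply above, written out as RouterOS commands. This is an added example, not part of the original posts; the pool name, addresses and secrets are constructed placeholders.

```routeros
# Constructed values: 10.10.10.0/24 tunnel range, RADIUS server at 192.0.2.10,
# placeholder secrets. Replace all of them before use.

# 1. Pool that VPN clients draw their addresses from
/ip pool add name=vpn-pool ranges=10.10.10.10-10.10.10.100

# 2. The default PPP profile supplies what a PPP secret would otherwise carry:
#    server-side address, client address (from the pool) and DNS server.
#    If the RADIUS server returns Framed-IP-Address for a user, that address
#    is used for the client instead of one from the pool.
/ppp profile set [find name=default] local-address=10.10.10.1 \
    remote-address=vpn-pool dns-server=10.10.10.1

# 3. RADIUS server entry, limited to the PPP service.
#    The shared secret protects the router-to-RADIUS exchange: keep it long and random.
/radius add service=ppp address=192.0.2.10 secret="REPLACE-WITH-LONG-RANDOM-SECRET"

# 4. PPP authentication and accounting: use RADIUS
/ppp aaa set use-radius=yes accounting=yes

# 5. L2TP server uses the default profile; refuse clients that do not use IPsec
/interface l2tp-server server set enabled=yes default-profile=default \
    authentication=mschap2 use-ipsec=required ipsec-secret="REPLACE-WITH-IPSEC-PSK"
```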

Magchiel:
Your reply helped me get it to work as I wanted. It is working perfectly now. However, I am wondering whether it is possible to use RADIUS server authentication for MikroTik OpenVPN as well?

Thanks a lot for the help!

Great stuff.

Hi, sorry, I don’t use OpenVPN with MikroTik; the use case for me to use OpenVPN requires UDP; MikroTik’s OpenVPN implementation is limited to TCP only, so I usually resort to other means. Usually when someone tells me they want to use OpenVPN, I recommend using a separate Linux-based server for VPN purposes. With MikroTik, L2TP + IPsec is stable, fast and secure enough to serve my needs, with SSTP as an alternative SSL-based solution.

However, from previous endeavours with OpenVPN (outside MikroTik) I know that it requires configuring RADIUS through PAM (on Linux), so I could imagine that MikroTik uses a similar approach to integrate this with the MikroTik AAA system to enable this feature. This and this post would at least indicate to me that one could get this working, but maybe you have to tweak something in your RADIUS server for authentication methods.

Authenticating OpenVPN through username and password in addition to/instead of through certificates also requires setting some options on both the server and client side, i.e. client-cert-not-required, username-as-common-name and auth-user-pass. Look into the OpenVPN documentation for details on these options; it’s usually excellent. In addition, there are plenty of recipes available on the internet on this topic.

I would recommend using a structured approach in trying to tackle this problem: first try to establish an OpenVPN connection using a local PPP secret before attempting to connect with a RADIUS account that is known to be working on the other protocols. You can then at least isolate in which part of the chain the problem lies and work your way to a solution using the logs of MT and your RADIUS server.

No problem. Hope this helps in resolving your issue.