Hello, I have been trying for some time, unsuccessfully, to configure a Mikrotik as an Access Point to replace a D-Link DAP-2553, with a server using Microsoft's Radius (IAS) to authenticate clients using PEAP. I looked for solutions in the forums, and although I see many posts from different years, there is still no solution. To study the case I captured packets with Wireshark to see the differences between the D-Link and the Mikrotik. What I have seen coincides with what others have seen before me:
Because some fields are not specified in the packet, mainly NAS-Port and NAS-Port-Type, the Microsoft Radius server is unable to authenticate the user (in my case I also use a certificate installed on the client laptops).
<< Mikrotik >>: Radius Protocol
Code: Access-Request (1)
Packet identifier: 0xb (11)
Length: 230
Authenticator: f546e0cfc4d68da29efd3877ec6ffb73
Attribute Value Pairs
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1400
AVP: l=18 t=User-Name(1): DOMAIN\USER
AVP: l=10 t=Acct-Session-Id(44): 82000003
AVP: l=61 t=Acct-Multi-Session-Id(50): 00-0C-42-69-E8-49-B4-74-9F-78-1E-ED-82-00-00-00-00-00-00-03
AVP: l=19 t=Calling-Station-Id(31): B4-74-9F-78-1E-ED
AVP: l=26 t=Called-Station-Id(30): 00-0C-42-69-E8-49:DOMAIN
AVP: l=23 t=EAP-Message(79) Last Segment[1]
AVP: l=18 t=Message-Authenticator(80): fee9de6ce49eedc4f5075e626c3d4f8a
AVP: l=17 t=NAS-Identifier(32): 5c:d9:98:c3:4a:8a
AVP: l=6 t=NAS-IP-Address(4): 172.29.62.31
<< D-Link >>: Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x2 (2)
Length: 191
Authenticator: 0e5164e629a2524f89604261fb347ada
Attribute Value Pairs
AVP: l=18 t=User-Name(1): DOMAIN\USER
AVP: l=6 t=NAS-IP-Address(4): 172.29.62.31
AVP: l=19 t=NAS-Identifier(32): 5c:d9:98:c3:4a:8a
AVP: l=6 t=NAS-Port(5): 0
AVP: l=26 t=Called-Station-Id(30): 5C-D9-98-C3-4A-8A:DOMAIN
AVP: l=19 t=Calling-Station-Id(31): B4-74-9F-78-1E-ED
AVP: l=6 t=Framed-MTU(12): 1400
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=24 t=Connect-Info(77): CONNECT 11Mbps 802.11b
AVP: l=23 t=EAP-Message(79) Last Segment[1]
AVP: l=18 t=Message-Authenticator(80): 9ddf38719f6ebbd1d82f08b34bf223fe
I think that authentication cannot continue because the following fields are missing from the packet that is generated in passthrough mode:
NAS-Port=0
NAS-Port-Type=19
Connect-Info=CONNECT 11Mbps 802.11b
Can someone definitively fix the problem?
Other users with the same problem:
2007: http://forum.mikrotik.com/t/need-seamless-peap-authentication/15761/1
2009: http://forum.mikrotik.com/t/eap-vs-peap-ias-radius/27529/1
2010: http://forum.mikrotik.com/t/peap-help-screenshots/38062/1
2010: http://forum.mikrotik.com/t/mikrotik-and-ias-please-help/42004/1
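
An added example, not part of the original post: the attribute comparison described above can be done mechanically by parsing the AVPs of two raw RADIUS Access-Request payloads and listing the types one NAS sends and the other omits. The function names are hypothetical, and the two sample packets are constructed here (zeroed authenticator, a reduced subset of the attributes in the captures), not taken from the poster's traffic.

```python
import struct

# Attribute type numbers as they appear in the two captures above.
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         12: "Framed-MTU", 30: "Called-Station-Id", 31: "Calling-Station-Id",
         32: "NAS-Identifier", 44: "Acct-Session-Id",
         50: "Acct-Multi-Session-Id", 61: "NAS-Port-Type", 77: "Connect-Info",
         79: "EAP-Message", 80: "Message-Authenticator"}

def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: [raw value, ...]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the data")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad AVP length at offset {pos}")
        avps.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return avps

def missing_in(candidate: bytes, reference: bytes) -> list:
    """Names of attributes present in reference but absent from candidate."""
    have, want = parse_avps(candidate), parse_avps(reference)
    return [NAMES.get(t, str(t)) for t in sorted(want) if t not in have]

def build(code: int, ident: int, avps: list) -> bytes:
    """Build a sample packet with a zeroed authenticator (demo helper)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples mirroring part of each capture's attribute set.
u32 = lambda n: struct.pack("!I", n)
USER, STA = (1, b"DOMAIN\\USER"), (31, b"B4-74-9F-78-1E-ED")
mikrotik = build(1, 11, [(6, u32(2)), (12, u32(1400)), USER, STA])
dlink = build(1, 2, [USER, (5, u32(0)), STA, (12, u32(1400)),
                     (61, u32(19)), (77, b"CONNECT 11Mbps 802.11b")])

if __name__ == "__main__":
    print("missing from Mikrotik request:", missing_in(mikrotik, dlink))
```

To run it on real traffic, pass the UDP payload bytes of each Access-Request exported from the capture in place of the constructed samples.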