RADIUS user authentication

I’m trying to set up my 750G and my CRS226 to use RADIUS for user authentication. I’ve followed what little there is in the wiki on it, but I can’t seem to get the CRS to send any packets to my RADIUS server.

Currently, I’m using FreeRadius to authenticate against Active Directory. I can successfully authenticate an AD user through mschap, so I know that side of things is working correctly.

Running a packet capture on my RADIUS server shows no incoming packets from my CRS when I try to authenticate. I have user aaa set to use RADIUS, and I’ve defined the RADIUS server under the Radius section. Can anyone help me figure out what’s going on?

Oh, and I’m running 6.19 at the moment. Thanks!

By “user authentication” I assume you mean logins to the router’s management (Winbox, Webfig, SSH, telnet, etc.).

You must have “service=login” set for any RADIUS server you have defined that you want user AAA to send queries to.

Also, unlike other services that can take advantage of RADIUS AAA in RouterOS, for user logins, the authentication protocol is not selectable. When it processes a login made via telnet or SSH, the router will try to authenticate to RADIUS using PAP. If you login via Winbox or Webfig, the router will try to authenticate to RADIUS using regular ol’ CHAP (and not either MSCHAP variant). There is nothing you can do to change this. So your RADIUS server must be configured to support both PAP and CHAP if you want all possible management avenues to be checked against external AAA.

– Nathan

I had the service=login set, but I still wasn’t seeing any traffic to my RADIUS server when I tried to authenticate. That’s kind of a pain that the auth type isn’t selectable…I use my RADIUS server as a proxy to Active Directory, and I don’t like using insecure protocols.

So how about it, MikroTik developers…? Can you please fix your RADIUS implementation to make the auth type selectable? Or maybe just build in LDAP support so we can authenticate directly against AD and other LDAP servers? While you’re at it, how about securing SwOS with a RADIUS option? Or at least an https server to encrypt connections to the web interface?

It seems really sad to me that in today’s era of heightened security awareness, that MikroTik products are so far behind the curve with simple security mechanisms.

Whether the CHAP variants are more desirable because they are more secure seems to be a matter up for debate. Sure, it hashes the secrets before they are transmitted over the wire, but on the other hand, you are required to store your passwords on AD with reversible encryption in order to use CHAP, which many people don’t like because that means that ALL passwords are compromised if the AD server is compromised, rather than just having select passwords cherry-picked out of the air whenever authentication takes place.

So in one implementation, passwords are transmitted plain-text, but are stored as a non-reversible hash in the user database. In the other implementation, password hashes are transmitted, but the actual passwords are known by the user database. You have to store the actual password SOMEwhere, so the question is which is preferable from a security standpoint, and I don’t think there is a clear consensus on this point yet.

Perhaps what needs to happen is for someone to develop yet another protocol: one that doesn’t hash the passwords before transmission but encrypts them with a certificate or pre-shared key or something. That would be better than nothing but wouldn’t require actual passwords to be stored in the database. (Doesn’t the RADIUS secret serve as a pre-shared key that is used for rudimentary encryption between RADIUS client and server anyway, though? So maybe PAP already is this protocol that I’m describing.)

As for your problem with not seeing any packets coming from RouterOS headed toward your RADIUS server, what do the stats for the RADIUS servers that you defined on the CRS show? There should be numbers for requests transmitted as well as how many of those requests resulted in accepts, rejects, or timeouts.

– Nathan
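Nathan's question above (whether the RADIUS secret already gives PAP "rudimentary encryption") and his earlier point that the server must support both PAP and CHAP can be made concrete with the following example. It is added here and is not code from this thread, RouterOS, FreeRADIUS or NPS: it implements the User-Password hiding from RFC 2865 section 5.2 and the CHAP-Password computation from section 5.3, then shows the server-side check each one allows. The secret, Request Authenticator and password are constructed sample values.

```python
"""RADIUS User-Password hiding (RFC 2865 s.5.2) versus CHAP-Password
(RFC 2865 s.5.3), with the server-side check each one permits.
Added illustration for this thread; not RouterOS, FreeRADIUS or NPS code.
All sample values below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

SHARED_SECRET = b"xxxxxx"                 # constructed; stands in for the /radius secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
PASSWORD = b"correct horse battery"       # constructed; 21 bytes -> two 16-byte blocks


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side for PAP: encode the User-Password attribute value.
    Each 16-byte block is XORed with MD5(secret + previous block); the first
    block uses the Request Authenticator. Only the shared secret protects it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo pap_hide. Trailing NUL padding is stripped, so a
    password must not itself end in NUL bytes (RFC 2865 assumes the same)."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP-Password value = Ident byte + MD5(Ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(stored_cleartext: bytes, chap_password: bytes, challenge: bytes) -> bool:
    """Server side: CHAP is checked by recomputing the MD5 over the cleartext
    password, so the user store must hold it (or a reversible form of it)."""
    ident = chap_password[:1]
    expected = hashlib.md5(ident + stored_cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def make_hashed_record(password: bytes) -> tuple[bytes, bytes]:
    """A non-reversible credential record, which a PAP-only deployment can keep."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(record: tuple[bytes, bytes], hidden: bytes,
               secret: bytes, authenticator: bytes) -> bool:
    """Server side for PAP: recover the cleartext from the wire, then compare it
    against the salted hash. The cleartext exists only for this moment."""
    salt, digest = record
    cleartext = pap_reveal(hidden, secret, authenticator)
    candidate = hashlib.pbkdf2_hmac("sha256", cleartext, salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def summarise() -> dict[str, bool]:
    """Run both paths once with the constructed values; every entry should be True."""
    hidden = pap_hide(PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    record = make_hashed_record(PASSWORD)
    chap = chap_response(7, PASSWORD, REQUEST_AUTHENTICATOR)
    wrong_pw_hidden = pap_hide(b"wrong", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    return {
        "pap_roundtrip": pap_reveal(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR) == PASSWORD,
        "pap_wrong_secret_fails": pap_reveal(hidden, b"not-the-secret", REQUEST_AUTHENTICATOR) != PASSWORD,
        "pap_ok_against_hash": pap_verify(record, hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        "pap_wrong_password_rejected": not pap_verify(record, wrong_pw_hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR),
        "chap_ok_with_cleartext": chap_verify(PASSWORD, chap, REQUEST_AUTHENTICATOR),
        "chap_wrong_password_rejected": not chap_verify(b"wrong", chap, REQUEST_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for name, ok in summarise().items():
        print(f"{name}: {ok}")
```

Two things the code makes visible. The PAP "encryption" is an MD5 keystream derived from the shared secret, so anyone who holds (or can guess) that secret and captures the packet recovers the password; that is why it counts as obfuscation rather than encryption and why RADIUS traffic should stay on a trusted management network or inside a tunnel. On the other hand, pap_verify never needs a stored cleartext, whereas chap_verify has no way to check a response without it, which is exactly the "reversible encryption in AD" requirement mentioned later in the thread.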

I only have one request and one accept, which occur when I first set up the RADIUS server from the CRS. My debug from the RADIUS server shows it as an accounting request. If I try to ssh into the CRS, the request never even shows as an attempt in the RADIUS statistics on the CRS, nor does my RADIUS server receive the request.

You aren’t, by any chance, logging in as a user that is defined both locally and on the RADIUS server, are you? Unlike some other platforms that will only check the local user database if all of the RADIUS servers prove to be unreachable, on RouterOS, a local user always trumps a RADIUS user. If you want to define a system-wide ‘admin’ password, you first have to delete every local ‘admin’ user on every RouterOS router.

– Nathan

Have you verified that there is either no “source IP” set within the RADIUS server definition or that the “source IP” exists on an active interface within the system? Also, I would run the RADIUS server in debug mode to see if it’s seeing the traffic coming in and throwing it away because it doesn’t match any defined client (if your MT’s source IP doesn’t match with the RADIUS server’s clients.conf list, the server will throw it away without making a log entry that shows under normal logging).

As referenced by NathanA, Winbox/Webfig authentication via RADIUS won’t work unless your AD structure is storing the password with reversible encryption.

mpreissner already mentioned that the RADIUS client stats on RouterOS show that it is not generating any traffic to the server other than the one accounting packet that he mentioned. If it was generating traffic that the RADIUS server was rejecting for whatever reason, then the “requests” counter would be ticking up as would the “resets” and “timeouts” counters, but this is not happening.

I am more than willing to admit that I could be missing something, but there are only three reasons I can think of why RouterOS would not be generating RADIUS access requests:

  1. His RADIUS client(s) don’t have “service=login” set, which he already verified they do.
  2. He doesn’t have “/user aaa set use-radius=yes” set.
  3. He is trying to login with a username that exists both in AD as well as locally on the router, and the router is checking the local credentials.

– Nathan

Ah, yeah, guess I misread his post as the log on RADIUS being what’s not showing requests (which, in my experience, can happen if the RADIUS server is disregarding traffic as not being from an authorized client).

Given that he’s stated that “/user aaa use-radius” was enabled, I suspect the problem is either the 3rd option you detailed (username overlap) or that the source IP on the RADIUS Server definition is not an active IP in the system (which will cause the RADIUS Server definition to be ignored, but should also cause no accounting packet to be sent).

So my CRS only has one IP address configured on it, and that address is defined as a RADIUS client. Service is set to login, and under AAA, I have it set to use RADIUS. The user with which I am trying to authenticate does not exist as a local user on the CRS. Once I get the CRS figured out, I plan to set up RADIUS auth on my router, in which case I’ll have to set the source IP field there since it has so many interfaces, but that’s not an issue on the CRS.

Hi. This is an old post, but I’m having exactly the same issue.
I’ve configured Radius on my Mikrotik router with radius auth:
use-radius: yes
accounting: no
interim-update: 0s
default-group: read
exclude-groups:

Radius Server configuration:
0 service=login called-id="" domain="DIMAD" address=192.168.6.6 secret="xxxxxx" authentication-port=1812 accounting-port=1813 timeout=300ms accounting-backup=no realm=""

After recording this configuration, I can see this line in the Windows 2008 RADIUS log file:
192.168.33.2,09/13/2015,16:04:35,IAS,PRIMARY-FS,40,7,32,MikroTik,41,0,4,192.168.33.2,4108,192.168.33.2,4116,0,4128,Microtik CME,4155,2,4136,4,4142,0

In Mikrotik radius counters I can see:
Requests 1
Accepts 1

In Windows 2008 R2, I’ve added the MikroTik as a RADIUS client with IP 192.168.33.2,
and I’ve added a Network Policy, enabling CHAP, PAP and SPAP:
Service-Type=Login

Every time I tried to log in, I saw:
echo: system,error,critical login failure for user die1fue from 192.168.19.50 via web

I did not see any entry in the log file on Server 2008 R2.
The counters did not grow.

I do not have a local user die1fue in the MikroTik local user database.

Some help?

Regards, Diego