Radius - wireless login - to Active Directory

Cvan · January 23, 2019, 11:51pm

Has anyone had success using MT as a Radius client connecting to NPS (Radius Server) with Active Directory??

I think I am close to getting it working, just missing something.. I have radius ppp working with VPN, but not radius wireless.

I have a network policy setup on Windows 2012 server for authentication with 802.11. Cant seem to send MSCHAP v2 over with the MT wireless profile…

Any suggestions?

How do you configure your MT wireless security profile authentication types for this?

My MT is mAP lite 6.40.8

Cvan · January 24, 2019, 11:25pm

Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta!

pcunite · January 25, 2019, 1:05am

No harm in sharing it if you can. I don’t use this feature, but might someday.

Cvan · January 25, 2019, 2:32am

MIKROTIK MAP LITE
In wireless security profile:

GENERAL tab
WPA EAP / WPA2 EAP
unicast/group ciphers aes ccm / tkip

RADIUS tab
nothing checked

EAP tab
EAP Methods = passthrough
TLS Mdoe: dont verify cert
TLS Cert: none

ACTIVE DIRECTORY (2012 server)
Dashboard manager, added Active Directory Certificate Services / Certification Authority / * ALL certificate options

NPS (Network Policy Server)

Added the MT as a RADIUS client, etc..
Added Network Policy:
Condition: added 802.11 NAS Port type
Condition: added Windows Groups (Domain Users)

Constraints Tab:
Auth method: EAP (PEAP)
Auth method: MS-Chap-V2 checked (Not needed)
Everything else default

Tested and Working CLIENT DEVICES:

Windows 10:
Added a new wifi network connection with settings:
Network name: Name of your SSID on MAP Lite
Security Type:WPA2-Enterprise AES
EAP Method: EAP (PEAP)
Auth Method (EAP-MSCHAP v2)

Linux (Debian Jessie)
/etc/NetworkManager/system-connections/wifi connection

key-mgmt=wpa-eap
phase1-peapver=0
phase2-auth=mschapv2
*********** system-ca-certs=FALSE **********

iPhone
Prompted for username and password; then prompted for CA and click trust cert and that was it

hchituwu · August 22, 2019, 11:45am

Please may you share the details, i am trying to authenticate my wifi users on mikrotik AP using the AD via the NPS server. please please assist.

Cvan · August 29, 2019, 1:20am

Still works for me.. What is your issue?

However, I never did get the Framed-Pool attribute to work for Radius Wifi connections.
The attribute gets returned by NPS as I can see it in the log; but the client never gets assigned an IP address from the MT address pool that is referenced by framed-pool attribute…

TroyQ · November 4, 2022, 12:00pm

Znevna:

macsrwe:

Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta!

MIKROTIK MAP LITE
In wireless security profile:

GENERAL tab
WPA EAP / WPA2 EAP
unicast/group ciphers aes ccm / tkip

RADIUS tab
nothing checked

EAP tab
EAP Methods = passthrough
TLS Mdoe: dont verify cert
TLS Cert: none

ACTIVE DIRECTORY (2012 server)
Dashboard manager, added Active Directory Certificate Services / Certification Authority / * ALL certificate options

NPS (Network Policy Server)

Added the MT as a RADIUS client, etc..
Added Network Policy:
Condition: added 802.11 NAS Port type
Condition: added Windows Groups (Domain Users)

Constraints Tab:
Auth method: EAP (PEAP)
Auth method: MS-Chap-V2 checked (Not needed)
Everything else default

Tested and Working CLIENT DEVICES:

Windows 10:
Added a new wifi network connection with settings:
Network name: Name of your SSID on MAP Lite
Security Type:WPA2-Enterprise AES
EAP Method: EAP (PEAP)
Auth Method (EAP-MSCHAP v2)

Linux (Debian Jessie)
/etc/NetworkManager/system-connections/wifi connection

key-mgmt=wpa-eap
phase1-peapver=0
phase2-auth=mschapv2
*********** system-ca-certs=FALSE **********

iPhone
Prompted for username and password; then prompted for CA and click trust cert and that was it

Worked 100% PERFECT! THANK YOU!!!