I use a Mikrotik router for wireless user access (2.8.23). The client is Windows XP, authenticating through PPTP or PPPoE on the wireless interface. When I connect with a local account and encryption ON (on XP) there is no problem. But when I try to authenticate with the Radiator RADIUS server (http://www.open.com.au), the problem is that it works only if I turn off encryption on the Windows XP client. Logs on the RADIUS server show that it accepts the request in both scenarios, but with encryption turned on the Mikrotik does not allow the connection. I suggest that the problem is with the Access-Accept packet from the RADIUS server to the Mikrotik. Any suggestions?
Do you have your passwords in the RADIUS database in clear text or encrypted?
Logins with encrypted passwords (MSCHAP) require the password to be in clear text on the RADIUS server…
Password and users are from Windows 2003 AD Domain.
Ouch - I have to give up on this one, then. I have no experience with Win2K3 AD. Perhaps someone else on the forum?
YAY. Finally I can manage to make a posting… MT is having some problems with their web site, it seems…
Firstly, from what I understand, you are using Radiator RADIUS. Radiator != MS IAS (Internet Authentication Services). You are more than likely just using Radiator RADIUS to authenticate customers via LDAP to a Win2K3 AD.
To answer your question, you need to send the correct attributes with your Access-Accept message back to the MT router. You need to have at least the following:
MS-MPPE-Encryption-Policy = 1 (Optional Encryption)
MS-MPPE-Encryption-Types = LS (High & Low Encryption support, i.e. 64bit or 128bit encryption).
All these attributes are documented in the relevant RFCs… Just read them and it will all be answered.
A quick search in the archives also revealed http://www.mikrotik.com/forum/viewtopic.php?t=1281&highlight= … which also happens to be posted by me, but what the heck… It’s still what you want.
Just search… heh
Thank you for the reply.
The problem was with the RADIUS server; it needs one optional parameter. Here is the detail from the Radiator manual:
6.18.43 AutoMPPEKeys
Some NASs, PPPoE, VPDN and wireless clients require MPPE keys in the Access-Accept message. If this AuthBy is doing MS-CHAP V1 authentication with a plaintext password, then setting this optional parameter will force Radiator to automatically reply with MS-CHAP-MPPE-Keys computed from the plaintext password. If this AuthBy is doing MS-CHAP V2 authentication with a plaintext password, then setting this optional parameter will force Radiator to automatically reply with MS-MPPE-Send-Key and MS-MPPE-Recv-Key computed from the plaintext password. Has no effect with encrypted passwords. Has no effect unless there is a User-Password check item for the user. Defaults to no automatic MS-CHAP-MPPE-Keys.
Which is correct and normal yes.
Encryption will ONLY work with MSCHAPV2. You need to enable this authentication protocol on the MT’s PPPoE Server too.
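To make concrete what the two answers above ask for (the MS-MPPE-Encryption-Policy / MS-MPPE-Encryption-Types attributes, and the MS-MPPE-Send-Key / MS-MPPE-Recv-Key that AutoMPPEKeys makes Radiator add), here is an added example in Python that is not code from Radiator, MikroTik or anyone in this thread. It encodes those four Microsoft vendor-specific attributes the way RFC 2548 describes, including the salted MD5 hiding of the two MPPE keys under the shared secret and Request Authenticator, and then performs the check a NAS does on the Access-Accept before it will bring up encryption. The shared secret, Request Authenticator and key bytes in the usage at the bottom are constructed sample values; `nas_check` and `build_mppe_accept_attrs` are names chosen for this example.

```python
import hashlib
import os
import struct

VENDOR_MICROSOFT = 311           # enterprise number used by RFC 2548
ATTR_VENDOR_SPECIFIC = 26        # RADIUS Vendor-Specific attribute type

# Microsoft vendor sub-attribute types (RFC 2548)
MS_MPPE_ENCRYPTION_POLICY = 7
MS_MPPE_ENCRYPTION_TYPES = 8
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17

# MS-MPPE-Encryption-Policy values
ENCRYPTION_ALLOWED = 1           # the "1 (Optional Encryption)" recommended in the thread
ENCRYPTION_REQUIRED = 2
# MS-MPPE-Encryption-Types bit flags; "LS" in the thread means both bits set (value 6)
RC4_40BIT = 2                    # "L"
RC4_128BIT = 4                   # "S"


def vsa(vendor_type, value):
    """Wrap one Microsoft sub-attribute in a RADIUS Vendor-Specific (type 26) attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), VENDOR_MICROSOFT) + inner


def encrypt_mppe_key(key, secret, request_authenticator, salt):
    """RFC 2548 key hiding: salt || ((len || key), zero padded to 16 octets) XORed with an
    MD5 chain over secret + Request-Authenticator + salt, then secret + previous ciphertext."""
    assert len(salt) == 2 and salt[0] & 0x80, "salt must be 2 octets with the high bit set"
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    out, prev = b"", request_authenticator + salt
    for i in range(0, len(plaintext), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(plaintext[i:i + 16], pad))
        out += block
        prev = block
    return salt + out


def decrypt_mppe_key(blob, secret, request_authenticator):
    """Inverse of encrypt_mppe_key, as the NAS performs it when it receives the Access-Accept."""
    salt, ct = blob[:2], blob[2:]
    pt, prev = b"", request_authenticator + salt
    for i in range(0, len(ct), 16):
        pad = hashlib.md5(secret + prev).digest()
        pt += bytes(c ^ b for c, b in zip(ct[i:i + 16], pad))
        prev = ct[i:i + 16]
    return pt[1:1 + pt[0]]


def build_mppe_accept_attrs(secret, request_authenticator, send_key, recv_key,
                            policy=ENCRYPTION_ALLOWED, types=RC4_40BIT | RC4_128BIT):
    """The attribute bytes an Access-Accept needs for MPPE. Each hidden key gets its own salt,
    since RFC 2548 requires the salt to be unique within one packet."""
    salt_send = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    salt_recv = bytes([salt_send[0], salt_send[1] ^ 0x01])   # differs from salt_send by construction
    return (vsa(MS_MPPE_ENCRYPTION_POLICY, struct.pack("!I", policy))
            + vsa(MS_MPPE_ENCRYPTION_TYPES, struct.pack("!I", types))
            + vsa(MS_MPPE_SEND_KEY, encrypt_mppe_key(send_key, secret, request_authenticator, salt_send))
            + vsa(MS_MPPE_RECV_KEY, encrypt_mppe_key(recv_key, secret, request_authenticator, salt_recv)))


def parse_microsoft_vsas(attrs):
    """Walk a RADIUS attribute list and return {vendor_type: value} for vendor 311."""
    found, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == VENDOR_MICROSOFT:
                vtype, vlen = attrs[i + 6], attrs[i + 7]
                found[vtype] = attrs[i + 8:i + 6 + vlen]
        i += alen
    return found


def nas_check(attrs, secret, request_authenticator):
    """What a NAS (here the MikroTik PPPoE/PPTP server) needs before it turns MPPE on: a policy,
    at least one cipher type it supports, and both hidden keys decrypting to 16-octet MPPE keys.
    An Access-Accept that lacks any of these is the symptom described at the top of the thread."""
    ms = parse_microsoft_vsas(attrs)
    required = {MS_MPPE_ENCRYPTION_POLICY, MS_MPPE_ENCRYPTION_TYPES, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY}
    missing = required - set(ms)
    if missing:
        return {"ok": False, "missing": sorted(missing)}
    policy = struct.unpack("!I", ms[MS_MPPE_ENCRYPTION_POLICY])[0]
    types = struct.unpack("!I", ms[MS_MPPE_ENCRYPTION_TYPES])[0]
    send = decrypt_mppe_key(ms[MS_MPPE_SEND_KEY], secret, request_authenticator)
    recv = decrypt_mppe_key(ms[MS_MPPE_RECV_KEY], secret, request_authenticator)
    ok = (policy in (ENCRYPTION_ALLOWED, ENCRYPTION_REQUIRED)
          and bool(types & (RC4_40BIT | RC4_128BIT))
          and len(send) == 16 and len(recv) == 16)
    return {"ok": ok, "policy": policy, "types": types, "send_key": send, "recv_key": recv}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real server
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    attrs = build_mppe_accept_attrs(secret, req_auth, b"S" * 16, b"R" * 16)
    print(nas_check(attrs, secret, req_auth))
    print(nas_check(vsa(MS_MPPE_ENCRYPTION_POLICY, struct.pack("!I", 1)), secret, req_auth))
```

Two points worth keeping in mind when reading a capture of the real exchange: the hidden keys are only recoverable with the correct shared secret for that NAS, so a secret mismatch between Radiator and the MikroTik shows up as garbage key lengths rather than an obvious error, and the Request Authenticator used for hiding is the one from the matching Access-Request, which is why the check above takes it as a parameter.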