I own a NPS (Radius) server on Windows 2008 server (domaine controler).

I have a Mikrotik RB751U-2HnD wifi router.

I’d like to use this wifi router as acces point to my wifi users, using radius (and NPS on my 2008 server).

With winbox, on Wireless > Security profile > Default > General, I know how to connect my seven enterprise users to the wifi router using WPA-AES, WPA2-AES and WPA2-PSK.

But now, truying using Radius (NPS), I’m lost ! Where to go in winbow to start this new configuration ?

Is it in Wireless > Security profile > Default > Radius: but there is no place to put the IP address of my NPS server ?

Is it in “IP > hotspot” ? In this case, is’nt it less secure than in “Wireless > Security profile” ?

Thanks for all.

Radius stuff is here:

/radius
add service=wireless address=xx.xx.xx.xx secret=myradiussecret

With 2003 server - XP SP3 and a D-Link AP, all is fine: a user on XP can connect on wifi with Radius (IAS) and Active Directory.

With WEP Cipher, my XP can connect to mikrotik AP.

With Radius and Mikrotik, nothing happens: my XP can’t connect to mikrotik AP.

Here is my wifi configuration in mikrotik:

/interface wireless
set 0 disabled=no l2mtu=2290 mode=ap-bridge ssid=test6 wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] eap-methods=passthrough
/radius
add address=192.168.88.2 secret=secret service=wireless

In winbox > Radius > wireless > status: I don’t see anything in “Request”.

What is wrong in my config ?

Thanks for all.

Best regards.

Enable verbose logging for radius.

/system logging
add topics=radius,debug action=memory

Try another connection, then check the log.

I’m very sorry: is it what you want ? If yes, nothing appears when XP is trying to connect:

[admin@MikroTik] /system logging> print follow where topics~“.radius”
Flags: X - disabled, I - invalid, * - default

TOPICS ACTION PREFIX

– Ctrl-C to quit. Space prints separator. New entries will appear at bottom.

[admin@MikroTik] /system logging> print follow where topics~“.debug”
Flags: X - disabled, I - invalid, * - default

TOPICS ACTION PREFIX

0 radius memory
debug
– Ctrl-C to quit. Space prints separator. New entries will appear at bottom.

With:

[admin@MikroTik] /system logging> export compact

jan/02/1970 00:25:48 by RouterOS 5.14

software id = 2AYL-KERF

/system logging
add topics=radius,debug

I give you one more time wifi configuration in mikrotik:

/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=
ap-bridge ssid=test6 wireless-protocol=802.11

/interface wireless security-profiles
set [ find default=yes ] eap-methods=passthrough

/radius
add address=192.168.88.2 secret=secret

I hope it’s not a “big” mistake: I don’t want to make you lose your time (with DLink AP: all is working fine).

Thanks for all.

Best regards.

A mistake I think: I’ve forgotten to select “service=wireless” in radius:

/radius
add address=192.168.88.2 secret=secret service=wireless

But this new configuration don’t change anything.

Thanks for all.

Best regards.

If you activated the logging for radius in system logging, then you should attempt to connect to the wireless, and then:

/log
print

There should be the entire radius communication in the log. What does that say?

Yes, I have anything: according to me, link between AP mikrotik and IAS (Microsoft Win 2003) is good: in Mikrotik log, when I create radius:

• Config ---------------------
  /radius
  add address=192.168.88.2 secret=secret service=wireless

• Log -----------------------------
  08:39:41 radius,debug,packet sending Accounting-Request with id 0 to 192.168.88.2:1813
  08:39:41 radius,debug,packet Signature = 0x51a933f37025d4f52a
  08:39:41 radius,debug,packet Acct-Status-Type = 7
  08:39:41 radius,debug,packet NAS-Identifier = “MikroTik”
  08:39:41 radius,debug,packet Acct-Delay-Time = 0
  08:39:41 radius,debug,packet NAS-IP-Address = 192.168.88.1
  08:39:41 radius,debug,packet received Accounting-Response with id 0 from 192.168.88.2:1813
  08:39:41 radius,debug,packet Signature = 0x3f711f4ff872b2ed67b
  08:39:41 radius,debug received reply for 05:00

In Win 2003 (c:\windows\system32\logfiles), I see, at the same time:

192.168.88.1,10/10/2012,08:40:38,IAS,HUG,40,7,32,MikroTik,41,0,4,192.168.88.1,4108,192.168.88.1,4116,0,4128,mikrotik,4155,2,4136,4,4142,0

But nothing else in log when XP try to connect.

My wifi XP configuration (the same as for DLink AP that works fine):
. authentication: open
. cypher: WEP
. WEP key: anything, not usefull
. key is not given automatically
. authentication:

• 802.1X activated
• protected EAP:
  . validate server certicate
  . CA: my CA (on my 2003 DC)
  . authentication method: MS-CHAP v2
• don’t use automatically my session name
• computer authentication if available.

Is my mikrotik AP understand it has to use radius ?

• security-profile ---------------------
  /interface wireless security-profiles
  set [ find default=yes ] eap-methods=passthrough
• and radius ---------------------
  /radius
  add address=192.168.88.2 secret=secret service=wireless

An other time, thanks for all.

Best regards.

That log entry you posted was the accounting request to port 1813. There should have been an authentication request to port 1812 also. Was that not in the log?

Sorry. I don’t have anything else in the log.

All what I’ve found in the net is confuse, but seems to say one part of the solution is in security-profile:

• my security-profile --------------------
  /interface wireless security-profiles
  set [ find default=yes ] eap-methods=passthrough

Is this security-profile ok for my wifi XP configuration ?

. authentication: open
. cypher: WEP
. WEP key: anything, not usefull
. key is not given automatically
. authentication:

• 802.1X activated
• protected EAP:
  . validate server certicate
  . Trusted root certification authorities: my CA (on my 2003 DC)
  . authentication method: MS-CHAP v2
• don’t use automatically my windows logon name
• computer authentication if available.

Thanks for all, really. All my tests to modify security-profiles are without effects.

Best regards.

With a Seven Enterprise, it’s a little better: I obtain a window to enter name and password.

I hope I’ll find the solution in a few days and give you good news before monday.

Thanks for all.

It works !!!

I give you all the solution before monday.

Thanks for all.

The solution to use “a little” 802.1x with a domain DC win 2003 serveur, and IAS, and a Seven owning wifi, and Mikrotik as an simple AP. Users will be authenticated with their name and passwords registered in AD.

Mikrotik configuration (use card 2 to 5 to connect Mikrotik to network as an AP. I’ve not undstood how to configure and use card number 1…):

[admin@MikroTik] > export compact

oct/12/2012 15:24:16 by RouterOS 5.14

software id = 2AYL-KERF

/interface bridge
add admin-mac=D4:CA:6D:29:CE:CD auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=
ap-bridge ssid=test6 wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap mode=dynamic-keys radius-eap-accounting=yes radius-mac-mode=
as-username-and-password static-algo-1=40bit-wep static-key-1=0000000000 static-transmit-key=key-1 wpa-pre-shared-key=
00000000
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment=“default configuration” interface=bridge-local
/ip dns
set allow-remote-requests=yes
/radius
add address=192.168.88.2 secret=secret service=wireless
/radius incoming
set accept=yes
/system logging
add topics=radius,debug
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes

I don’t know why, but the security-profiles don’t seems to be complete below. Here is what I use:

Security profile
Name: default
Mode: dynamic keys

Authentication Types:
WPA2 EAP
Unicast Ciphers
aes ccm
Group Ciphers
aes ccm
Supplicant Identify: Mikrotik
Group Key Update: 00:05:00
Management Protection: disabled

Radius
MAC Authentication: not checked
MAC Accounting: not checked
EAP Accountig: checked

Interim pdate: 00:00:00
MAC Format: XX:XX:XX:XX:XX:XX
MAC Mode: as username and password
MAC Caching Time: disabled

EAP:
EAP Methods: passthrough
TLS Mode: no certificates
TLS Certificate: none

Static Keys: nothing to configure.

And the configuration in Seven Enterprise:

Thumb-index " Connection ":
Name: Test6
SSID: Test6
Type of network: access point
Availability of network: all users
Connect me automatically when this network is in range: checked
Connect me to a priority favourite network if it is possible: not checked
Connect me even if network does not broadcast its name (SSID): not checked

Thumb-index " Security:
Type of security: WPA2 - Enterprise
Type of encoding: AES
Network authentication method: Microsoft: PEAP (Protected EAP)
Memorize my authentication informations for this connection each time I am linked: not checked

Button " advanced Parameters ":
Thumb-index " 802.1x ":
Specify authentication mode: checked
User authentication oo computer
Delete authenticaion informations for all users: not checked

Activate authentication: not checked.

Thumb-index " Parameters 802.11 ":
Activate putting in cache of PMK key (Pairwise Master Key):
Life of the key PMK (minutes): 720
Number of entries in PMK cache: 128

This network uses precondition authentication: not checked
Activate the compliance with norms FIPS (Federal Information Processing Standards) for this network: not checked

Microsoft: PEAP (Protected EAP) \ Parameters
Validate the server certificate: checked
Connection to these servers: not checked
Root Certification authorities: my-own-CA-in-2003

Not to ask the user to allow new servers or approved CA: not checked

Authentication method: Secured password (EAP-MSCHAP version 2)
Button “Configure”:
Use automatically my name and my Windows password of opening session (and possibly of domain): not checked

Activate quick connection: checked
Apply network acces protection: checked
Deconnect. if the server does not introduce TLV of chiffr . link: not checked
Activate the protection of confidentiality: not checked

When ask in the Seven, use a user-name and password registered in Active Directory.

The Seven had been before integrated in the AD domain (and so has the certificate of the CA).

Mikrotik has been added in IAS.

Now, I’ve “just” to replace my old 2003 by a new 2008…

Dear jeanbrico
Would you please help us on configuring the IAS and DC for mikrotik wireless connection. we have the same problem that you had, but other devices like Enginius wirelesses are working properly. It is very kind of you if you help us on this case.