Unable to authenticate against User Manager *SOLVED*

I use ROS 3.0 rc5 on a RB333 and have set up a PPPoE connection on Eth3.
When specifying User/Pass in “secret” in Winbox, authentication works fine, but not when trying to authenticate against User Manager.

Under Radius I have specified the address of Eth2, namely 10.0.2.1 (which is currently not used for anything else), and the same address is specified under Routers in User Manager. Will this do?

Double-checked that user/pass in User Manager is correct.
No log entries in User Manager, but the error message in Windows RAS PPPoE is “691 …invalid user/pass”. I assume this indicates that the connection against UM is ok but UM denies authentication?

The following is a log from an authentication attempt.
Any of you guys that see what is wrong?

[admin@MikroTik] /log> print
21:55:14 pppoe,ppp,debug PPPoE: <0017>: LCP opened 
21:55:14 pppoe,ppp,debug,packet PPPoE:  <0017>: sent CHAP Challenge id=0x1 
21:55:14 pppoe,ppp,debug,packet PPPoE:     <challenge len=10> 
21:55:14 pppoe,ppp,debug,packet PPPoE:     <name MikroTik> 
21:55:14 pppoe,ppp,debug,packet PPPoE:  <0017>: rcvd LCP Ident id=0x1 
21:55:14 pppoe,ppp,debug,packet PPPoE:     <magic 0x6cb5226c> 
21:55:14 pppoe,ppp,debug,packet PPPoE:     MSRASV5.10 
21:55:14 pppoe,ppp,debug,packet PPPoE:  <0017>: rcvd LCP Ident id=0x2 
21:55:14 pppoe,ppp,debug,packet PPPoE:     <magic 0x6cb5226c> 
21:55:14 pppoe,ppp,debug,packet PPPoE:     MSRAS-0-XXXX_LAPTOP 
21:55:14 pppoe,ppp,debug,packet PPPoE:  <0017>: rcvd CHAP Response id=0x1 
21:55:14 pppoe,ppp,debug,packet PPPoE:     <response len=31> 
21:55:14 pppoe,ppp,debug,packet PPPoE:     <name bob> 
21:55:14 radius,debug RADIUS: new request 1b:28 code=Access-Request service=ppp called-id=Test
21:55:14 radius,debug RADIUS: sending 1b:28 to 192.168.4.10:1812
21:55:14 radius,debug,packet RADIUS: sending Access-Request with id 31 to 192.168.4.10:1812
21:55:14 radius,debug,packet RADIUS:     Signature = 0xea2cb2923a251918bf0751715824d947
21:55:14 radius,debug,packet RADIUS:     Service-Type = 2
21:55:14 radius,debug,packet RADIUS:     Framed-Protocol = 1
21:55:14 radius,debug,packet RADIUS:     NAS-Port = 27
21:55:14 radius,debug,packet RADIUS:     NAS-Port-Type = 15
21:55:14 radius,debug,packet RADIUS:     User-Name = "bob"
21:55:14 radius,debug,packet RADIUS:     Calling-Station-Id = "00:12:79:C3:AD:2B"
21:55:14 radius,debug,packet RADIUS:     Called-Station-Id = "Test"
21:55:14 radius,debug,packet RADIUS:     NAS-Port-Id = "ether3"
21:55:14 radius,debug,packet RADIUS:     MS-CHAP-Challenge = 0x4a46a2592f611eb5786000f244ee514f
21:55:14 radius,debug,packet RADIUS:     MS-CHAP2-Response = 0x0100f2b07772650f3205089e663f4b4e
21:55:14 radius,debug,packet RADIUS:       7eba0000000000000000685941eef12e
21:55:14 radius,debug,packet RADIUS:       f22738fd285d4bbed01e715b54807871
21:55:14 radius,debug,packet RADIUS:       ec0b
21:55:14 radius,debug,packet RADIUS:     NAS-Identifier = "MikroTik"
21:55:14 radius,debug,packet RADIUS:     NAS-IP-Address = 192.168.4.10
21:55:14 radius,debug RADIUS: resending 1b:28
21:55:14 radius,debug,packet RADIUS: sending Access-Request with id 31 to 192.168.4.10:1812
21:55:14 radius,debug,packet RADIUS:     Signature = 0xea2cb2923a251918bf0751715824d947
21:55:14 radius,debug,packet RADIUS:     Service-Type = 2
21:55:14 radius,debug,packet RADIUS:     Framed-Protocol = 1
21:55:14 radius,debug,packet RADIUS:     NAS-Port = 27
21:55:14 radius,debug,packet RADIUS:     NAS-Port-Type = 15
21:55:14 radius,debug,packet RADIUS:     User-Name = "bob"
21:55:14 radius,debug,packet RADIUS:     Calling-Station-Id = "00:12:79:C3:AD:2B"
21:55:14 radius,debug,packet RADIUS:     Called-Station-Id = "Test"
21:55:14 radius,debug,packet RADIUS:     NAS-Port-Id = "ether3"
21:55:14 radius,debug,packet RADIUS:     MS-CHAP-Challenge = 0x4a46a2592f611eb5786000f244ee514f
21:55:14 radius,debug,packet RADIUS:     MS-CHAP2-Response = 0x0100f2b07772650f3205089e663f4b4e
21:55:14 radius,debug,packet RADIUS:       7eba0000000000000000685941eef12e
21:55:14 radius,debug,packet RADIUS:       f22738fd285d4bbed01e715b54807871
21:55:14 radius,debug,packet RADIUS:       ec0b
21:55:14 radius,debug,packet RADIUS:     NAS-Identifier = "MikroTik"
21:55:14 radius,debug,packet RADIUS:     NAS-IP-Address = 192.168.4.10
21:55:14 radius,debug RADIUS: resending 1b:28
21:55:14 radius,debug,packet RADIUS: sending Access-Request with id 31 to 192.168.4.10:1812
21:55:14 radius,debug,packet RADIUS:     Signature = 0xea2cb2923a251918bf0751715824d947
21:55:14 radius,debug,packet RADIUS:     Service-Type = 2
21:55:14 radius,debug,packet RADIUS:     Framed-Protocol = 1
21:55:14 radius,debug,packet RADIUS:     NAS-Port = 27
21:55:14 radius,debug,packet RADIUS:     NAS-Port-Type = 15
21:55:14 radius,debug,packet RADIUS:     User-Name = "bob"
21:55:14 radius,debug,packet RADIUS:     Calling-Station-Id = "00:12:79:C3:AD:2B"
21:55:14 radius,debug,packet RADIUS:     Called-Station-Id = "Test"
21:55:14 radius,debug,packet RADIUS:     NAS-Port-Id = "ether3"
21:55:14 radius,debug,packet RADIUS:     MS-CHAP-Challenge = 0x4a46a2592f611eb5786000f244ee514f
21:55:14 radius,debug,packet RADIUS:     MS-CHAP2-Response = 0x0100f2b07772650f3205089e663f4b4e
21:55:14 radius,debug,packet RADIUS:       7eba0000000000000000685941eef12e
21:55:14 radius,debug,packet RADIUS:       f22738fd285d4bbed01e715b54807871
21:55:14 radius,debug,packet RADIUS:       ec0b
21:55:14 radius,debug,packet RADIUS:     NAS-Identifier = "MikroTik"
21:55:14 radius,debug,packet RADIUS:     NAS-IP-Address = 192.168.4.10
21:55:15 radius,debug RADIUS: timeout for 1b:28 
21:55:15 pppoe,ppp,debug,packet PPPoE:  <0017>: sent CHAP Failure id=0x1 
21:55:15 pppoe,ppp,debug,packet PPPoE:     E=691 R=0 C=4A46A2592F611EB5786000F244EE514F V=3 M=bad username or password
21:55:15 pppoe,ppp,debug PPPoE: <0017>: peer authentication failed for remote host
21:55:15 pppoe,ppp,debug PPPoE: <0017>: LCP close
21:55:15 pppoe,ppp,debug PPPoE: <0017>: LCP closed
21:55:15 pppoe,ppp,debug PPPoE: <0017>: CCP lowerdown
21:55:15 pppoe,ppp,debug PPPoE: <0017>: CCP down event in initial state
21:55:15 pppoe,ppp,debug PPPoE: <0017>: BCP lowerdown
21:55:15 pppoe,ppp,debug PPPoE: <0017>: BCP down event in initial state
21:55:15 pppoe,ppp,debug PPPoE: <0017>: IPCP lowerdown
21:55:15 pppoe,ppp,debug PPPoE: <0017>: IPCP down event in initial state
21:55:15 pppoe,ppp,debug,packet PPPoE:  <0017>: sent LCP TermReq id=0x2
21:55:15 pppoe,ppp,debug,packet PPPoE:     user bob authentication failed - radius timeout
21:55:15 pppoe,ppp,debug,packet PPPoE:  <0017>: rcvd LCP TermAck id=0x2
21:55:15 pppoe,ppp,debug,packet PPPoE:     user bob authentication failed - radius timeout
21:55:15 pppoe,ppp,debug PPPoE: <0017>: LCP lowerdown
21:55:15 pppoe,ppp,info <pppoe-0>: terminating... - user bob authentication failed - radius timeout
21:55:15 pppoe,ppp,info PPPoE: <pppoe-0>: terminating... - user bob authentication failed - radius timeout
21:55:15 pppoe,debug,packet PPPoE: ether3: sent PADT to 00:12:79:C3:AD:2B 
21:55:15 pppoe,debug,packet PPPoE:     session-id=0x0017 
21:55:15 pppoe,ppp,debug PPPoE: <0017>: CCP lowerdown 
21:55:15 pppoe,ppp,debug PPPoE: <0017>: CCP down event in initial state 
21:55:15 pppoe,ppp,debug PPPoE: <0017>: BCP lowerdown 
21:55:15 pppoe,ppp,debug PPPoE: <0017>: BCP down event in initial state 
21:55:15 pppoe,ppp,debug PPPoE: <0017>: IPCP lowerdown 
21:55:15 pppoe,ppp,debug PPPoE: <0017>: IPCP down event in initial state 
21:55:15 pppoe,ppp,info <pppoe-0>: disconnected 
21:55:15 pppoe,ppp,info PPPoE: <pppoe-0>: disconnected 
21:55:15 pppoe,debug,packet PPPoE: ether3: rcvd PADT from 00:12:79:C3:AD:2B 
21:55:15 pppoe,debug,packet PPPoE:     session-id=0x0017 
21:55:38 system,info,account user admin logged in from 192.168.4.90 via telnet 

[admin@MikroTik] /log> print

I think you forgot to configure your ppp to authenticate using Radius

 > ppp aaa set use-radius=yes

No, it’s there:

[admin@MikroTik] > radius print
Flags: X - disabled 
 #   SERVICE          CALLED-ID     DOMAIN        ADDRESS         SECRET       
 0   ppp                                          192.168.4.10    *****

Under PPP I have the following:

[admin@MikroTik] > ppp export
# oct/18/2007 08:25:27 by RouterOS 3.0rc5
# software id = L2FP-FTT
#
/ppp profile 
set default change-tcp-mss=yes comment="" local-address=10.0.4.1 \
    name="default" only-one=default remote-address=pool1 \
    use-compression=default use-encryption=default use-vj-compression=default 
add change-tcp-mss=default comment="" local-address=10.0.3.1 name="profile1" \
    only-one=default remote-address=pool3 use-compression=default \
    use-encryption=default use-vj-compression=default 
set default-encryption change-tcp-mss=yes comment="" name="default-encryption" \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default 
/ppp aaa 
set accounting=yes interim-update=0s use-radius=yes 
[admin@MikroTik] >

(profile1 is used for my PPPoE server)

I must admit I am a little confused about what is what here. Apparently there is not a 1:1 relationship between the Winbox pages and the different levels in the command line interface.

In Winbox, under PPP there is one tab called “PPPoE servers”. Under this one I have created a “PPPoE service” (note the naming confusion!) specifying Interface and profile, but as you see this “service” is not listed using “ppp export” in the command line interface.

Another tab under PPP is “Interface”, and if I create a “PPPoE server” entry here (here the “PPPoE server” denotation surfaces, contrary to under tab “PPPoE servers”!!) it will show up also under top level “Interface”, among the physical interfaces of the router. But as mentioned, my setup worked flawlessly without creating anything under this tab, provided authenticating was done against an account defined under “PPP secret” in the router itself.
When my client was connected, a route also showed up under “IP route”, routing my client the proper way.

So, what is the “PPP/Interface” tab in Winbox used for?
Will I have to add an entry here as well? And what is the “User” field for?

My theory is that since everything works using a local secret the problem can be pin-pointed down to the authentication process. Or am I wrong?

Which steps are necessary to authenticate against a local User Manager? Do I have to specify IP of router in UM and vice versa, or can these be skipped as UM is running off local router?

Can I be sure that the problem is what the error message from the PPPoE log entries says, namely “Invalid username and password” or does the router fail to communicate with UM? No UM log entries are generated.
I am not able to interpret all the PPPoE and RADIUS log entries.

I will be thankful for any help!

After extensive forum searching I finally got this to work.

The solution was in this thread.
I added topic “manager” to system/logging and got the same error message as mac86, “manager,debug received remote request from 127.0.0.1:xxxxx with unknown address…”

Then I figured out that I had to use 127.0.0.1 (local host) both in radius client and in router setup in User Manager, and now authentication works like a charm.

However there is something funny with the IP setting under Routers in User Manager that maybe fooled me also when using the address of one of my interfaces:
When clicking on the router the details of the router opens in a separate window. An address entered here the normal way (small-endian) is swapped to big-endian in the router list when Save is pressed and window closed. I.e. when I want to specify 127.0.0.1 I must type 1.0.0.127.
However when I enter the details again the IP is listed correctly. By just pressing save it is swapped again to 1.0.0.127, and by repeating this once more it’s back at 127.0.0.1.

I guess this is something other users have noticed as well?

Any comments from Mikrotik guys?

And why isn’t there any User Manager for rc6 and rc7? When rc5 was the latest ROS there was a link for the UM on the download page.
I tried UM rc5 with ROS rc6 but it wouldn’t install so I have to stick to rc5 until a higher version of UM surfaces.
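
The question raised earlier in the thread, whether error 691 means User Manager rejected the credentials or was never reached, can be answered from the router's own debug log. The following is an added example, not code from the original posts: it parses only the log line shapes quoted in the thread, and `SAMPLE_LOG` is a constructed, condensed copy of those lines.

```python
import re

# Constructed sample: condensed copy of the router log lines quoted in the thread.
SAMPLE_LOG = """\
21:55:14 radius,debug RADIUS: new request 1b:28 code=Access-Request service=ppp called-id=Test
21:55:14 radius,debug RADIUS: sending 1b:28 to 192.168.4.10:1812
21:55:14 radius,debug RADIUS: resending 1b:28
21:55:14 radius,debug RADIUS: resending 1b:28
21:55:15 radius,debug RADIUS: timeout for 1b:28
21:55:15 pppoe,ppp,debug,packet PPPoE:     E=691 R=0 C=4A46A2592F611EB5786000F244EE514F V=3 M=bad username or password
21:55:15 pppoe,ppp,info <pppoe-0>: terminating... - user bob authentication failed - radius timeout
"""

NEW = re.compile(r"RADIUS: new request (\S+) code=(\S+)")
SEND = re.compile(r"RADIUS: (re)?sending (\S+?)(?: to (\S+))?$")
TIMEOUT = re.compile(r"RADIUS: timeout for (\S+)")
CHAP_ERR = re.compile(r"\bE=(\d+) ")

def summarize(log_text):
    """Return (requests keyed by request id, CHAP error codes sent to the peer)."""
    requests, chap_errors = {}, []
    for raw in log_text.splitlines():
        line = raw.strip()  # pasted router logs carry trailing spaces
        if m := NEW.search(line):
            requests[m.group(1)] = {"code": m.group(2), "server": None,
                                    "sends": 0, "timed_out": False}
        elif m := SEND.search(line):
            req = requests.get(m.group(2))
            if req is not None:  # ignore sends for requests we never saw start
                req["sends"] += 1
                req["server"] = m.group(3) or req["server"]
        elif m := TIMEOUT.search(line):
            if m.group(1) in requests:
                requests[m.group(1)]["timed_out"] = True
        elif m := CHAP_ERR.search(line):
            chap_errors.append(int(m.group(1)))
    return requests, chap_errors

def diagnose(log_text):
    """List requests that timed out, and flag a 691 that followed a timeout."""
    requests, chap_errors = summarize(log_text)
    findings = [f"{rid}: no reply from {r['server']} after {r['sends']} sends"
                for rid, r in requests.items() if r["timed_out"]]
    if findings and 691 in chap_errors:
        findings.append("E=691 followed a RADIUS timeout: no verdict on the "
                        "credentials was received")
    return findings
```

A timeout finding points at reachability or at the server not recognising the client's source address, which is what the “manager” logging topic confirmed in this thread.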