Winbox login through radius

In the past few days I’ve configured our Mikrotiks to authenticate our SSH logins via radius and ultimately with Active Directory. Now, I’m trying to get winbox working and I am running into a CHAP wall. It appears to me that winbox is using CHAP and sending that to my radius server. From what research I have done, I am not able to authenticate a chap challenge/password with active directory. Can anyone confirm?

If that is the case, am I stuck or is there another approach I could be taking to get my winbox logins authenticated through active directory?

Thanks!

Adam

Yes, Winbox asks for CHAP support on RADIUS server, while Telnet and SSH ask for PAP support.

In that case, am I stuck or is there another approach I could be taking to get my winbox logins authenticated through active directory?


Adam

I am experiencing this same issue as well. Is there anyway around it?
Am I just forced to store the plain-text passwords on the server, so I can use CHAP and PAP?

Thanks
-Keith-

I have not found a way around it yet. We are simply storing separate winbox credentials in clear text in our radius.

Are there any plans to make PAP an option with RADIUS for Winbox? There’s very good reasons IAS doesn’t support CHAP.

I authenticate about 100 routers to AD via FreeRADIUS. I have FreeRADIUS proxy the request to my AD servers. Reason I do that is because I have a web application setup to add the NASs into the FreeRADIUS MYSQL dbase and reload the config every 5 minutes.

Works for ssh and winbox this way. AD server is 2008 enterprise.

EDIT: If memory serves, I did have to store passwords with reversible encryption. Didn’t really matter to me that much. Nobody has access to the AD servers but me…

Do you tie FreeRADIUS directly into AD via LDAP, or do you proxy it through to IAS? I’m unfortunately required to go through IAS, I can’t tie our main RADIUS appliances (FreeRADIUS based) directly via LDAP.

Though if it’s completely impossible I may be able to push for a policy change once we have enough RouterOS devices in production.

I go from FreeRADIUS to IAS. Only reason I did it is because it is easy to store the NASs in MYSQL and make dynamic changes via a web application.

We too authenticate our devices to AD with FreeRadius, but it only works for us with SSH. Our FreeRadius is configured using ntlm_auth. Do you mind sharing some of your FreeRadius config?

It’s been nearly a year since I last looked at this, but I was under the impression that you had to be able to retrieve the clear text password from AD since winbox used CHAP.

Adam

Update: Just saw your edit about storing passwords with reversible encryption. Maybe that’s what the key is.

EDIT: If memory serves, I did have to store passwords with reversible encryption. Didn’t really matter to me that much. Nobody has access to the AD servers but me...

Yeah, that makes sense then, and would definitely work. Unfortunately I don’t have that option. Company security policy definitely makes that a no go.

roadracer96,

Any chance you would be willing to share some of your radiusd.conf file? I’m having trouble getting this to work correctly.

Thanks!

Adam

I didn’t have to edit it too much. It was pretty simple. The following goes in the proxy.conf.

# FreeRADIUS 1.x proxy.conf: forward requests for the "ad.domain" realm to IAS/NPS.
# Two entries with the same realm name form a failover pool (second AD server
# is used when the first does not answer). Replace "secret" with the shared
# secret configured on the IAS/NPS side for this RADIUS client.
realm ad.domain {
        type     = radius
        authhost = adserver1.ad.domain:1812
        accthost = adserver1.ad.domain:1813
        secret   = secret
}

realm ad.domain {
        type     = radius
        authhost = adserver2.ad.domain:1812
        accthost = adserver2.ad.domain:1813
        secret   = secret
}

I see, that does look easy, but I don’t have IAS server to proxy to.

Anyone else able to get Winbox to authenticate through radius server to AD?

Adam

IAS comes free as part of Windows Server editions. Just install it on your DC (or a dedicated machine, but then you’re out a license).

^^^ What he said. In 2008, it is called network policy service. It actually works really well.

:bulb:

Lightbulb is on now. I was thinking ISA Server and thought there was something special that you were doing with it. Makes much more sense now!

Thanks!

Adam

I have this problem too. eh :frowning:

I’ve just been trying to configure this as well.

When I try to log in with Winbox, I see this log entry in Event Viewer:

Event Type:	Warning
Event Source:	IAS
Event Category:	None
Event ID:	2
Date:		5/6/2012
Time:		11:49:26 AM
User:		N/A
Computer:	ADSERVER
Description:
User nickb was denied access.
 Fully-Qualified-User-Name = DOMAIN\nickb
 NAS-IP-Address = 10.x.x.1
 NAS-Identifier = Independence Firewall
 Called-Station-Identifier = <not present> 
 Calling-Station-Identifier = 69.x.x.66
 Client-Friendly-Name = Mikrotik
 Client-IP-Address = 10.x.x.1
 NAS-Port-Type = <not present> 
 NAS-Port = <not present> 
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server = <undetermined> 
 Policy-Name = <undetermined> 
 Authentication-Type = MD5-CHAP
 EAP-Type = <undetermined> 
 Reason-Code = 19
 Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0a 20 07 80               . .€

I can log in successfully with Telnet, SSH, and FTP. Logging in to Webbox fails, with no event viewer entry, nor any entry in the “status” tab of the radius server on the router - I suspect that it is not consulting RADIUS. API logins with Android Winbox also fail; but I don’t know if that’s a problem with the app or with the API subsystem.

Successful login with Telnet/SSH/FTP proves that the configuration is valid; the problem is apparently that logging in with Winbox ONLY supports CHAP. Oddly, Telnet/SSH/FTP only support PAP (I tested with MSCHAPv2 and MSCHAPv2, but PAP was the only thing that showed up in the logs with those services).

I’ve emailed MT support to ask about this; but there are threads on this topic several years old and the fact that there has been no change as recent as 5.14 tells me their response will either be to not respond; or to say that they aren’t willing to change it.

As far as I’m aware from my research so far, the only way to work around this is to enable storing passwords in active directory with a reversible encryption option; which I consider to be an unacceptable solution from a security point of view.

Of course, PAP isn’t very desirable either; but encrypting with a nice strong RADIUS shared secret is (arguably) better than storing the password in plain text…
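Why the IAS event above insists on a reversibly encrypted password, shown as an added example (not code from this thread, from MikroTik or from FreeRADIUS): the RFC 2865 CHAP-Password check next to the PAP User-Password hiding, with constructed sample values. Verifying CHAP requires the server to hold the password itself, while PAP lets the server recover the password using only the shared secret and compare it against a one-way hash, which is why Telnet/SSH/FTP (PAP) work against AD and Winbox (CHAP) does not.

```python
import hashlib

# Constructed sample values (not from the thread).
SHARED_SECRET = b"example-radius-secret"
PASSWORD = b"correct horse battery"

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password per RFC 2865 s5.3: MD5(CHAP ident || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def verify_chap(chap_id: int, response: bytes, challenge: bytes,
                stored_password: bytes) -> bool:
    """CHAP check: the server recomputes the digest, which it can only do
    from the cleartext (or reversibly encrypted) password. A one-way hash
    of the password cannot answer a CHAP challenge; this is Reason-Code 19."""
    return chap_response(chap_id, stored_password, challenge) == response

def pap_hide(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """User-Password hiding per RFC 2865 s5.2: null-pad to 16-byte blocks,
    then XOR each block with MD5(secret || previous ciphertext block),
    starting from the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Undo the hiding on the server side; only the shared secret is needed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def one_way_hash(password: bytes) -> bytes:
    """Stand-in for the one-way hash a directory stores (AD uses the NT hash;
    SHA-256 is used here only so the example runs without legacy MD4)."""
    return hashlib.sha256(password).digest()

def verify_pap(hidden: bytes, authenticator: bytes, secret: bytes,
               stored_hash: bytes) -> bool:
    """PAP check: recover the cleartext, hash it, compare with the stored hash.
    Needs the shared secret plus a one-way hash, never the cleartext at rest."""
    return one_way_hash(pap_reveal(hidden, authenticator, secret)) == stored_hash
```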

Hello,

Is there any update on this issue? Winbox is still not working with FreeRADIUS; it asks for a cleartext password.

Thanks for any hints