We are trying to get our routers using RADIUS to authenticate users to log in with Winbox, but we're having a lot of trouble with it.
We're using Windows NPS as the RADIUS server.
I believe the problem is that Winbox uses MD5-CHAP and Windows doesn't support this? (Assuming I have understood what I've read.)
I have seen other posts where people have used FreeRADIUS as some sort of proxy, but I would like to avoid this as I believe it WILL work without it. (In short, a previous colleague had Winbox authenticating against AD without any additional servers; he's left the company and I can't figure out how he did it.)
Forgot to mention, actually: we already have RADIUS authenticating PPTP connections with this NPS server, but I believe that uses normal CHAP and not MD5-CHAP.
So I think that's why the VPNs are working and authenticating correctly but Winbox isn't.
For anyone running into similar problems in the future…
Active Directory passwords need to be stored using reversible encryption. This is done in GP (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > set "Store passwords using reversible encryption" to Enabled).
Did a GP update and it didn't work; created a new test account and it works fine, so I assume new accounts will store their passwords with reversible encryption when created, while existing accounts may need to wait some time or reset their passwords.
General info…
SSH and Telnet use PAP authentication
Winbox uses MD5-CHAP authentication
Webfig does not support radius (yet, ROS v5.6)
With NPS configured by default, users will find they can log in to the router with SSH or Telnet without any problems, and PPP authentication (for VPNs etc.) will work without issue, but Winbox won't work. In the RADIUS logs on the router you will see the request is "Accepted", but Winbox still responds with "Access Denied". If you look in the Windows (NPS server) security logs you will find an "Audit Failure" with…
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect
This is because Winbox is encrypting your password with MD5-CHAP and then passing that to NPS / Windows Active Directory, which then doesn't know what to do with the hashed/encrypted password. Setting the group policy as above will allow AD to store passwords in the same way as it is receiving them from Winbox.
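The steps above (enable reversible encryption, then get each account's password re-set so the reversibly encrypted copy exists, then confirm on the NPS side) can be scripted and verified from PowerShell. The script below is an added example and is not from the original post or from MikroTik or Microsoft; it assumes the RSAT ActiveDirectory module is installed, that the session has rights to modify the accounts and to read the NPS server's Security log remotely, and it uses a placeholder group name (`RouterAdmins`) and NPS hostname (`NPS01`) that you would replace. It goes one step further than the post: because reversible encryption is effectively clear-text password storage, it sets the per-account `AllowReversiblePasswordEncryption` flag only on the router-admin accounts instead of enabling it domain-wide through the GPO.

```powershell
# Added example (not part of the original post). Placeholders: group 'RouterAdmins',
# NPS server 'NPS01'. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Report whether the domain-wide GPO setting from the post is enabled.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host "Domain-wide 'Store passwords using reversible encryption': $($policy.ReversibleEncryptionEnabled)"

# 2. Scope reversible encryption to the accounts that actually log in through Winbox.
#    Reversible encryption is equivalent to storing the password in clear, so the
#    per-account flag is preferable to the domain-wide GPO.
$routerAdmins = Get-ADGroupMember -Identity 'RouterAdmins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AllowReversiblePasswordEncryption, PasswordLastSet

foreach ($u in $routerAdmins) {
    if (-not $u.AllowReversiblePasswordEncryption) {
        Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $true
        # The reversibly encrypted copy is only written when the password is next set,
        # which is why the post's existing accounts kept failing until a reset.
        Write-Host ("{0}: flag set on {1}; password last set {2} -> reset still required" -f
            $u.SamAccountName, (Get-Date), $u.PasswordLastSet) -ForegroundColor Yellow
    }
}

# 3. Reset one test account's password so its reversibly encrypted form exists.
#    Interactive prompt; replace 'winboxtest' with your test account.
$testUser = 'winboxtest'
$newPw = Read-Host -AsSecureString "New password for $testUser"
Set-ADAccountPassword -Identity $testUser -Reset -NewPassword $newPw

# 4. Confirm the diagnosis on the NPS side: event 6273 ("denied access") with
#    Reason Code 16 is the credential-mismatch failure quoted in the post.
#    The 'Authentication Type' field separates Winbox (CHAP) from SSH/Telnet (PAP).
function Get-NpsCredentialMismatch {
    param(
        [string]$NpsServer = 'NPS01',
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $NpsServer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Reason Code:\s+16\b' } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            # Pull the first occurrence of each labelled line out of the event text.
            $field = { param($label) ($lines | Where-Object { $_ -match "^\s*$label" } |
                       Select-Object -First 1) -replace "^\s*$label\s*", '' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = & $field 'Account Name:'
                Client   = & $field 'Client Friendly Name:'
                AuthType = & $field 'Authentication Type:'
            }
        }
}

Get-NpsCredentialMismatch | Format-Table -AutoSize
```

After the reset, a Winbox login from the test account should stop producing 6273/Reason Code 16 entries, while any remaining entries show which accounts still need their password re-set. One further check worth making on the NPS side: the network policy that matches the router must have "Encrypted authentication (CHAP)" ticked under Authentication Methods, otherwise the CHAP request is rejected before the password is ever compared.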