kempoguy
just joined
Topic Author
Posts: 11
Joined: Wed Jul 27, 2016 6:05 am

RADIUS between Mikrotik and MS Server

Tue Jun 13, 2017 7:25 am

Hi,

I have to implement RADIUS authentication on our network which has dozens of Mikrotiks of all flavours and versions. Our RADIUS server is Microsoft Server 2012R2 running NPS.

I have created a client profile for my 'test' router using a simple secret. I have also created a connection request policy with 24 hour, 7 day access and 'override network policy authentication settings' selected with MD5-Challenge as the EAP Type. I have created a Network Policy which is enabled, allows the appropriate AD groups, has the Client Vendor set as 'RADIUS Standard', has MD5-Challenge selected as the EAP Type.

Every attempt to connect to the router results in an error being logged in NPS on the server. The content of one of these errors is below. Sensitive data has been blanked out with 'xxxxxx'.

The only way I can make it work is to change the Authentication settings for the Connection Request Policy from 'Authenticate requests on this server' to 'Accept users without validating credentials'. Under this condition, the login will be successful and an appropriate message is written to the event log. This situation is, of course, of no use as there is no security under these conditions.


Can anyone offer any suggestions please?


****************** Event Log Excerpt ******************************
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: NULL SID
Account Name: xxx.xxx.xx\xxxxxxxx
Account Domain: xxxxxxxxxxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 10.xxx.xxx.xxx

NAS:
NAS IPv4 Address: 10.xxx.xxx.xxx
NAS IPv6 Address: -
NAS Identifier: MikroTik
NAS Port-Type: -
NAS Port: -

RADIUS Client:
Client Friendly Name: test
Client IP Address: xxx.xxx.xxx.xxx

Authentication Details:
Connection Request Policy Name: Mikrotik Connection Requests
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxxxxxxxxxxxxx
Authentication Type: MD5-CHAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Re: RADIUS between Mikrotik and MS Server

Tue Jun 13, 2017 1:43 pm

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Logs don't lie. Either:
1) You are using an incorrect shared secret,
2) The user you are authenticating as is not in the required groups, or
3) You are using an incorrect username and/or password.
kempoguy
just joined
Topic Author
Posts: 11
Joined: Wed Jul 27, 2016 6:05 am

Re: RADIUS between Mikrotik and MS Server

Wed Jun 14, 2017 12:42 am

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Logs don't lie. Either:
1) You are using an incorrect shared secret,
2) The user you are authenticating as is not in the required groups, or
3) You are using an incorrect username and/or password.

Yes, fundamentally I agree, however I've tried it with no secret, and I'm using my same domain admin login as I'm logged onto the domain controller with while I'm doing these tests. The allowed groups in the Network Policy setup are the same admin groups I am in to manage the domain, so it doesn't make any sense at all.

I did read something somewhere about there being a problem with the MS implementation of MD5 whereby the secret can only be upper case - again, tried that to no avail either.

From testing using NTRadPing, it looks like the problem is with the MD5 - can a Mikrotik device use a different, more secure, method for radius authentication?
kempoguy
just joined
Topic Author
Posts: 11
Joined: Wed Jul 27, 2016 6:05 am

Re: RADIUS between Mikrotik and MS Server

Wed Jun 14, 2017 12:50 am

*** UPDATE***

Found the problem. On our DC, I had to enable the 'store password with reversible encryption' option for my account to allow the Mikrotik RADIUS to work.
From a security point of view, this is unacceptable and reinforces the need to use a different authentication protocol between the router and the RADIUS server.

Can the authentication be changed to something which is secure and usable by today's standards?
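The NPS log above shows "Authentication Type: MD5-CHAP", and the fix the poster found (storing the AD password with reversible encryption) follows directly from how CHAP works: the server must recompute MD5(id || password || challenge), so it needs the password itself, not a one-way hash of it. With PAP the NAS sends the password hidden under the shared secret (RFC 2865 section 5.2), the server recovers the cleartext and can check it against whatever one-way hash it stores. The following Python models both attribute computations side by side. It is an added example written for this page, not code from the thread, RouterOS or NPS; the shared secret, password, challenge and the PBKDF2 "directory" store are constructed stand-ins, and nothing is sent on the network.

```python
"""RADIUS PAP vs CHAP credential checks, and why CHAP needs a reversibly
stored password.  Added example; only the RFC 2865 attribute maths is
modelled, no packets are built or sent.  All values below are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample credentials (not the poster's real values).
SHARED_SECRET = b"example-shared-secret"
PASSWORD = b"Correct Horse Battery Staple"


def oneway_store(password: bytes, salt: bytes = b"") -> dict:
    """What a directory normally keeps: a salted one-way hash.  PBKDF2 is a
    stand-in here; AD keeps an NT hash, but either way the cleartext is gone."""
    salt = salt or secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)}


def oneway_check(store: dict, candidate: bytes) -> bool:
    """Constant-time comparison of a candidate cleartext against the store."""
    return hmac.compare_digest(
        store["hash"],
        hashlib.pbkdf2_hmac("sha256", candidate, store["salt"], 100_000))


# ---- PAP: RFC 2865 section 5.2, User-Password hiding ------------------------
def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """NAS side.  Pad to 16-byte blocks; block i is XORed with
    MD5(secret || previous ciphertext block), the first 'previous block'
    being the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_unhide(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side, the inverse of pap_hide: the server ends up holding the
    cleartext password for the duration of the check."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")  # strip the NUL padding added by pap_hide


def pap_server_accept(hidden: bytes, secret: bytes, req_auth: bytes,
                      store: dict) -> bool:
    """PAP verification works against a one-way hash because the server has
    the cleartext after unhiding.  A wrong shared secret yields garbage and
    therefore a mismatch, which is what the thread's reply 1) describes."""
    return oneway_check(store, pap_unhide(hidden, secret, req_auth))


# ---- CHAP: RFC 1994 response carried in the RFC 2865 CHAP-Password ---------
def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: CHAP-Password = ident || MD5(ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_server_accept(chap_password: bytes, challenge: bytes, credential: dict):
    """Server side.  Recomputing MD5(ident || password || challenge) requires
    the password itself, so a reversibly stored password returns True/False,
    while a one-way hash returns None: the server cannot validate at all.
    In the thread that 'cannot validate' surfaced as NPS Reason Code 16 until
    'store password using reversible encryption' was enabled."""
    if "cleartext" not in credential:
        return None
    ident, digest = chap_password[:1], chap_password[1:]
    expected = hashlib.md5(ident + credential["cleartext"] + challenge).digest()
    return hmac.compare_digest(digest, expected)
```

Run the PAP functions with a wrong shared secret or a wrong password and `pap_server_accept` simply returns False, matching the three causes savage lists; run `chap_server_accept` with only the one-way store and it returns None, which is the poster's situation before enabling reversible storage. Two caveats follow from this model. The RFC 2865 hiding is an MD5 keystream keyed by the shared secret, so PAP is only acceptable on a trusted segment or inside IPsec. And CHAP's need for the password is specific to CHAP: MS-CHAPv2 derives its response from the NT hash, which is why an NPS server can validate it against AD without reversible storage, so an MS-CHAPv2- or EAP-based method is the usual answer to the poster's last question.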
