Hi,
I have to implement RADIUS authentication on our network which has dozens of Mikrotiks of all flavours and versions. Our RADIUS server is Microsoft Server 2012R2 running NPS.
I have created a client profile for my 'test' router using a simple secret. I have also created a connection request policy with 24-hour, 7-day access and 'override network policy authentication settings' selected, with MD5-Challenge as the EAP Type. I have created a Network Policy which is enabled, allows the appropriate AD groups, has the Client Vendor set as 'RADIUS Standard', and has MD5-Challenge selected as the EAP Type.
Every attempt to connect to the router results in an error being logged in NPS on the server. The content of one of these errors is below. Sensitive data has been blanked out with 'xxxxxx'.
The only way I can make it work is to change the Authentication settings for the Connection Request Policy from 'Authenticate requests on this server' to 'Accept users without validating credentials'. Under this condition, the login will be successful and an appropriate message is written to the event log. This situation is, of course, of no use as there is no security under these conditions.
Can anyone offer any suggestions, please?
****************** Event Log Excerpt ******************************
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: xxx.xxx.xx\xxxxxxxx
Account Domain: xxxxxxxxxxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 10.xxx.xxx.xxx
NAS:
NAS IPv4 Address: 10.xxx.xxx.xxx
NAS IPv6 Address: -
NAS Identifier: MikroTik
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: test
Client IP Address: xxx.xxx.xxx.xxx
Authentication Details:
Connection Request Policy Name: Mikrotik Connection Requests
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxxxxxxxxxxxxx
Authentication Type: MD5-CHAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
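As an added example (not part of the original post), the following Python parses an NPS "denied access" event in the section/field layout quoted above and maps the fields an administrator checks first (Reason Code 16, Authentication Type MD5-CHAP, EAP Type '-', Network Policy Name '-') to a one-line explanation. The embedded sample is an abridged copy of the redacted event from the post; the note that CHAP validation against AD requires reversibly encrypted passwords is a general property of CHAP, not something stated in the post.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the redacted NPS event quoted in the
# post (raw string so the backslash in the account name survives).
SAMPLE_EVENT = r"""Network Policy Server denied access to a user.
User:
Security ID: NULL SID
Account Name: xxx.xxx.xx\xxxxxxxx
NAS:
NAS Identifier: MikroTik
Authentication Details:
Network Policy Name: -
Authentication Type: MD5-CHAP
EAP Type: -
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
"""

SECTION_RE = re.compile(r"^[A-Za-z ]+:$")    # bare header such as "NAS:"
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")  # "Reason Code: 16"


def parse_nps_event(text):
    """Turn an NPS denial event into {section: {field: value}}.
    A bare 'Name:' line opens a section; 'Key: value' lines belong to the
    current one (fields before any header land in 'General')."""
    sections = defaultdict(dict)
    current = "General"
    for line in (raw.strip() for raw in text.splitlines()):
        if SECTION_RE.match(line):
            current = line[:-1]
        elif (m := FIELD_RE.match(line)):  # banner and blank lines are skipped
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return dict(sections)


def triage_denial(event):
    """Map the fields an admin checks first to a one-line explanation."""
    auth = event.get("Authentication Details", {})
    findings = {}
    if auth.get("Reason Code") == "16":
        findings["credential_mismatch"] = "account not found or password could not be validated"
    if auth.get("Authentication Type") == "MD5-CHAP" and auth.get("EAP Type") == "-":
        findings["plain_chap"] = "NAS sent RADIUS CHAP, not EAP-MD5; CHAP needs reversibly encrypted AD passwords"
    if auth.get("Network Policy Name") == "-":
        findings["no_network_policy"] = "rejected during authentication, before any network policy"
    return findings
```

Feeding the full event text from the NPS log into `parse_nps_event` works the same way; the parser treats any bare `Name:` line as a section header, so a field with an empty value would be misread as a header.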