Hello all,
MK In RouterOS 6.38.1 added new features like:
*** ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes";
*** radius - added IPSec service (cli only);
Earlier I have been configured L2TP/IPSEC VPN authentication using mikrotik built-in radius server called User Manager. All configuration was done something like shown in this link: https://aacable.wordpress.com/tag/account-expired. This configuration is working.
Now I try to do the same thing, but just with IPsec and new software features.
User authentication isn't working, when I add statically users in /ip ipsec user - users are authenticating and all is working.
Why with the same UserManager configuration L2TP/IPSec working but IPSec isn't?????
IPsec log:
> > ipsec,info respond new phase 1 (Identity Protection):
> > x.x.x.x [500]<=>x.x.x.x [500]
> > ipsec,info ISAKMP-SA established
> > x.x.x.x [500]-x.x.x.x[500]
> > spi:76817ae07f6683da:1edd916b089054aa
> > ipsec,info Xauth login failed for user: 123
User-Manager log:
customer=admin user-orig="123" calling-station-id="\C0\E0N\E2\C4\12\86\ED" host-ip=x.x.x.x status=accounting-failure description="missing Acct-Session-Id attribute"
Re: IPSec VPN xauth Radius
There seems to be a bug with "XAuth Use Radius"
I also tested this on 6.39 rc26 and confirm the issue.
the client receives authentication failed as soon as it tries to connect.
in radius server's logs I see a "Accounting Stop" request instead of "Access Request" with a wrong secret.
I also tested this on 6.39 rc26 and confirm the issue.
the client receives authentication failed as soon as it tries to connect.
in radius server's logs I see a "Accounting Stop" request instead of "Access Request" with a wrong secret.
Re: IPSec VPN xauth Radius
Hello,
Yesterday I sow that in 6.39rc26 software is:
*) ike1 - added more Radius accounting attributes - "event-timestamp", "acct-session-id", "acct-authentic", "acct-session-time";
*) ike1 - fixed responder xauth trailing null;
I try do tests with this software. Situation is intresting.
All configuration parameters was the same like before.
1. If I chose in IPsec Users just XAuth Use Radius (no statically users added) - VPN Access Manager show (user authentication error). But log from MK UserManager looks like that:
customer=admin user-orig="123" nas-port=1 nas-port-type=virtual nas-port-id="\00\00\00\02" calling-station-id="x.x.x.x" host-ip=x.x.x.x status=accounting-success time=feb/09/2017 14:02:15
And watching from MK User Manager side there are not active sessions and users.
2. If I chose in IPsec Users XAuth Use Radius and add statically user - VPN Access Manager show (tunnel enabled). Log from MK UserManager looks like that:
customer=admin user-orig="123" nas-port=1 nas-port-type=virtual nas-port-id="\00\00\00\03" calling-station-id="x.x.x.x" user-ip=x.x.x.x host-ip=x.x.x.x status=accounting-success time=feb/09/2017 14:05:12
And watching from MK User Manager side, we can see active session and user. Looks like all should working.
Then I create profile which was valid 5min, after that time created user should stop working (can’t do VPN connections). When time expired I try to connect - tunnel was enabled and all was working. UserManager in this situation can't block user access, add limitations to that user, .... .
User Manager or XAuth Use Radius feature is working abnormal.
Why is like that? Something is still underdone with this software.
Yesterday I sow that in 6.39rc26 software is:
*) ike1 - added more Radius accounting attributes - "event-timestamp", "acct-session-id", "acct-authentic", "acct-session-time";
*) ike1 - fixed responder xauth trailing null;
I try do tests with this software. Situation is intresting.
All configuration parameters was the same like before.
1. If I chose in IPsec Users just XAuth Use Radius (no statically users added) - VPN Access Manager show (user authentication error). But log from MK UserManager looks like that:
customer=admin user-orig="123" nas-port=1 nas-port-type=virtual nas-port-id="\00\00\00\02" calling-station-id="x.x.x.x" host-ip=x.x.x.x status=accounting-success time=feb/09/2017 14:02:15
And watching from MK User Manager side there are not active sessions and users.
2. If I chose in IPsec Users XAuth Use Radius and add statically user - VPN Access Manager show (tunnel enabled). Log from MK UserManager looks like that:
customer=admin user-orig="123" nas-port=1 nas-port-type=virtual nas-port-id="\00\00\00\03" calling-station-id="x.x.x.x" user-ip=x.x.x.x host-ip=x.x.x.x status=accounting-success time=feb/09/2017 14:05:12
And watching from MK User Manager side, we can see active session and user. Looks like all should working.
Then I create profile which was valid 5min, after that time created user should stop working (can’t do VPN connections). When time expired I try to connect - tunnel was enabled and all was working. UserManager in this situation can't block user access, add limitations to that user, .... .
User Manager or XAuth Use Radius feature is working abnormal.
Why is like that? Something is still underdone with this software.
Re: IPSec VPN xauth Radius
me too
There seems to be a bug with "XAuth Use Radius"
I also tested this on 6.39 rc26 and confirm the issue.
the client receives authentication failed as soon as it tries to connect.
in radius server's logs I see a "Accounting Stop" request instead of "Access Request" with a wrong secret.
There seems to be a bug with "XAuth Use Radius"
I also tested this on 6.39 rc26 and confirm the issue.
the client receives authentication failed as soon as it tries to connect.
in radius server's logs I see a "Accounting Stop" request instead of "Access Request" with a wrong secret.
Re: IPSec VPN xauth Radius
xauth radius problem will be fixed in v6.39rc30