Jevgenij
just joined
Topic Author
Posts: 3
Joined: Mon Feb 06, 2017 4:07 pm

IPSec VPN xauth Radius

Wed Feb 08, 2017 11:03 am

Hello all,

In RouterOS 6.38.1, MK added new features like:
*** ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set xauth-use-radius=yes";
*** radius - added IPSec service (cli only);

Earlier I configured L2TP/IPsec VPN authentication using the MikroTik built-in RADIUS server called User Manager. The configuration was done roughly as shown in this link: https://aacable.wordpress.com/tag/account-expired. This configuration is working.

Now I am trying to do the same thing, but with just IPsec and the new software features.
User authentication isn't working. When I add users statically in /ip ipsec user, the users authenticate and everything works.

Why does L2TP/IPsec work with the same User Manager configuration, but IPsec doesn't?

IPsec log:
ipsec,info respond new phase 1 (Identity Protection):
x.x.x.x [500]<=>x.x.x.x [500]
ipsec,info ISAKMP-SA established
x.x.x.x [500]-x.x.x.x[500]
spi:76817ae07f6683da:1edd916b089054aa
ipsec,info Xauth login failed for user: 123


User-Manager log:
customer=admin user-orig="123" calling-station-id="\C0\E0N\E2\C4\12\86\ED" host-ip=x.x.x.x status=accounting-failure description="missing Acct-Session-Id attribute"
 
netleak
just joined
Posts: 4
Joined: Thu Feb 09, 2017 5:58 pm

Re: IPSec VPN xauth Radius

Thu Feb 09, 2017 6:06 pm

There seems to be a bug with "XAuth Use Radius".
I also tested this on 6.39 rc26 and confirm the issue.
The client receives authentication failed as soon as it tries to connect.
In the RADIUS server's logs I see an "Accounting Stop" request instead of "Access Request" with a wrong secret.
 
Jevgenij
just joined
Topic Author
Posts: 3
Joined: Mon Feb 06, 2017 4:07 pm

Re: IPSec VPN xauth Radius

Fri Feb 10, 2017 8:20 am

Hello,

Yesterday I saw that the 6.39rc26 software includes:
*) ike1 - added more Radius accounting attributes - "event-timestamp", "acct-session-id", "acct-authentic", "acct-session-time";
*) ike1 - fixed responder xauth trailing null;


I tried testing with this software. The situation is interesting.

All configuration parameters were the same as before.

1. If I choose just XAuth Use Radius in IPsec Users (no static users added), VPN Access Manager shows (user authentication error). But the log from MK User Manager looks like this:

customer=admin user-orig="123" nas-port=1 nas-port-type=virtual nas-port-id="\00\00\00\02" calling-station-id="x.x.x.x" host-ip=x.x.x.x status=accounting-success time=feb/09/2017 14:02:15

And looking from the MK User Manager side, there are no active sessions or users.

2. If I choose XAuth Use Radius in IPsec Users and add a static user, VPN Access Manager shows (tunnel enabled). The log from MK User Manager looks like this:

customer=admin user-orig="123" nas-port=1 nas-port-type=virtual nas-port-id="\00\00\00\03" calling-station-id="x.x.x.x" user-ip=x.x.x.x host-ip=x.x.x.x status=accounting-success time=feb/09/2017 14:05:12

And looking from the MK User Manager side, we can see an active session and user. It looks like everything should be working.

Then I created a profile which was valid for 5 minutes; after that time the created user should stop working (can't make VPN connections). When the time expired I tried to connect: the tunnel was enabled and everything was working. In this situation User Manager can't block user access, add limitations to that user, etc.

User Manager or the XAuth Use Radius feature is working abnormally.
Why is it like that? Something is still unfinished in this software.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: IPSec VPN xauth Radius

Sat Feb 11, 2017 8:15 am

Me too.

There seems to be a bug with "XAuth Use Radius".
I also tested this on 6.39 rc26 and confirm the issue.
The client receives authentication failed as soon as it tries to connect.
In the RADIUS server's logs I see an "Accounting Stop" request instead of "Access Request" with a wrong secret.
 
mrz
MikroTik Support
Posts: 5997
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec VPN xauth Radius

Wed Feb 15, 2017 1:20 pm

xauth radius problem will be fixed in v6.39rc30
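
Added example, not part of any post in this thread and not MikroTik code: a small Python parser for checking a captured RADIUS packet for the two symptoms reported above, an Accounting-Request arriving where an Access-Request is expected, and an accounting packet with no Acct-Session-Id. The code and attribute numbers come from RFC 2865 and RFC 2866; the sample packets are constructed, and the authenticator (shared secret) is not verified.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_radius(packet: bytes) -> dict:
    """Parse the RADIUS header and attribute list; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}

def diagnose(packet: bytes) -> list:
    """Return findings relevant to the xauth symptoms reported in this thread."""
    msg = parse_radius(packet)
    findings = [CODES.get(msg["code"], f"code {msg['code']}")]
    attrs = msg["attrs"]
    if msg["code"] == 4:  # accounting, not authentication
        if ACCT_STATUS_TYPE in attrs and len(attrs[ACCT_STATUS_TYPE][0]) == 4:
            status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE][0])[0]
            findings.append("Acct-Status-Type=" + ACCT_STATUS.get(status, str(status)))
        if ACCT_SESSION_ID not in attrs:
            findings.append("missing Acct-Session-Id")
    return findings

def build(code, attrs):
    """Build a constructed sample packet (identifier 1, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: user "123" as in the logs above
ACCT_STOP_NO_SESSION = build(4, [(USER_NAME, b"123"), (ACCT_STATUS_TYPE, struct.pack("!I", 2))])
ACCESS_REQUEST = build(1, [(USER_NAME, b"123")])
```

Feed `diagnose()` the UDP payload of a packet captured on the RADIUS server's authentication or accounting port.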
