mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Winbox Login over Windows Server RADIUS

Thu May 10, 2018 12:26 pm

Hello,

With Winbox login authentication over Windows Server 2012 RADIUS and AD, is it possible to configure different AD groups with different levels of access on Mikrotik devices, and how?

Example:
Network-Admins AD group -> full access
Network-Operators AD group -> read access

Thanks.
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.
Contact:

Re: Winbox Login over Windows Server RADIUS

Thu May 10, 2018 12:35 pm

I don't know about radius on windows, but on freeradius we send a radius reply containing:
MikroTik-Group=full
which maps onto the user group on the Router.

Hope that helps
Nick
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Thu May 10, 2018 2:57 pm

Thanks for the effort but I was hoping for a more detailed answer specific to Windows Server RADIUS implementation.
 
nest
Forum Veteran
Posts: 811
Joined: Tue Feb 27, 2007 1:52 am
Location: UK
Contact:

Re: Winbox Login over Windows Server RADIUS  [SOLVED]

Thu May 10, 2018 6:57 pm

After reading the MikroTik Wiki on AAA with RADIUS and some googling on setting up Windows Server IAS for Remote Access Policies, I worked out this...
When you create the two Remote Access Policy Profiles on the Windows server (one for full access and one for read access), in the Advanced tab of the profile, click on add a "Vendor-Specific" Attribute. On the Multivalued Attribute Information window, add an attribute value using vendor code 14988, then under "Configure Attribute" input 3 as the vendor-assigned attribute number, the format as "String" and the value as "full". For the second "read" profile, input "read".
Ron Touw - Mikrotik Certified Trainer
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/category/166
Largest Official UK MikroTik Distributor
IRC channel: #routerboard on irc.z.je (IPv4), 6.irc.z.je (IPv6)
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Thu May 10, 2018 11:48 pm

Hi, thanks for digging out the details. They sound promising.
Winbox logins work fine with this setup; however, the access level is still dictated by the "Default Group" value (read/write/full/custom) on the Mikrotik device itself under System->Users->AAA.

Is any complementary configuration on the Mikrotik side required in order to make the access types work as desired?
 
nest
Forum Veteran
Posts: 811
Joined: Tue Feb 27, 2007 1:52 am
Location: UK
Contact:

Re: Winbox Login over Windows Server RADIUS

Fri May 11, 2018 12:39 pm

It appears I had the case of the group wrong. By my stating that you use =Full or =Read, the MikroTik RB was trying to match the group name exactly. There is no security group called "Full" or "Read". It is "full" or "read". Apologies.

I have edited my post to correct the error.
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Fri May 11, 2018 2:08 pm

I believe I configured everything as explained, but the access level is still controlled on the Mikrotik.
When I log in with an account that is supposed to have full access according to the RADIUS policy, it ends up getting read access, most likely due to the default group value on RouterOS, which is, by the way, a mandatory setting once RADIUS is enabled.

RADIUS screenshot: [image]

Mikrotik screenshot: [image]
 
nest
Forum Veteran
Posts: 811
Joined: Tue Feb 27, 2007 1:52 am
Location: UK
Contact:

Re: Winbox Login over Windows Server RADIUS

Fri May 11, 2018 10:06 pm

Did you make the changes I suggested? Also, your images are not working.
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Fri May 11, 2018 10:37 pm

Yes, I did make the changes.

Right-click the image icon -> open in new tab/window should load the screenshots.

If not, here are the links:

https://ibb.co/eybdDy

https://ibb.co/iikMYy
 
nest
Forum Veteran
Posts: 811
Joined: Tue Feb 27, 2007 1:52 am
Location: UK
Contact:

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 12:14 am

The string is "MikroTik-Group=full", not "Mikrotik-Group=full" (and "=read", of course).
Try making that change and re-test.
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 4:40 pm

Hi, unfortunately the capital T didn't make a difference.
 
nest
Forum Veteran
Posts: 811
Joined: Tue Feb 27, 2007 1:52 am
Location: UK
Contact:

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 4:54 pm

If you enable radius debug logging on the router, does it reveal any clues?
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 6:34 pm

One of the entries in red says:
system, error, critical group MikroTik-Group=fulldoes not exist, using default one.

Screenshot:
https://ibb.co/iNVRrJ
 
mrz
MikroTik Support
Posts: 5944
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 6:37 pm

I do not know anything about the Windows RADIUS server, but shouldn't you specify the vendor code, and the value should be "full", not "Mikrotik-Group=full"?
At least that is how it looks from your provided screenshots.
 
mmilosevic
just joined
Topic Author
Posts: 9
Joined: Thu May 10, 2018 12:17 pm

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 7:12 pm

mrz, you are right! The attribute value should match the name of one of the groups available on the Mikrotik device.
nest, thank you very much for the excellent guidance and troubleshooting tips.

To summarize, the following values worked:

Vendor code: 14988
Under "Configure Attribute":
Vendor-assigned attribute number: 3
Attribute format: String
Attribute value: full (or any other group name available on Mikrotik)
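Added example, not posted by anyone in this thread and not MikroTik's or Microsoft's code: a small Python script that builds the exact bytes of the RADIUS Vendor-Specific attribute the summary above describes (vendor code 14988, vendor-assigned attribute number 3, string value), parses it back out of an Access-Accept attribute list, and models the router-side matching that the debug log earlier in the thread reveals: the value is used only if it names an existing group exactly, case included, otherwise the AAA default group is used. The group set, the default group and the Reply-Message bytes are constructed sample values; the resolve_group function is an illustration of the observed behaviour, not RouterOS source.

```python
import struct

# RADIUS constants (RFC 2865 plus the MikroTik vendor dictionary)
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
MIKROTIK_VENDOR_ID = 14988    # MikroTik's enterprise number, the "vendor code" entered in NPS/IAS
MIKROTIK_GROUP = 3            # vendor-assigned attribute number for Mikrotik-Group


def encode_mikrotik_group(group: str) -> bytes:
    """Build the Vendor-Specific attribute an Access-Accept would carry.

    Wire layout (RFC 2865 section 5.26):
      Type=26 | Length | Vendor-Id (4 bytes, network order) | Vendor-Type | Vendor-Length | String
    The String is only the group name; the attribute *name* is never part of the value.
    """
    data = group.encode("ascii")
    if len(data) > 247:  # Length is a single byte, so the whole attribute must fit in 255
        raise ValueError("group name too long for one RADIUS attribute")
    vendor_part = struct.pack("!BB", MIKROTIK_GROUP, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), MIKROTIK_VENDOR_ID) + vendor_part


def split_attributes(blob: bytes) -> list:
    """Split the attribute section of a RADIUS packet into individual Type/Length/Value items."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute list")
        attrs.append(blob[i:i + blob[i + 1]])
        i += blob[i + 1]
    return attrs


def decode_vendor_specific(attr: bytes):
    """Return (vendor_id, vendor_type, value) for one VSA, or None if it is not a well-formed VSA."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or vendor_len != len(attr) - 6:
        return None
    return vendor_id, vendor_type, attr[8:]


def resolve_group(attrs: list, router_groups: set, default_group: str):
    """Model the behaviour the thread's debug log shows (illustration, not RouterOS code):
    the Mikrotik-Group value is honoured only when it exactly, case-sensitively, names an
    existing /user group; otherwise the AAA default group applies.
    Returns (effective_group, reason); reason is None on a clean match."""
    for attr in attrs:
        decoded = decode_vendor_specific(attr)
        if decoded is None:
            continue
        vendor_id, vendor_type, value = decoded
        if vendor_id != MIKROTIK_VENDOR_ID or vendor_type != MIKROTIK_GROUP:
            continue
        name = value.decode("ascii", errors="replace")
        if name in router_groups:
            return name, None
        return default_group, f"group {name} does not exist, using default one"
    return default_group, "no Mikrotik-Group attribute in Access-Accept"


if __name__ == "__main__":
    # Constructed sample: the three groups a stock RouterOS install has, default group "read".
    groups = {"read", "write", "full"}
    # The three values that appear in the thread: correct, wrong case, attribute name pasted into the value.
    for value in ("full", "Full", "MikroTik-Group=full"):
        accept_attrs = split_attributes(encode_mikrotik_group(value) + b"\x12\x04ok")  # plus a constructed Reply-Message
        print(repr(value), "->", resolve_group(accept_attrs, groups, "read"))
```

Run it with python3; only the first value yields "full", the other two fall back to the default group with the same "does not exist" reason the router logged. On the router itself, /user group print lists the names the attribute value has to match exactly, and /user aaa print shows the default group that silently takes over when the match fails, which is why a misconfigured policy looks like a working login with the wrong permissions rather than an error.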
 
nest
Forum Veteran
Posts: 811
Joined: Tue Feb 27, 2007 1:52 am
Location: UK
Contact:

Re: Winbox Login over Windows Server RADIUS

Tue May 15, 2018 7:37 pm

Thanks - I have edited my post to show the correct method.
