PeerMario
just joined
Topic Author
Posts: 8
Joined: Fri Aug 10, 2018 2:51 pm
Location: Leipzig

SSH login against AD and NPS (w2016)

Wed Aug 15, 2018 8:37 pm

Hi all,

What do we have:
Windows 2016 Domain Controller with NPS
about 180 access points
Firmware - 6.42.6
Software - 6.42.6

After I figured out how to log in with SSH to our MikroTik routers with AD and NPS (Windows 2016), I got a strange issue.
I am able to log in via SSH against our AD and NPS, but the NPS writes every time:

Network Policy Server denied access to a user.
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
Authentication Type: PAP

I've set my AD account to: Store password using reversible encryption and recreated my password.
My connection Request Policy:

Authentication Type - Unencrypted authentication (PAP, SPAP)
Condition: Username - xxxxx

Network Policy:
Settings/Radius Attributes/Standard/Service-Type - Framed

I've tried different settings, but nothing helps to get the NPS to authenticate the user (only if I set the Authentication on the Connection Request Policy to "Accept users without validating credentials").
The same setup works without problems if I log in e.g. via WEB and using MS-CHAP.

We use SSH for monitoring things in our ICINGA2 monitoring system, and it is quite bad if the user account always gets blocked because the NPS thinks the user is not authenticated.

Any hints about it?

Kind regards,
Peer-Mario
 
PeerMario

Re: SSH login against AD and NPS (w2016)

Fri Aug 17, 2018 2:20 pm

After a few more tests I can prove the problem exists only with MikroTik SSH and NPS. (Cisco SSH logins with AD and NPS work as expected.)
Webmin, www, and telnet with AD and NPS work as expected, but not SSH.

Any kind of help would be much appreciated.

Kind regards,
Peer-Mario
 
PeerMario

Re: SSH login against AD and NPS (w2016)

Mon Aug 20, 2018 6:09 pm

Some more tests and results:

Open an SSH client like PuTTY.
Connect to the MikroTik router, type in the username, hit ENTER.
Result NPS:
Logging Results: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Type in the password, hit ENTER.
Result NPS:
Logging Results: Accounting information was written to the local log file.
This means the user logged in to the MikroTik router.

If someone has a procedure for how to tell the NPS to wait for the password before "Authentication failed" and prevent the error log entry, all would be fine.

KR,
Peer-Mario
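
For log review, the pattern reported in the post above (a reject when the username is entered, then an accounting record once the password is accepted) can be separated from rejects that are never followed by a login. This is an added example, not part of the original thread; the record layout, user names, addresses and the 10-second window are constructed assumptions and do not reproduce the NPS log format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed, simplified records: (timestamp, user, NAS address, event).
# "reject" = NPS credentials-mismatch entry, "accounting" = accounting entry.
SAMPLE = [
    ("2018-08-20 18:01:00", "icinga", "192.0.2.11", "reject"),
    ("2018-08-20 18:01:04", "icinga", "192.0.2.11", "accounting"),
    ("2018-08-20 18:05:00", "icinga", "192.0.2.12", "reject"),
    ("2018-08-20 18:05:30", "icinga", "192.0.2.12", "reject"),
    ("2018-08-20 18:09:00", "admin", "192.0.2.11", "reject"),
    ("2018-08-20 18:09:03", "icinga", "192.0.2.11", "accounting"),
]


def classify_rejects(records, window_seconds=10):
    """Split rejects into (paired, unpaired).

    A reject is paired when an accounting record for the same user and
    NAS follows it within window_seconds; each accounting record can
    explain only one reject (the most recent one still pending).
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(
        (datetime.strptime(ts, FMT), user, nas, ev)
        for ts, user, nas, ev in records
    )
    pending = {}  # (user, nas) -> timestamps of rejects not yet explained
    paired = []
    for ts, user, nas, ev in events:
        key = (user, nas)
        if ev == "reject":
            pending.setdefault(key, []).append(ts)
        elif ev == "accounting" and pending.get(key):
            if ts - pending[key][-1] <= window:
                paired.append((pending[key].pop(), user, nas))
    unpaired = sorted(
        (ts, user, nas) for (user, nas), stamps in pending.items() for ts in stamps
    )
    return paired, unpaired


if __name__ == "__main__":
    paired, unpaired = classify_rejects(SAMPLE)
    for ts, user, nas in paired:
        print("login-time reject:", ts, user, nas)
    for ts, user, nas in unpaired:
        print("reject without login:", ts, user, nas)
```

This only sorts log entries for review; it does not change what NPS records or how it counts failed attempts.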
