krsz
just joined
Topic Author
Posts: 7
Joined: Fri Aug 25, 2017 3:06 am

Authentication Methods RADIUS VPN WINDOWS SERVER

Sun Jan 27, 2019 1:26 am

Hi everyone.
I have an OpenVPN server on a Cloud Hosted Router. I use the RADIUS client on the same router to authenticate VPN users in Windows Server Active Directory (2016).
But I have a problem with Authentication Methods in Network Policies. Windows accepts the login only when I check "Unencrypted authentication (PAP, SPAP)".
So is it some problem with my MikroTik configuration, or is unencrypted the only possible way in this scenario (OVPN server + RADIUS)?
Any help would be great :)

Krzysztof
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 12:45 am

Your RADIUS client is your Mikrotik router? And your RADIUS Server is?
 
krsz
just joined
Topic Author
Posts: 7
Joined: Fri Aug 25, 2017 3:06 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 1:24 am

in Windows Server Active Directory (2016).
It's Windows Server 2016 as my RADIUS server.

And yeah... my client is MikroTik ROS.
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 3:37 am

Did you turn on 'use radius' in your MT router under PPP / Secrets - PPP Authentication&Accounting?

Good point... turn on radius logging
Last edited by Cvan on Thu Jan 31, 2019 6:29 am, edited 1 time in total.
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 4:05 am

@cvan: He clearly has working radius if the "unencrypted authentication" is enabled in Windows Server Network Policy; therefore he must have this "use radius" setting enabled in ROS.

@krsz: Hi, I tried to replicate it and ended up with the same situation - OVPN does not work without "unencrypted authentication" enabled.
I can still use ROS login via RADIUS even without "unencrypted authentication"; therefore the connection in general works.
Disclaimer: I never used OVPN and don't really know how authentication in this protocol works. I just tried to quickly replicate it, to see if it is something specific to your config or not. Sorry I couldn't bring some solution.
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 6:30 am

@cvan: He clearly has working radius if the "unencrypted authentication" is enabled in Windows Server Network Policy; therefore he must have this "use radius" setting enabled in ROS.

@krsz: Hi, I tried to replicate it and ended up with the same situation - OVPN does not work without "unencrypted authentication" enabled.
I can still use ROS login via RADIUS even without "unencrypted authentication"; therefore the connection in general works.
Disclaimer: I never used OVPN and don't really know how authentication in this protocol works. I just tried to quickly replicate it, to see if it is something specific to your config or not. Sorry I couldn't bring some solution.
Good point... turn on radius logging
 
krsz
just joined
Topic Author
Posts: 7
Joined: Fri Aug 25, 2017 3:06 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Fri Feb 01, 2019 7:26 pm

For example:

Code:

18:20:47 ovpn,info : using encoding - AES-256-CBC/SHA1
18:20:47 radius,debug new request 1b:05 code=Access-Request service=ppp called-id=xxxxxxx domain=yyyyy
18:20:47 radius,debug sending 1b:05 to xxxxxxx:1812
18:20:47 radius,debug,packet sending Access-Request with id 8 to xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x67458b6bc6237b3269983c6473483366
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet NAS-Port = 15728643
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = "xxxxxxx"
18:20:47 radius,debug,packet Calling-Station-Id = "xxxxxxx"
18:20:47 radius,debug,packet Called-Station-Id = "xxxxxxx"
18:20:47 radius,debug,packet MS-CHAP-Domain = "xxxxxxx"
18:20:47 radius,debug,packet User-Password = 0x5a7172733338706263
18:20:47 radius,debug,packet NAS-Identifier = "R2 CHR"
18:20:47 radius,debug,packet MT-Realm = 0x737a612e6c6f63616c
18:20:47 radius,debug,packet NAS-IP-Address = xxxxxxx
18:20:47 radius,debug,packet received Access-Accept with id 8 from xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x5cbdcbc642ceb53684d075e8f39b93e0
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Class = 0xcf2709e10000013700010200c0a864fe
18:20:47 radius,debug,packet 000000001dbc2e4bcf8d935c01d4ba43
18:20:47 radius,debug,packet 6804ca350000000000000001
18:20:47 radius,debug,packet MS-Link-Utilizatoin-Threshold = 50
18:20:47 radius,debug,packet MS-Link-Drop-Time-Limit = 120
18:20:47 radius,debug,packet MS-MPPE-Encryption-Policy = 2
18:20:47 radius,debug,packet MS-MPPE-Encryption-Type = 14
18:20:47 radius,debug received reply for 1b:05
 
Cvan
Member Candidate
Posts: 111
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Mon Feb 04, 2019 12:17 am

And what does the event viewer say in the AD/NPS logs on the Windows Server?

Are you specifying the domain attribute on the RADIUS client?

NAS-Port-type should be 5 (Virtual)
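As an added example (not code from the thread, RouterOS or NPS), here is a small Python checker that reads `radius,debug,packet` lines in the format krsz posted above and reports which PPP authentication method the router actually forwarded to NPS, plus whether the NAS-Port-Type is the Virtual (5) value Cvan refers to. The sample log is constructed in the same format, with the xxxxxxx placeholders kept and a dummy password value.

```python
import re

# Constructed sample in the RouterOS "radius,debug,packet" format quoted in the thread
# (xxxxxxx placeholders kept; the password bytes are a dummy, not the poster's value).
SAMPLE_LOG = """\
18:20:47 radius,debug,packet sending Access-Request with id 8 to xxxxxxx:1812
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = "xxxxxxx"
18:20:47 radius,debug,packet MS-CHAP-Domain = "xxxxxxx"
18:20:47 radius,debug,packet User-Password = 0x00000000
18:20:47 radius,debug,packet received Access-Accept with id 8 from xxxxxxx:1812
18:20:47 radius,debug,packet Framed-Protocol = 1
"""

ATTR_RE = re.compile(r"^\S+ radius,debug,packet (\S+) = (.*)$")
# The attribute present tells you which PPP auth method the NAS relayed (RFC 2865, 2548, 2869).
AUTH_ATTRS = [("EAP-Message", "EAP"), ("MS-CHAP2-Response", "MS-CHAPv2"),
              ("MS-CHAP-Response", "MS-CHAPv1"), ("CHAP-Password", "CHAP"),
              ("User-Password", "PAP")]
NAS_PORT_TYPE_VIRTUAL = 5  # RFC 2865 value for VPN / virtual ports

def access_request_attrs(log: str) -> dict:
    """Collect the attributes of the first Access-Request the router sent."""
    attrs, inside = {}, False
    for line in log.splitlines():
        if "sending Access-Request" in line:
            inside = True
        elif " received " in line or " sending " in line:
            if inside:
                break  # next packet: the request's attribute list is complete
        elif inside and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def auth_method(attrs: dict) -> str:
    """Name the auth method carried in the request, or 'unknown'."""
    return next((name for attr, name in AUTH_ATTRS if attr in attrs), "unknown")

def audit(log: str) -> dict:
    """Explain what NPS will see for this request and what its policy must allow."""
    attrs = access_request_attrs(log)
    method = auth_method(attrs)
    npt = attrs.get("NAS-Port-Type", "missing")
    notes = []
    if method == "PAP":
        notes.append("NPS needs 'Unencrypted authentication (PAP, SPAP)' enabled for this NAS")
    if npt != str(NAS_PORT_TYPE_VIRTUAL):
        notes.append(f"NAS-Port-Type={npt}; a VPN policy condition on Virtual expects {NAS_PORT_TYPE_VIRTUAL}")
    return {"auth": method, "nas_port_type": npt, "notes": notes}
```

Run it over a real `/log print` capture (with `radius,debug,packet` topics enabled) to confirm whether the router is sending User-Password (PAP) or an MS-CHAP response before changing the NPS policy.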
 
krsz
just joined
Topic Author
Posts: 7
Joined: Fri Aug 25, 2017 3:06 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Fri Feb 22, 2019 5:50 pm

Are you specifying the domain attribute on the RADIUS client?
No.
NAS-Port-type should be 5 (Virtual)
How can I change it in RouterOS?
 
velonet
just joined
Posts: 2
Joined: Tue Jun 04, 2019 11:22 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Tue Jun 04, 2019 12:05 pm

Hello krsz,

Have you been able to figure out a way to have your Mikrotik sending identification information in a secure fashion to the MS radius server?

I, obviously, encounter the same issue, and it's very frustrating to see messages in the NPS server stating that the user tried to use an authentication method that is not activated when only encrypted authentication is active.

And even more frustrating when you disable encryption (even if it's only in my LAN, I don't want to have clear-text passwords transiting on my network).
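To make precise what "unencrypted authentication (PAP)" puts on the wire between the RouterOS NAS and NPS, here is an added Python example (not from the thread or either product) of the RFC 2865 section 5.2 User-Password hiding: the password is XORed with an MD5 keystream derived from the RADIUS shared secret and the Request Authenticator, so it is not literal plaintext, but its protection is only as strong as the shared secret, which is why a long random secret and a protected path for the RADIUS traffic (or a tunnel) matter. The password, secret and authenticator values in the test are constructed.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks keyed by MD5(secret || previous block)

def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode a PAP password the way a NAS puts it into Access-Request attribute 2 (RFC 2865 s5.2)."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += prev
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: same keystream, XOR back, strip the zero padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return bytes(out).rstrip(b"\x00")

def round_trip(password: bytes, secret: bytes) -> dict:
    """Hide with a fresh random Request Authenticator and show what depends on the secret."""
    authenticator = os.urandom(BLOCK)
    hidden = hide_user_password(password, secret, authenticator)
    return {
        "on_wire_is_plaintext": password in hidden,
        "right_secret": reveal_user_password(hidden, secret, authenticator),
        "wrong_secret": reveal_user_password(hidden, b"not-the-secret", authenticator),
    }
```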
