krsz
just joined
Topic Author
Posts: 8
Joined: Fri Aug 25, 2017 3:06 am

Authentication Methods RADIUS VPN WINDOWS SERVER

Sun Jan 27, 2019 1:26 am

Hi everyone.
I have an OpenVPN server on a Cloud Hosted Router. I use the RADIUS client on the same router to authenticate VPN users in Windows Server Active Directory (2016).
But I have a problem with Authentication Methods in Network Policies. Windows accepts the login only when I check "Unencrypted authentication (PAP, SPAP)".
So is it some problem with my MikroTik configuration, or in this scenario (OVPN server + RADIUS) is unencrypted the only possible way?
Any help would be great :)

Krzysztof
 
Cvan
Member Candidate
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 12:45 am

Your RADIUS client is your Mikrotik router? And your RADIUS Server is?
 
krsz
just joined
Topic Author
Posts: 8
Joined: Fri Aug 25, 2017 3:06 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 1:24 am

> in Windows Server Active Directory (2016).

It's Windows Server 2016 as my RADIUS server

and yeah... my client is MikroTik ROS
 
Cvan
Member Candidate
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 3:37 am

Did you turn on 'use radius' in your MT router PPP / Secrets - PPP Authentication&Accounting ?

Good point... turn on radius logging
Last edited by Cvan on Thu Jan 31, 2019 6:29 am, edited 1 time in total.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 4:05 am

@cvan: He clearly has working radius, if the "unencrypted authentication" is enabled in Windows Server Network Policy, therefore he must have this "use radius" setting enabled in ROS.

@krsz: Hi, I tried to replicate it and ended up with the same situation - OVPN does not work without "unencrypted authentication" enabled.
I can still use ROS login via RADIUS even without "unencrypted authentication", therefore the connection in general works.
Disclaimer: I never used OVPN and don't really know how authentication in this protocol works. I just tried to quickly replicate it, to see if it is something specific to your config or not. Sorry I couldn't bring a solution.
 
Cvan
Member Candidate
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Jan 31, 2019 6:30 am

> @cvan: He clearly has working radius, if the "unencrypted authentication" is enabled in Windows Server Network Policy, therefore he must have this "use radius" setting enabled in ROS.
>
> @krsz: Hi, I tried to replicate it and ended up with the same situation - OVPN does not work without "unencrypted authentication" enabled.
> I can still use ROS login via RADIUS even without "unencrypted authentication", therefore the connection in general works.
> Disclaimer: I never used OVPN and don't really know how authentication in this protocol works. I just tried to quickly replicate it, to see if it is something specific to your config or not. Sorry I couldn't bring a solution.

Good point... turn on radius logging
 
krsz
just joined
Topic Author
Posts: 8
Joined: Fri Aug 25, 2017 3:06 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Fri Feb 01, 2019 7:26 pm

For example:


18:20:47 ovpn,info : using encoding - AES-256-CBC/SHA1
18:20:47 radius,debug new request 1b:05 code=Access-Request service=ppp called-id=xxxxxxx domain=yyyyy
18:20:47 radius,debug sending 1b:05 to xxxxxxx:1812
18:20:47 radius,debug,packet sending Access-Request with id 8 to xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x67458b6bc6237b3269983c6473483366
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet NAS-Port = 15728643
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = "xxxxxxx"
18:20:47 radius,debug,packet Calling-Station-Id = "xxxxxxx"
18:20:47 radius,debug,packet Called-Station-Id = "xxxxxxx"
18:20:47 radius,debug,packet MS-CHAP-Domain = "xxxxxxx"
18:20:47 radius,debug,packet User-Password = 0x5a7172733338706263
18:20:47 radius,debug,packet NAS-Identifier = "R2 CHR"
18:20:47 radius,debug,packet MT-Realm = 0x737a612e6c6f63616c
18:20:47 radius,debug,packet NAS-IP-Address = xxxxxxx
18:20:47 radius,debug,packet received Access-Accept with id 8 from xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x5cbdcbc642ceb53684d075e8f39b93e0
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Class = 0xcf2709e10000013700010200c0a864fe
18:20:47 radius,debug,packet 000000001dbc2e4bcf8d935c01d4ba43
18:20:47 radius,debug,packet 6804ca350000000000000001
18:20:47 radius,debug,packet MS-Link-Utilizatoin-Threshold = 50
18:20:47 radius,debug,packet MS-Link-Drop-Time-Limit = 120
18:20:47 radius,debug,packet MS-MPPE-Encryption-Policy = 2
18:20:47 radius,debug,packet MS-MPPE-Encryption-Type = 14
18:20:47 radius,debug received reply for 1b:05
 
Cvan
Member Candidate
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Mon Feb 04, 2019 12:17 am

And what does the event viewer say in the AD/NPS logs on the Windows Server?

Are you specifying the domain attribute on the RADIUS client?

NAS-Port-type should be 5 (Virtual)
 
krsz
just joined
Topic Author
Posts: 8
Joined: Fri Aug 25, 2017 3:06 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Fri Feb 22, 2019 5:50 pm

> Are you specifying the domain attribute on the RADIUS client?

No.

> NAS-Port-type should be 5 (Virtual)

How can I change it in RouterOS?
 
velonet
just joined
Posts: 3
Joined: Tue Jun 04, 2019 11:22 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Tue Jun 04, 2019 12:05 pm

Hello krsz,

Have you been able to figure out a way to have your Mikrotik sending identification information in a secure fashion to the MS radius server?

I, obviously, encounter the same issue, and it's very frustrating to see messages in the NPS server stating that the user tried to use an authentication method that is not activated when only encrypted authentication is active.

And even more frustrating when you disable encryption (even if it's only in my LAN, I don't want to have clear text password transiting on my network).
 
tarmof
just joined
Posts: 2
Joined: Fri Dec 15, 2017 12:36 pm

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Sun Feb 09, 2020 3:06 pm

Same problem here.
Has anyone found a solution?
 
TRNX
just joined
Posts: 5
Joined: Thu Sep 10, 2020 9:27 am
Location: Czech

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Thu Sep 10, 2020 9:31 am

Hello. I have the same problem. Can't authenticate OpenVPN via RADIUS if I didn't allow PAP in NPS :/ If I allow using PAP everything works perfectly.
Still no solution?
Last edited by TRNX on Thu Sep 10, 2020 3:04 pm, edited 1 time in total.
 
xeonforcecz
just joined
Posts: 4
Joined: Tue Jul 16, 2019 1:16 pm

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Wed Sep 15, 2021 4:31 pm

I have the same "problem". When using L2TP it is possible to use mschap, but I guess that is thanks to the setting under PPP -> L2TP server -> Authentication. There is no such setting when using OVPN, which then causes insecure RADIUS verification.

@mikrotik could you give us a hint how to sanitize this?
 
Rbo
just joined
Posts: 1
Joined: Sun Feb 06, 2022 9:19 pm

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Sun Feb 06, 2022 9:23 pm

Same for me.
Would be nice if someone shed some light on this topic.
Maybe it's the only available method of auth for OVPN in RADIUS.
 
nevolex
Member Candidate
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Mon Sep 11, 2023 11:45 am

I have the same issue, I can't believe this wouldn't support anything else but pap in openvpn configuration, will send an email to mikrotik to double check
 
velonet
just joined
Posts: 3
Joined: Tue Jun 04, 2019 11:22 am

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Mon Sep 11, 2023 11:49 am

> I have the same issue, I can't believe this wouldn't support anything else but pap in openvpn configuration, will send an email to mikrotik to double check

Cool. Let us know what they say.
 
nevolex
Member Candidate
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Tue Sep 12, 2023 3:42 pm

> > I have the same issue, I can't believe this wouldn't support anything else but pap in openvpn configuration, will send an email to mikrotik to double check
>
> Cool. Let us know what they say.

Sad but true, they confirmed that ROS only supports PAP auth mode for RADIUS authentication for OpenVPN.
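
Since the thread ends with PAP as the only mode ROS offers for OpenVPN, this added example (not part of the original thread, and not MikroTik or Microsoft code) shows the User-Password hiding that RFC 2865 section 5.2 defines for PAP over RADIUS. The password is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator, so its confidentiality on the router-to-NPS leg rests entirely on that secret. The secret, authenticator and password below are constructed sample values.

```python
import hashlib

# Constructed sample values, not taken from the thread's log.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))          # 16-byte Request Authenticator
PASSWORD = b"constructed-example-password"


def _keystream(secret: bytes, prev: bytes) -> bytes:
    # b_i = MD5(shared secret + previous block); the first "previous block"
    # is the Request Authenticator, later ones are ciphertext blocks.
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password the way a RADIUS client does for PAP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = _keystream(secret, prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does on receipt."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    # Padding NULs are stripped; the format cannot carry trailing NULs.
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("on the wire :", hidden.hex())
    print("server sees :", recover_password(hidden, SECRET, AUTHENTICATOR))
    # A different secret yields different bytes, not the password.
    print("wrong secret:", recover_password(hidden, b"other", AUTHENTICATOR))
```

Nothing beyond the shared secret protects this attribute, which is why a long random secret and a protected path between the router and NPS matter when PAP cannot be avoided.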
