Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Sun Jan 27, 2019 1:26 am
by krsz
Hi everyone.
I have an OpenVPN server on a Cloud Hosted Router. I use the RADIUS client on the same router to authenticate VPN users against Windows Server Active Directory (2016).
But I have a problem with Authentication Methods in Network Policies. Windows accepts the login only when I check "Unencrypted authentication (PAP, SPAP)".
So is it some problem with my MikroTik configuration, or is unencrypted the only possible way in this scenario (OVPN server + RADIUS)?
Any help would be great :)

Krzysztof

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Thu Jan 31, 2019 12:45 am
by Cvan
Your RADIUS client is your Mikrotik router? And your RADIUS Server is?

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Thu Jan 31, 2019 1:24 am
by krsz
in Windows Server Active Directory (2016).
It's Windows Server 2016 as my RADIUS server.

and yeah... my client is MikroTik ROS

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Thu Jan 31, 2019 3:37 am
by Cvan
Did you turn on 'use radius' in your MT router PPP / Secrets - PPP Authentication&Accounting?

Good point... turn on radius logging

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Thu Jan 31, 2019 4:05 am
by vecernik87
@cvan: He clearly has working RADIUS if the "unencrypted authentication" is enabled in the Windows Server Network Policy, therefore he must have this "use radius" setting enabled in ROS.

@krsz: Hi, I tried to replicate it and ended up with the same situation - OVPN does not work without "unencrypted authentication" enabled.
I can still use ROS login via RADIUS even without "unencrypted authentication", therefore the connection in general works.
disclaimer: I never used OVPN and don't really know how authentication in this protocol works. I just tried to quickly replicate it, to see if it is something specific to your config or not. Sorry I couldn't bring some solution.

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Thu Jan 31, 2019 6:30 am
by Cvan
Good point... turn on radius logging

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Fri Feb 01, 2019 7:26 pm
by krsz
For example:

18:20:47 ovpn,info : using encoding - AES-256-CBC/SHA1
18:20:47 radius,debug new request 1b:05 code=Access-Request service=ppp called-id=xxxxxxx domain=yyyyy
18:20:47 radius,debug sending 1b:05 to xxxxxxx:1812
18:20:47 radius,debug,packet sending Access-Request with id 8 to xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x67458b6bc6237b3269983c6473483366
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet NAS-Port = 15728643
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = "xxxxxxx"
18:20:47 radius,debug,packet Calling-Station-Id = "xxxxxxx"
18:20:47 radius,debug,packet Called-Station-Id = "xxxxxxx"
18:20:47 radius,debug,packet MS-CHAP-Domain = "xxxxxxx"
18:20:47 radius,debug,packet User-Password = 0x5a7172733338706263
18:20:47 radius,debug,packet NAS-Identifier = "R2 CHR"
18:20:47 radius,debug,packet MT-Realm = 0x737a612e6c6f63616c
18:20:47 radius,debug,packet NAS-IP-Address = xxxxxxx
18:20:47 radius,debug,packet received Access-Accept with id 8 from xxxxxxx:1812
18:20:47 radius,debug,packet Signature = 0x5cbdcbc642ceb53684d075e8f39b93e0
18:20:47 radius,debug,packet Framed-Protocol = 1
18:20:47 radius,debug,packet Service-Type = 2
18:20:47 radius,debug,packet Class = 0xcf2709e10000013700010200c0a864fe
18:20:47 radius,debug,packet 000000001dbc2e4bcf8d935c01d4ba43
18:20:47 radius,debug,packet 6804ca350000000000000001
18:20:47 radius,debug,packet MS-Link-Utilizatoin-Threshold = 50
18:20:47 radius,debug,packet MS-Link-Drop-Time-Limit = 120
18:20:47 radius,debug,packet MS-MPPE-Encryption-Policy = 2
18:20:47 radius,debug,packet MS-MPPE-Encryption-Type = 14
18:20:47 radius,debug received reply for 1b:05
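The log above shows why NPS only accepts the login with "Unencrypted authentication (PAP, SPAP)" enabled: the Access-Request carries a User-Password attribute, which is PAP, not an MS-CHAP challenge/response. The script below is an added example (not from the thread or from RouterOS) that parses lines in this "radius,debug,packet" format, classifies each Access-Request by authentication method, and flags PAP, a NAS-Port-Type other than 5 (Virtual) as mentioned later in the thread, and User-Password values whose length shows they were logged before RFC 2865 obfuscation; the sample log lines it contains are constructed.

```python
import re
# Constructed RouterOS "radius,debug,packet" lines; not the thread's real log.
SAMPLE_LOG = """\
18:20:47 radius,debug,packet sending Access-Request with id 8 to 192.0.2.10:1812
18:20:47 radius,debug,packet NAS-Port-Type = 0
18:20:47 radius,debug,packet User-Name = "alice"
18:20:47 radius,debug,packet User-Password = 0x5365637265743132
18:20:47 radius,debug,packet received Access-Accept with id 8 from 192.0.2.10:1812
18:20:47 radius,debug,packet MS-MPPE-Encryption-Policy = 2
18:20:48 radius,debug,packet sending Access-Request with id 9 to 192.0.2.10:1812
18:20:48 radius,debug,packet NAS-Port-Type = 5
18:20:48 radius,debug,packet User-Name = "bob"
18:20:48 radius,debug,packet MS-CHAP2-Response = 0x00112233445566778899aabbccddeeff
"""
SEND_RE = re.compile(r"packet sending (\S+) with id (\d+)")
ATTR_RE = re.compile(r"packet ([\w-]+) = (.+)$")
# First attribute found decides the PPP authentication method of the request.
METHOD_BY_ATTR = [("EAP-Message", "EAP"), ("MS-CHAP2-Response", "MS-CHAPv2"),
                  ("MS-CHAP-Response", "MS-CHAPv1"), ("CHAP-Password", "CHAP"), ("User-Password", "PAP")]

def parse_requests(log_text):
    """Group attribute lines under the Access-Request they were sent with."""
    requests, current = [], None
    for line in log_text.splitlines():
        if m := SEND_RE.search(line):
            current = {"code": m.group(1), "id": int(m.group(2)), "attrs": {}}
            requests.append(current)
        elif "packet received" in line:
            current = None  # what follows belongs to the server's reply, not the request
        elif current is not None and (m := ATTR_RE.search(line)):
            current["attrs"][m.group(1)] = m.group(2).strip().strip('"')
    return [r for r in requests if r["code"] == "Access-Request"]

def audit_request(req):
    """Classify the auth method and flag what NPS needs and what the log leaks."""
    a = req["attrs"]
    method = next((name for attr, name in METHOD_BY_ATTR if attr in a), "unknown")
    issues = []
    if method == "PAP":
        issues.append("PAP: NPS needs 'Unencrypted authentication (PAP, SPAP)' enabled")
        # Wire User-Password is padded to 16-octet multiples (RFC 2865); shorter hex = logged before obfuscation.
        if ((len(a["User-Password"]) - 2) // 2) % 16 != 0:
            issues.append("User-Password logged before obfuscation; treat this log as a secret")
    if a.get("NAS-Port-Type") != "5":
        issues.append("NAS-Port-Type is not 5 (Virtual)")
    return {"id": req["id"], "user": a.get("User-Name", "?"), "method": method, "issues": issues}

def audit_log(log_text):
    return [audit_request(r) for r in parse_requests(log_text)]
```

Run `audit_log` over a captured RouterOS radius debug log; any request reported as PAP is one NPS cannot accept without the unencrypted-authentication policy, and the obfuscation flag is a reminder that such debug output must not be shared as-is.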

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Mon Feb 04, 2019 12:17 am
by Cvan
And what does the event viewer say in the AD/NPS logs on the Windows Server?

Are you specifying the domain attribute on the RADIUS client?

NAS-Port-type should be 5 (Virtual)

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Fri Feb 22, 2019 5:50 pm
by krsz
Are you specifying the domain attribute on the RADIUS client?
No.
NAS-Port-type should be 5 (Virtual)
How can I change it in RouterOS?

Re: Authentication Methods RADIUS VPN WINDOWS SERVER

Posted: Tue Jun 04, 2019 12:05 pm
by velonet
Hello krsz,

Have you been able to figure out a way to have your MikroTik send identification information in a secure fashion to the MS RADIUS server?

I, obviously, encounter the same issue, and it's very frustrating to see messages in the NPS server stating that the user tried to use an authentication method that is not activated when only encrypted authentication is active.

And even more frustrating when you disable encryption (even if it's only in my LAN, I don't want to have clear-text passwords transiting on my network).