 
luigifanton
just joined
Topic Author
Posts: 1
Joined: Tue Feb 25, 2020 11:43 pm

Freeipa radius ldap backend login

Tue Feb 25, 2020 11:49 pm

Hi,
I'm trying (without success) to authenticate MikroTik against a RADIUS FreeIPA server with an LDAP backend.
Has anyone been successful?
 
mekatum
just joined
Posts: 2
Joined: Sat Jun 27, 2020 10:14 pm

Re: Freeipa radius ldap backend login

Tue Jun 30, 2020 8:35 pm

Hi!
Maybe this is no longer relevant, but I'll answer.

I successfully implemented a bunch of centos 8 + freeipa 4.8.4 + freeradius 3.0.17 + mikrotik 6.47.

Some points that were not obvious to me: FreeIPA's default password hash is PBKDF2_SHA256, but FreeRADIUS does not support it. You must change the FreeIPA hash.
MikroTik's RADIUS client uses MSCHAPv2 for auth. MSCHAPv2 supports only clear text hash or NT HASH. You must add NT HASH support to your FreeIPA.
But still, it works! And I can connect to MikroTik's L2TP server with my LDAP login.
 
plantaznik
just joined
Posts: 1
Joined: Thu Aug 13, 2020 12:14 pm

Re: Freeipa radius ldap backend login

Thu Aug 13, 2020 12:19 pm

Hi mekatum,

I have the same problem. Newly installed FreeIPA with LDAP + FreeRADIUS.
Connections between Huawei, Cisco devices and the FreeIPA server over FreeRADIUS are OK, but MikroTik doesn't work.

My question is, how do I change the FreeIPA hash? Or how do I add NT HASH support to my FreeIPA server?

Thank you for your help.

Best
Plnt
Last edited by plantaznik on Thu Aug 13, 2020 12:21 pm, edited 1 time in total.
 
yosefko
just joined
Posts: 1
Joined: Sun Mar 04, 2018 5:08 pm

Re: Freeipa radius ldap backend login

Tue Aug 18, 2020 9:08 am

Hi,

We used OpenLDAP with FreeRADIUS and use cleartext passwords for MikroTik and other vendors: Cisco, Huawei, Zyxel...
We made a similar setup to yours, "I successfully implemented a bunch of centos 8 + freeipa 4.8.4 + freeradius 3.0.17 + mikrotik 6.47.", but we can't authenticate on MikroTik via this setup.
Please, could you help us in some way?
Thanks.

Yosefko
 
clovehitch
just joined
Posts: 9
Joined: Fri Mar 06, 2020 10:06 pm

Re: Freeipa radius ldap backend login

Wed Feb 10, 2021 12:35 am

I burnt a lot of time trying to get this to work.
- most guides are 5+ years old
- everyone that's giving advice and tips seems to be using different versions
- security issues trying to get this to work

The list kind of just goes on.

If someone could do a write-up of all the steps needed for a fresh install of FreeIPA + FreeRADIUS, I'm sure a lot of people would find it useful.

I gave up and just made a dedicated RADIUS server for MikroTik logins :(
