Community discussions

MikroTik App
 
NSimpraga
newbie
Topic Author
Posts: 36
Joined: Fri Sep 27, 2019 2:47 pm

EAP authentication for PPP

Wed Mar 17, 2021 12:25 pm

Greetings,

I am working on a authentication solution for VPNs to our Mikrotik devices. The configuration uses an external RADIUS server (NPS) which Mikrotik talks to to authenticate against our cloud Active Directory (Azure AD Domain Services). I got it to work with MS-CHAPv2 but it seems that Mikrotik doesn't support EAP authentication for the PPP service.

Am I missing something or is there really no support for EAP with VPN authentication? Seems like quite a security risk to only support MS-CHAPv2 as the best authentication protocol, since it was cracked quite a few years ago.
 
breili
just joined
Posts: 13
Joined: Thu Jan 27, 2011 11:09 am

Re: EAP authentication for PPP

Thu Jul 27, 2023 10:00 am

Hi,
I got it to work with MS-CHAPv2 but it seems that Mikrotik doesn't support EAP authentication for the PPP service
Did you find out any more on this subject?

I've hit the same just for sstp. The remote sstp server only accepts EAP (0xc227) as authentication option while ROS sstp-client seems not to support that (couldn't find any option for ppp-client either).
(the other unrelated issue is that ROS sstp-client only supports ssl3 ciphers meaning that an properly configured remote allowing tls1.2 only including ciphers will fail tls setop -- I worked around that with a socat container).

I verified that the linux sstp-client/pppd works fine with this specific remote if selecting EAP for auth.

Thank you,
Andre
 
RiFF
newbie
Posts: 35
Joined: Sun Apr 29, 2018 9:35 pm

Re: EAP authentication for PPP

Thu Jul 27, 2023 10:51 am

To my knowledge, if you want to use EAP authentication on VPN connections, MikroTik currently supports it only in the IPsec protocol (it also works with NPS and the AZURE plugin)

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 59 guests