lis

mikrotik and windows radius solution

Wed Apr 07, 2021 11:59 am

Hello to Everyone,

I've recently been fighting with RADIUS on MikroTik. I had to do a lot of digging and connecting different things together, so I thought I'd share the results here. It's not a wiki, but maybe someone will find this useful.

Use case: switch everything to RADIUS AAA (WiFi, login & VPN) for a single MikroTik. RADIUS is connected to AD, and we will feed it users and groups from AD.

The biggest challenge I had was figuring out the order and setup of the RADIUS policies, so I will begin with that. My order of the policies:
1. WiFi - allows windows users to connect to WiFi using WPA2 Enterprise
2. Login - ssh login to the mikrotik
3. VPN - tested with L2VPN and SSTP

Fortunately there is not much to configure in these policies. You do not need anything other than Network Policies; Connection Request Policies are not needed. You definitely need to configure a RADIUS client that has the same secret on the MikroTik and on the RADIUS server.

WiFi policy

Before implementing the policy you need a RADIUS server certificate. It's a regular SSL certificate that you can get on the market or generate via MikroTik as self-signed. I do not recommend self-signed certs; I recommend obtaining a proper one from the market. Do NOT use a wildcard certificate. It will not work; use a certificate with the CNAME set to the valid FQDN of the RADIUS server. If you use an untrusted/self-signed certificate you may have to import it, or its CA, into your Windows computer's trusted CA repository.

1. Use Windows Groups, not just "Groups", for conditions. Choose the one that should provide access to the WiFi.
2. Configure NAS Port Type: "Wireless - IEEE 802.11"
3. In Constraints use only MS-CHAPv2 and add Microsoft Protected EAP (PEAP). In its properties select the certificate whose CNAME corresponds to your RADIUS server FQDN.
4. Leave everything else at default.

Login policy
In Conditions set up:
1. Use Windows Groups, not just "Groups", for conditions. Choose the one that should provide access to SSH - typically the admin group.
2. Service Type: Login
3. In Constraints use only MS-CHAPv2; do not configure any EAP.
4. In the returned RADIUS attributes add a Vendor Specific one with vendor code 14988, attribute code 3, attribute format "string" and the attribute value set to the group name on the MikroTik that you want returned, e.g. "full" for full admin rights. You can customize it if you want and return another name that you have configured on the MikroTik.
5. Leave everything else at default.

VPN policy
1. Use Windows Groups, not just "Groups", for conditions. Choose the one that should provide access to SSH - typically the admin group.
2. Service Type: Framed
3. NAS Port Type: Virtual (VPN)
4. In Constraints use only MS-CHAPv2; do not configure any EAP.
5. In the returned RADIUS attributes add a Vendor Specific one with vendor code 14988, attribute code 3, attribute format "string" and the attribute value set to the VPN profile name on the MikroTik that you want returned, e.g. "my-admin-sstp-vpn" or "VPN". You can customize it, but it must match the one configured on the MikroTik, otherwise the service default will be used.
6. Leave everything else at default.

The rest is easy using Winbox
First set up the RADIUS server in the main RADIUS menu. Add a new RADIUS entry with the same secret as on the RADIUS server and tick ppp (for VPNs), wireless (for WiFi) and login (for SSH login).
The easiest setup is for the login. Using Winbox, log in to the MikroTik, navigate to System --> Users and click AAA. In that menu just tick RADIUS and choose the default group that users shall fall into if an incorrect attribute value is returned. Leave it at read to be secure.

For VPNs navigate to PPP --> Secrets and click PPP Authentication & Accounting, then just select RADIUS. Obviously you need to prepare the VPN profiles first. Remember that the VPN profile names must match those configured in the RADIUS attributes.

For Wireless navigate to Wireless --> Security Profiles and set up a profile with WPA2 EAP, using AES for encryption. For the EAP settings leave the defaults: passthrough, do not verify certificate (unless you want to) and TLS certificate set to none (we do not do mutual auth).

And you're done!
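As an added example (not part of the original post), here is the same MikroTik-side setup typed into the RouterOS terminal instead of clicked through Winbox, so the relevant settings can be checked in an export. It assumes RouterOS v6 syntax, a placeholder NPS address 192.0.2.10, a placeholder shared secret, the pool/profile names vpn-pool and VPN, wireless interface wlan1 and an already imported certificate named sstp-server-cert; the NPS policies stay exactly as described in the post.

```routeros
# Added example (not from the original post): RouterOS v6 terminal equivalent of the
# Winbox steps. Assumed placeholders: 192.0.2.10 (NPS server), the shared secret,
# the pool/profile names, interface wlan1 and the certificate name sstp-server-cert.

# 1. RADIUS client: the secret must equal the one in the NPS RADIUS Clients entry.
#    Enable only the services the post uses (ppp for VPNs, wireless for WiFi,
#    login for SSH/Winbox) so RADIUS is not consulted for anything else.
/radius
add address=192.0.2.10 secret="CHANGE-ME-shared-secret" service=ppp,login,wireless \
    authentication-port=1812 accounting-port=1813 timeout=3000ms

# 2. Login AAA: a user whose Access-Accept carries no matching Mikrotik-Group
#    (vendor 14988, attribute 3) lands in the read-only group, not in full.
/user aaa
set use-radius=yes default-group=read
# "full" and "read" are built-in groups; a Mikrotik-Group value of "full" maps here.
/user group print

# 3. PPP: the profile name must match the Mikrotik-Group string returned by the
#    VPN policy ("VPN" here), otherwise the service default profile is applied.
/ip pool
add name=vpn-pool ranges=10.99.0.10-10.99.0.100
/ppp profile
add name=VPN local-address=10.99.0.1 remote-address=vpn-pool use-encryption=required
/ppp aaa
set use-radius=yes accounting=yes
/interface sstp-server server
set enabled=yes default-profile=VPN authentication=mschap2 certificate=sstp-server-cert

# 4. WiFi: WPA2-EAP with AES only, EAP passed through to RADIUS (PEAP/MS-CHAPv2 is
#    terminated on NPS), no client certificate because there is no mutual TLS.
/interface wireless security-profiles
add name=wpa2-eap mode=dynamic-keys authentication-types=wpa2-eap \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    eap-methods=passthrough tls-mode=no-certificates tls-certificate=none
/interface wireless
set wlan1 security-profile=wpa2-eap

# Check after a test login over SSH: the session should appear with the group
# NPS returned ("full"), or with "read" if the attribute value did not match.
/user active print
```

If a RADIUS-authenticated admin shows up in `/user active print` as read, the Mikrotik-Group string in the NPS Login policy does not match a name in `/user group`; that fallback is the reason the post leaves the default group at read.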
