nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

external Radius server and mikrotik ???

Tue May 11, 2021 10:59 am

Hi everyone, is MikroTik compatible to be a client of an external RADIUS server?

I just signed up with jumpcloud.com but cannot get MikroTik to authenticate to their RADIUS server

I have my local radius server and have no issues connecting to it

tried to search on the internet but all the guides talk about the local server but not the cloud one


thank you
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: external Radius server and mikrotik ???

Tue May 11, 2021 11:11 am

What are you trying to use the radius client for? Hotspot, PPP, Local Auth etc?

Provide an /export (or at least /radius export and config of the service you want using it) so we can help.

Personally I connect all our mikrotiks to a 'cloud hosted' Radius server in a different country for ppp auth without issue. Most likely - it is a configuration issue on either your mikrotik or radius server.
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: external Radius server and mikrotik ???

Tue May 11, 2021 11:32 am

What are you trying to use the radius client for? Hotspot, PPP, Local Auth etc?

Provide an /export (or at least /radius export and config of the service you want using it) so we can help.

Personally I connect all our mikrotiks to a 'cloud hosted' Radius server in a different country for ppp auth without issue. Most likely - it is a configuration issue on either your mikrotik or radius server.

thank you

/radius
add address=18.182.131.248 secret="sjsdfsdf$cEdfdsfgsdfsdltPGfsdfssdfdsfdsmsdfqfWr232wr3" \
service=login,ipsec timeout=600ms

All I get is:

requests 1,2 - timeouts 1, 2 etc

I tried to use one of the testing tools on Windows and tested authentication of users and it works fine, but how do I connect to that RADIUS server via MikroTik?

I have an IKEv2 server, but even for local authentication to MikroTik, if that worked I would be happy

Looks like it's a connectivity issue?? I disabled all the firewall rules and same issues
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: external Radius server and mikrotik ???

Tue May 11, 2021 1:32 pm

It works fine against FreeRADIUS.

It could be the RADIUS server does not support the required authentication methods - the JumpCloud documentation says "JumpCloud RaaS servers offer both EAP-TTLS/PAP and PEAP (MSCHAPv2) for authentication", it doesn't indicate if it responds to requests with unsupported authentication methods or silently ignores them.

Since RouterOS v6.43 the login service uses MS-CHAPv2, note this is not the same as PEAP (more correctly PEAPv0/EAP-MSCHAPv2).
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: external Radius server and mikrotik ???

Wed May 12, 2021 12:38 am

@joegoldman

are you using foxpass?
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: external Radius server and mikrotik ???

Wed May 12, 2021 5:36 am

@joegoldman

are you using foxpass?
No I am using Radiator on a cloud hosted Dedicated Server in a different country from most of my routers.

You can run debug radius log to get the packets being sent and any received to really drill down into the problem (and do the same level on the cloud end); this way you can see if it's even being received or if it's an auth problem etc.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: external Radius server and mikrotik ???

Wed May 12, 2021 10:02 am

600ms timeout ?
Perhaps as a test increase this slightly ?
I'm aware that 600ms is like eternity but still ...

Apart from that, give JumpCloud a call/mail and simply ask them? "Do you guys reply to my radius-client even if I would be making an invalid request?"
I mean, you have the shared-secret that is correct, I would assume the remote AAA-platform would reply with SOMETHING.

If you make requests with an invalid preshared key, of course I can imagine the remote platform remains silent...

Also, perhaps try a simple pre-shared key, perhaps there is some bug in RouterOS with such a long key or chars used.

Are you sure your IP is not passed by some CGNAT gateway on its way out? Basically, JumpCloud has your correct public IP?
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: external Radius server and mikrotik ???

Wed May 12, 2021 11:23 am

Hello, I used both IBSng and FreeRadius3 there was no problem with RAS.
 
nbctcp
Frequent Visitor
Posts: 77
Joined: Tue Sep 16, 2014 7:32 pm

Re: external Radius server and mikrotik ???

Fri Jul 08, 2022 12:21 pm

/interface wireless security-profiles
add authentication-types=wpa2-eap mode=dynamic-keys name=EAP_AP \
supplicant-identity=Mikrotik

You need to set EAP Method=passthrough
Just now tested login to MikroTik AP using RADIUS from JumpCloud
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: external Radius server and mikrotik ???

Fri Jul 08, 2022 1:23 pm

WiFi authentication is not the issue here. The OP wanted to authenticate logins to the Mikrotik itself which requires the RADIUS server to support plain MS-CHAPv2, not encapsulated EAP
 
neilws
just joined
Posts: 11
Joined: Thu Jul 25, 2013 12:16 pm

Re: external Radius server and mikrotik ???

Fri Jul 22, 2022 4:16 pm

Attempting to achieve the same thing (router admin login & VPN) with some success in JumpCloud.

For "login":
Only authenticates using the JumpCloud "Protect" app via push.
When we try and use the "manual" method (i.e. password + , + TOTP Google/MS Auth etc.. code) it fails with error "mschap: MS-CHAP2-Response is incorrect", so suspect authentication protocol issues.

For "VPN" (ppp & ipsec):
If we set auth on Mikrotik to "pap", then the "manual" method above works.
If we set auth to "MSCHAPv2" then the "manual" route fails.
If we set auth to "MSCHAPv2" and use the JumpCloud "Protect" app via push it works.

Again looks to be authentication protocol incompatibilities. Not advanced beyond that as yet.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: external Radius server and mikrotik ???

Fri Jul 22, 2022 4:49 pm

Along the lines of my earlier post, the JumpCloud RADIUS Server documentation says:
Device or service endpoint that supports RADIUS and either EAP-TTLS/PAP or EAP-PEAP/MSCHAPv2 authentication methods. Simple PAP may also be used, but we highly recommend you use a more secure authentication protocol such as EAP-TTLS/PAP or EAP-PEAP/MSCHAPv2

It does not claim to support plain MSCHAPv2 so Mikrotik login service will not work, nor will PPP-based VPNs using CHAP, MSCHAPv1 or MSCHAPv2. Mikrotik do not support EAP passthrough for PPP-based VPNs, but you should be able to use IPsec IKEv2 with the eap-radius authentication method.
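
The distinction drawn in this thread between plain MS-CHAPv2, PAP and EAP is visible in the attributes of the Access-Request itself (RFC 2865, RFC 2548, RFC 3579), so a capture of what the router sends shows which method the server has to accept. The Python below is an added example, not code from any poster, MikroTik or JumpCloud; the function names are hypothetical and the sample packets are constructed, not captured traffic.

```python
import struct

MICROSOFT = 311                               # vendor id used by RFC 2548 attributes
MS_VSA = {1: "MS-CHAPv1", 25: "MS-CHAPv2"}    # MS-CHAP-Response, MS-CHAP2-Response
PLAIN = {2: "PAP", 3: "CHAP", 79: "EAP"}      # User-Password, CHAP-Password, EAP-Message

def tlvs(buf):
    """Split a run of type/length/value attributes (length includes the 2-byte header)."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((buf[pos], buf[pos + 2:pos + buf[pos + 1]]))
        pos += buf[pos + 1]
    return out

def auth_methods(packet):
    """Return the set of authentication methods carried by one Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = set()
    for atype, value in tlvs(packet[20:length]):
        if atype in PLAIN:
            found.add(PLAIN[atype])
        elif atype == 26 and len(value) > 4:  # Vendor-Specific: 4-byte vendor id + sub-TLVs
            if struct.unpack("!I", value[:4])[0] == MICROSOFT:
                found.update(MS_VSA[t] for t, _ in tlvs(value[4:]) if t in MS_VSA)
    return found

# --- constructed sample packets (zero-filled fields, not captured traffic) ---
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def ms(vtype, value):
    return attr(26, struct.pack("!I", MICROSOFT) + attr(vtype, value))

USER = attr(1, b"admin")
LOGIN_REQ = request(USER, ms(11, bytes(16)), ms(25, bytes(50)))  # plain MS-CHAPv2
PAP_REQ = request(USER, attr(2, bytes(16)))
EAP_REQ = request(USER, attr(79, b"\x02\x01\x00\x0a\x01admin"), attr(80, bytes(16)))

if __name__ == "__main__":
    for name, pkt in [("login", LOGIN_REQ), ("pap", PAP_REQ), ("eap", EAP_REQ)]:
        print(name, sorted(auth_methods(pkt)))
```

A request classified as MS-CHAPv2 carries no EAP-Message attribute at all, which is why a server that only handles MSCHAPv2 inside PEAP has nothing it can process in it.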
