pighogg2021
just joined
Topic Author
Posts: 2
Joined: Thu Nov 11, 2021 4:17 pm

AD login with NPS RADIUS, more than 1 access group on more than 1 Mikrotik

Thu Nov 11, 2021 5:36 pm

Greetings everyone. Trying to get RADIUS authentication (login only) working on multiple MikroTiks with Windows Server 2019 NPS and AD user groups.
Say I've got 2 network access policies, each with one of the domain groups (MTadm and MTread) in the Conditions, and with 'full' and 'read' in Parameters > Vendor-specific > 14988, 3, string parameter.
I want to give these 2 domain group users full and write-only access to all MikroTiks.
The problem is, whatever network policy I set up, I can log in with only 'full' or 'read', depending on which comes first in the connection request policies, or the default 'read' if no vendor attribute is specified in the CRP. Never both groups at the same time. It looks like the AD group parameter is ignored either by MikroTik or by NPS.

The question is, has anyone managed to get AD authentication with more than one security group working with NPS RADIUS on more than one MikroTik in a single network? Where did I get stuck?

Config samples on Windows Server side:
>netsh nps show np
Network Policy Configuration:
-------------------------------------------------- -------
Name = MTadm
Status = Enabled
Processing order = 2
Policy source = 0

State Attributes:

Name Identifier Value
-------------------------------------------------- -------
Condition0 0x1023 "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8972"
Condition1 0x1fb5 "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8972"

Profile attributes:

Name Identifier Value
-------------------------------------------------- -------
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x4"
Vendor-Specific 0x1a "0100003A8C0306full"
Port-Limit 0x3e "0x1"
Service-Type 0x6 "0x1"
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"

Network Policy Configuration:
-------------------------------------------------- -------
Name = MTread
Status = Enabled
Processing order = 3
Policy source = 0

State Attributes:

Name Identifier Value
-------------------------------------------------- -------
Condition0 0x1023 "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8974"
Condition1 0x1fb5 "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8974"

Profile attributes:

Name Identifier Value
-------------------------------------------------- -------
NP-Allow-Dial-in 0x100f "TRUE"
NP-Authentication-Type 0x1009 "0x4"
Vendor-Specific 0x1a "0100003A8C0306read"
Port-Limit 0x3e "0x1"
Service-Type 0x6 "0x1"
MS-MPPE-Encryption-Policy 0xffffffa7 "0x2"
MS-MPPE-Encryption-Types 0xffffffa6 "0xe"  

>netsh nps show crp
Connection request policy configuration:
-------------------------------------------------- -------
Name = MTadmXX.XXX
Status = Enabled
Processing order = 3
Policy source = 0

State Attributes:

Name Identifier Value
-------------------------------------------------- -------
Condition0 0x4 "192.168.xx.xxx"

Profile attributes:

Name Identifier Value
-------------------------------------------------- -------
Auth-Provider-Type 0x1025 "0x1"
NP-Authentication-Type 0x1009 "0x4"
Override-RAP-Auth 0x1fb0 "TRUE"

On MikroTik's side everything is straightforward:
/radius
add address=192.168.xx.xxx secret=\
   "somekindofasecret" \
   service=login timeout=600ms
/user aaa
set default-group=read use-radius=yes
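
A way to check what the `Vendor-Specific 0x1a` values in the netsh output above actually encode, as an added example that is not code from the post, from MikroTik or from Microsoft. It reads the netsh value as an RFC 2865 Vendor-Specific payload (4-byte vendor-id, 1-byte vendor-type, 1-byte vendor-length, then the value) written in hex, with the value itself shown as plain ASCII; the leading `01` byte is treated as an NPS-side prefix, which is an assumption on my part. Vendor 14988 with vendor-type 3 is MikroTik's `Mikrotik-Group` attribute, which RouterOS maps to a `/user group` name. The function names are mine; the two sample values are the ones from the netsh output in this post.

```python
"""Decode and re-encode the Mikrotik-Group VSA shown by `netsh nps show np`.

Added example for this thread; not code from the original post, MikroTik or
Microsoft.  Assumption: the netsh string is a one-byte NPS prefix ("01"),
then the RFC 2865 VSA header in hex (vendor-id, vendor-type, vendor-length),
then the attribute value as ASCII text.
"""
import struct
from typing import Optional

MIKROTIK_VENDOR_ID = 14988      # 0x3A8C, MikroTik's IANA enterprise number
MIKROTIK_GROUP = 3              # vendor-type of Mikrotik-Group
RADIUS_VENDOR_SPECIFIC = 26     # 0x1a, RFC 2865 Vendor-Specific attribute


def parse_nps_vsa(netsh_value: str) -> dict:
    """Parse a netsh 'Vendor-Specific 0x1a' value such as '0100003A8C0306full'.

    Layout (assumed): 2 hex chars prefix, 8 hex chars vendor-id, 2 hex chars
    vendor-type, 2 hex chars vendor-length, then the value as ASCII.
    """
    if len(netsh_value) < 14:
        raise ValueError("value too short to contain a VSA header")
    prefix = int(netsh_value[0:2], 16)
    vendor_id = int(netsh_value[2:10], 16)
    vendor_type = int(netsh_value[10:12], 16)
    vendor_length = int(netsh_value[12:14], 16)
    value = netsh_value[14:]
    # RFC 2865: vendor-length covers the type and length octets plus the value.
    if vendor_length != 2 + len(value):
        raise ValueError(
            f"vendor-length {vendor_length} does not match 2 + len({value!r})")
    return {
        "nps_prefix": prefix,
        "vendor_id": vendor_id,
        "vendor_type": vendor_type,
        "vendor_length": vendor_length,
        "value": value,
    }


def mikrotik_group_from_vsa(netsh_value: str) -> Optional[str]:
    """Return the RouterOS group name if the VSA is Mikrotik-Group, else None."""
    vsa = parse_nps_vsa(netsh_value)
    if vsa["vendor_id"] == MIKROTIK_VENDOR_ID and vsa["vendor_type"] == MIKROTIK_GROUP:
        return vsa["value"]
    return None


def build_mikrotik_group_attribute(group: str) -> bytes:
    """Encode Mikrotik-Group=<group> as an on-the-wire RADIUS attribute 26."""
    value = group.encode("ascii")
    sub = struct.pack("!BB", MIKROTIK_GROUP, 2 + len(value)) + value
    payload = struct.pack("!I", MIKROTIK_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(payload)) + payload


if __name__ == "__main__":
    # Constructed inputs: the two values from the netsh output in this thread.
    for raw in ("0100003A8C0306full", "0100003A8C0306read"):
        print(raw, "->", parse_nps_vsa(raw), "group:", mikrotik_group_from_vsa(raw))
    print("wire bytes for Mikrotik-Group=full:",
          build_mikrotik_group_attribute("full").hex())
```

If both policies decode to vendor 14988 / type 3 with the expected group string, the VSA side of the NPS config is fine and the problem lies in policy matching (conditions, processing order) rather than in the attribute itself.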
 
pighogg2021
just joined
Topic Author
Posts: 2
Joined: Thu Nov 11, 2021 4:17 pm

Re: AD login with NPS RADIUS, more than 1 access group on more than 1 Mikrotik  [SOLVED]

Fri Nov 12, 2021 1:07 pm

After digging with
/system logging add topics=radius
it looks like the problem was not a bad NPS config but the appropriate group not yet being applied to the user, probably because they had not logged off and on again.
At least it's working perfectly with any domain user not logged in anywhere.
Solved.
