Community discussions

MikroTik App
 
pekr
Member Candidate
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic
Contact:

Need seamless PEAP authentication ...

Thu Sep 06, 2007 4:32 pm

Hello,

I wanted to introduce MT platform to the new company I work for, but what I really need is seamless authentication in MS environment for our wifi notebook users. By seamless I mean I am not willing to set-up user manager and manually enter users, nor am I willing to set-up CA here and to manually generate/upload certificates to users.

So, the question is simple - where's my PEAP, standard in MS world? Even small linkys we have here can make it. I still hope I am overlooking something, but reading some past messages and googling reveals no satisfactory answer for me.

Thanks,
Petr
 
User avatar
tneumann
Member
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: Need seamless PEAP authentication ...

Thu Sep 06, 2007 5:38 pm

Did you try a security profile with WPA2-EAP and EAP passthrough on your MikroTik access point? In EAP passthrough mode all certificate verfication and PEAP handling are done between the client and the RADIUS server only, so this should work just fine provided that you have the needed Microsoft mojo (MS IAS Radius sitting on the Active Directory, server and client SSL certificates already in place, ...)

--Tom
 
pekr
Member Candidate
Member Candidate
Topic Author
Posts: 138
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic
Contact:

Re: Need seamless PEAP authentication ...

Fri Sep 07, 2007 2:06 pm

Hi Tom,

thank you very much for your suggestion. We tried it before I posted my request, unfortunatelly we later found out, that our RADIUS is not properly configurated for such option. Now everything works OK.

So, my post is just informative for those who will search this conference in the future - it can be solved and used in MS PEAP environment :-)

Thanks once again,
Petr
 
nikmac
just joined
Posts: 19
Joined: Wed Mar 15, 2006 10:28 am
Location: Greece

Re: Need seamless PEAP authentication ...

Tue Nov 27, 2007 3:35 pm

Hi

I trying to implement same scenario without success.

The AP is forward the credentials to IAS server but with wrong attributes (nothing VALUE
in NAS-Port-Type and NAS-port). The IAS server was drop the request because is not
matching any policy.

I was make the tests with v2.9.27 2.9.49 and 3.0rc10-11, and for authentication
PEAP-MSCHAP-V2 and EAP-TLS (certificates), without luck.
I was make bridge interface with ether1 and wlan1.

Any help i'll appreciated

Thanks nikos
 
nikmac
just joined
Posts: 19
Joined: Wed Mar 15, 2006 10:28 am
Location: Greece

Re: Need seamless PEAP authentication ...

Wed Dec 05, 2007 9:10 am

Hi pekr

Can you tell me how did you make it with PEAP ? In my lab is not working.
I did anything without luck

Thanks nikos
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Need seamless PEAP authentication ...

Wed Dec 05, 2007 9:28 am

nikmac,
>>The AP is forward the credentials to IAS server but with wrong attributes (nothing VALUE
>>in NAS-Port-Type and NAS-port). The IAS server was drop the request because is not
>>matching any policy.

What kind of error you see on RADIUS ?
Do you have correct configuration for RADIUS client and wireless security settings ?
Post your configuration from 'radius print' and 'interface wireless security-profile'.
 
nikmac
just joined
Posts: 19
Joined: Wed Mar 15, 2006 10:28 am
Location: Greece

Re: Need seamless PEAP authentication ...

Wed Dec 05, 2007 11:24 am

Goodmorning sergejs

My configuration in access point is :

[admin@hot-1] /interface wireless security-profiles> print
0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
supplicant-identity="acs-hot-1" eap-methods=passthrough tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interi
m-update=0s
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m

1 name="strong-psk" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
wpa-pre-shared-key="acsh@t2007#$*" wpa2-pre-shared-key="acsh@t2007#$*" supplicant-identity="acs-hot-1" tls-mode=no-certificates tls-certific
ate=none
static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no
radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group
-key-update=5m

2 name="strong-eap" mode=dynamic-keys authentication-types=wpa-eap,wpa2-eap unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
wpa-pre-shared-key="acsh@t2007#$*" wpa2-pre-shared-key="acsh@t2007#$*" supplicant-identity="hotspot-01" eap-methods=passthrough tls-mode=no-
certificates
tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=
none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-acc
ounting=no
radius-eap-accounting=yes interim-update=1m radius-mac-format=XX-XX-XX-XX-XX-XX radius-mac-mode=as-username-and-password radius-mac-caching=
disabled
group-key-update=5m
[admin@hot-1] /interface wireless security-profiles> /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET

0 ppp 192.168.0.117 #$238nikos*)

login
hotspot
wireless
dhcp
[admin@hot-1] /interface wireless security-profiles>

I was try with routeros 2.48-49 and with 3.0rc10 -11. The same thing

My IAS server log entry is same oll the time :

User ccc@domain.com was denied access.
The connection attempt did not match any access policy.
NAS-Port-Type = <not present>
NAP-Port = <not present>

I thing te reason is uknown NAS-Port-Type.
In IAS wireless policy i was put port type Wireless - IEEE 802.11 and Wireless - Other
In other mikrotiks who working like NAS for VPN, there is not problem with IAS.

I don't know how to make attributes for Mikrotik-VSA

Any help appreciated

Thanks nikos

Who is online

Users browsing this forum: domon, hatred, sindy, theonemikrotik and 113 guests