Hello,
I wanted to introduce MT platform to the new company I work for, but what I really need is seamless authentication in MS environment for our wifi notebook users. By seamless I mean I am not willing to set-up user manager and manually enter users, nor am I willing to set-up CA here and to manually generate/upload certificates to users.
So, the question is simple - where's my PEAP, standard in MS world? Even small linkys we have here can make it. I still hope I am overlooking something, but reading some past messages and googling reveals no satisfactory answer for me.
Thanks,
Petr
Re: Need seamless PEAP authentication ...
Did you try a security profile with WPA2-EAP and EAP passthrough on your MikroTik access point? In EAP passthrough mode all certificate verfication and PEAP handling are done between the client and the RADIUS server only, so this should work just fine provided that you have the needed Microsoft mojo (MS IAS Radius sitting on the Active Directory, server and client SSL certificates already in place, ...)
--Tom
--Tom
Re: Need seamless PEAP authentication ...
Hi Tom,
thank you very much for your suggestion. We tried it before I posted my request, unfortunatelly we later found out, that our RADIUS is not properly configurated for such option. Now everything works OK.
So, my post is just informative for those who will search this conference in the future - it can be solved and used in MS PEAP environment
Thanks once again,
Petr
thank you very much for your suggestion. We tried it before I posted my request, unfortunatelly we later found out, that our RADIUS is not properly configurated for such option. Now everything works OK.
So, my post is just informative for those who will search this conference in the future - it can be solved and used in MS PEAP environment
Thanks once again,
Petr
Re: Need seamless PEAP authentication ...
Hi
I trying to implement same scenario without success.
The AP is forward the credentials to IAS server but with wrong attributes (nothing VALUE
in NAS-Port-Type and NAS-port). The IAS server was drop the request because is not
matching any policy.
I was make the tests with v2.9.27 2.9.49 and 3.0rc10-11, and for authentication
PEAP-MSCHAP-V2 and EAP-TLS (certificates), without luck.
I was make bridge interface with ether1 and wlan1.
Any help i'll appreciated
Thanks nikos
I trying to implement same scenario without success.
The AP is forward the credentials to IAS server but with wrong attributes (nothing VALUE
in NAS-Port-Type and NAS-port). The IAS server was drop the request because is not
matching any policy.
I was make the tests with v2.9.27 2.9.49 and 3.0rc10-11, and for authentication
PEAP-MSCHAP-V2 and EAP-TLS (certificates), without luck.
I was make bridge interface with ether1 and wlan1.
Any help i'll appreciated
Thanks nikos
Re: Need seamless PEAP authentication ...
Hi pekr
Can you tell me how did you make it with PEAP ? In my lab is not working.
I did anything without luck
Thanks nikos
Can you tell me how did you make it with PEAP ? In my lab is not working.
I did anything without luck
Thanks nikos
Re: Need seamless PEAP authentication ...
nikmac,
>>The AP is forward the credentials to IAS server but with wrong attributes (nothing VALUE
>>in NAS-Port-Type and NAS-port). The IAS server was drop the request because is not
>>matching any policy.
What kind of error you see on RADIUS ?
Do you have correct configuration for RADIUS client and wireless security settings ?
Post your configuration from 'radius print' and 'interface wireless security-profile'.
>>The AP is forward the credentials to IAS server but with wrong attributes (nothing VALUE
>>in NAS-Port-Type and NAS-port). The IAS server was drop the request because is not
>>matching any policy.
What kind of error you see on RADIUS ?
Do you have correct configuration for RADIUS client and wireless security settings ?
Post your configuration from 'radius print' and 'interface wireless security-profile'.
Re: Need seamless PEAP authentication ...
Goodmorning sergejs
My configuration in access point is :
[admin@hot-1] /interface wireless security-profiles> print
0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
supplicant-identity="acs-hot-1" eap-methods=passthrough tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interi
m-update=0s
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m
1 name="strong-psk" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
wpa-pre-shared-key="acsh@t2007#$*" wpa2-pre-shared-key="acsh@t2007#$*" supplicant-identity="acs-hot-1" tls-mode=no-certificates tls-certific
ate=none
static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no
radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group
-key-update=5m
2 name="strong-eap" mode=dynamic-keys authentication-types=wpa-eap,wpa2-eap unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
wpa-pre-shared-key="acsh@t2007#$*" wpa2-pre-shared-key="acsh@t2007#$*" supplicant-identity="hotspot-01" eap-methods=passthrough tls-mode=no-
certificates
tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=
none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-acc
ounting=no
radius-eap-accounting=yes interim-update=1m radius-mac-format=XX-XX-XX-XX-XX-XX radius-mac-mode=as-username-and-password radius-mac-caching=
disabled
group-key-update=5m
[admin@hot-1] /interface wireless security-profiles> /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 ppp 192.168.0.117 #$238nikos*)
login
hotspot
wireless
dhcp
[admin@hot-1] /interface wireless security-profiles>
I was try with routeros 2.48-49 and with 3.0rc10 -11. The same thing
My IAS server log entry is same oll the time :
User ccc@domain.com was denied access.
The connection attempt did not match any access policy.
NAS-Port-Type = <not present>
NAP-Port = <not present>
I thing te reason is uknown NAS-Port-Type.
In IAS wireless policy i was put port type Wireless - IEEE 802.11 and Wireless - Other
In other mikrotiks who working like NAS for VPN, there is not problem with IAS.
I don't know how to make attributes for Mikrotik-VSA
Any help appreciated
Thanks nikos
My configuration in access point is :
[admin@hot-1] /interface wireless security-profiles> print
0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
supplicant-identity="acs-hot-1" eap-methods=passthrough tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interi
m-update=0s
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m
1 name="strong-psk" mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
wpa-pre-shared-key="acsh@t2007#$*" wpa2-pre-shared-key="acsh@t2007#$*" supplicant-identity="acs-hot-1" tls-mode=no-certificates tls-certific
ate=none
static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no
radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group
-key-update=5m
2 name="strong-eap" mode=dynamic-keys authentication-types=wpa-eap,wpa2-eap unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm
wpa-pre-shared-key="acsh@t2007#$*" wpa2-pre-shared-key="acsh@t2007#$*" supplicant-identity="hotspot-01" eap-methods=passthrough tls-mode=no-
certificates
tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=
none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-acc
ounting=no
radius-eap-accounting=yes interim-update=1m radius-mac-format=XX-XX-XX-XX-XX-XX radius-mac-mode=as-username-and-password radius-mac-caching=
disabled
group-key-update=5m
[admin@hot-1] /interface wireless security-profiles> /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 ppp 192.168.0.117 #$238nikos*)
login
hotspot
wireless
dhcp
[admin@hot-1] /interface wireless security-profiles>
I was try with routeros 2.48-49 and with 3.0rc10 -11. The same thing
My IAS server log entry is same oll the time :
User ccc@domain.com was denied access.
The connection attempt did not match any access policy.
NAS-Port-Type = <not present>
NAP-Port = <not present>
I thing te reason is uknown NAS-Port-Type.
In IAS wireless policy i was put port type Wireless - IEEE 802.11 and Wireless - Other
In other mikrotiks who working like NAS for VPN, there is not problem with IAS.
I don't know how to make attributes for Mikrotik-VSA
Any help appreciated
Thanks nikos