abeluko
just joined
Topic Author
Posts: 8
Joined: Tue Oct 26, 2021 3:03 pm

L2TP with Windows Server Radius

Tue Oct 26, 2021 3:13 pm

Hi all.

First of all, sorry for my English, it's a little poor.

Well, I have an RB750GL and I am trying to connect external clients to the VPN using a Windows Server 2012 and RADIUS, to control which users can and can't connect.

If I try to connect directly with the Windows client to the Windows server, all works fine, but if I put my RB750GL in between, it always says "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

Apparently all is well configured, but I think something fails...

thanks for all!!
 
abeluko
just joined
Topic Author
Posts: 8
Joined: Tue Oct 26, 2021 3:03 pm

Re: L2TP with Windows Server Radius

Tue Oct 26, 2021 5:18 pm

Hi again...

If I add a "user" in PPP\Secrets, then I can connect:

16:09:42 ipsec,info respond new phase 1 (Identity Protection): 192.168.1.120[500]<=>192.168.1.116[500]
16:09:43 ipsec,info ISAKMP-SA established 192.168.1.120[500]-192.168.1.116[500] spi:5b0ce37769e8ffe2:5a18ebe37ba9279a
16:09:44 l2tp,info first L2TP UDP packet received from 192.168.1.116
16:09:45 l2tp,ppp,info,account abel logged in, 172.26.1.219 from 192.168.1.116
16:09:45 l2tp,ppp,info <l2tp-abel>: authenticated
16:09:45 l2tp,ppp,info <l2tp-abel>: connected

but if I disable the "Secret"...

16:12:26 ipsec,info respond new phase 1 (Identity Protection): 192.168.1.120[500]<=>192.168.1.116[500]
16:12:28 ipsec,info ISAKMP-SA established 192.168.1.120[500]-192.168.1.116[500] spi:35ec61f2a93ccfa5:c617f166a6376f63
16:12:29 l2tp,info first L2TP UDP packet received from 192.168.1.116
16:12:29 l2tp,ppp,error <192.168.1.116>: user abel authentication failed - radius timeout
16:12:29 ipsec,info purging ISAKMP-SA 192.168.1.120[500]<=>192.168.1.116[500] spi=35ec61f2a93ccfa5:c617f166a6376f63.
16:12:29 ipsec,info ISAKMP-SA deleted 192.168.1.120[500]-192.168.1.116[500] spi:35ec61f2a93ccfa5:c617f166a6376f63 rekey:1

If I ping the Windows Server (RADIUS), it works fine:

[admin@MK] > ping
address: 172.26.1.10
SEQ HOST SIZE TTL TIME STATUS
0 172.26.1.10 56 128 1ms
1 172.26.1.10 56 128 1ms
2 172.26.1.10 56 128 1ms
3 172.26.1.10 56 128 1ms
4 172.26.1.10 56 128 1ms
5 172.26.1.10 56 128 1ms
6 172.26.1.10 56 128 1ms
7 172.26.1.10 56 128 1ms
sent=8 received=8 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=2ms

Could it be a firewall problem??

[admin@MK] /ip firewall filter> print
[admin@MK_TParra] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=input action=accept protocol=udp port=1701,500,4500 log=no log-prefix=""

2 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

4 chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

5 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

6 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=1 WAN

7 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

8 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=1 WAN


Thanks for all!!
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: L2TP with Windows Server Radius

Wed Oct 27, 2021 8:28 pm

Where's the RADIUS-specific config?
/radius export
Which PPP Profile is L2TP-server using??? Can you export it too?
 
abeluko
just joined
Topic Author
Posts: 8
Joined: Tue Oct 26, 2021 3:03 pm

Re: L2TP with Windows Server Radius

Thu Oct 28, 2021 3:31 pm

Hi Pukkita
/radius
add address=172.26.1.10 secret=123456789 service=ppp src-address=172.26.1.1 timeout=3s
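To make the "authentication failed - radius timeout" log line and the /radius export above concrete, here is an added example (not from this thread, nor MikroTik or Microsoft code) that builds the RFC 2865 exchange offline: the Access-Request a NAS sends for a PPP user, the Access-Accept/Reject a server such as NPS answers with, and the Response Authenticator check that lets the client discard replies not computed with the shared secret. The username abel, NAS address 172.26.1.1 and the post's secret 123456789 are reused only as constructed test values; sending over UDP 1812 is left out.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def _xor_chain(data, secret, first, encrypt):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    # where the first block's "previous block" is the Request Authenticator.
    out, prev = b"", first
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encrypt else data[i:i + 16])
    return out

def encode_user_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _xor_chain(padded or b"\x00" * 16, secret, authenticator, encrypt=True)

def decode_user_password(blob, secret, authenticator):
    return _xor_chain(blob, secret, authenticator, encrypt=False).rstrip(b"\x00")

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(identifier, username, password, secret, nas_ip):
    """NAS (router) side: the Access-Request sent when a PPP user logs in."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh and unpredictable
    attrs = (_attr(1, username.encode())                                           # User-Name
             + _attr(2, encode_user_password(password.encode(), secret, authenticator))  # User-Password
             + _attr(4, socket.inet_aton(nas_ip))                                    # NAS-IP-Address
             + _attr(6, struct.pack("!I", 2))                                        # Service-Type = Framed
             + _attr(7, struct.pack("!I", 1)))                                       # Framed-Protocol = PPP
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server (NPS) side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret):
    """NAS side: accept only a reply whose authenticator was computed with our secret."""
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return False  # truncated, or Length field does not match the datagram
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

When no datagram at all comes back, as in the log above, verify_response is never reached and the router reports the timeout after the configured timeout=3s; a reply with a wrong secret is instead reported as a bad authenticator.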
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: L2TP with Windows Server Radius

Sat Oct 30, 2021 9:52 am

Hi abeluko,

I have come across a problem when trying to set up RADIUS authentication using MS Windows Server 2012R2 (it's been fixed in 2016 and 2019). The issue is that even when all of the settings are correct (and the Windows firewall is fully disabled - for testing purposes only) the Windows server does not respond properly or consistently to communication on ports 1812 and 1813. I never did manage to track down a solution to the problem other than to upgrade Server 2012R2 to Server 2019 (we chose to skip Server 2016).

The behaviour that I observed was that either:
  • The server would respond for a short time to port 1812 communication (maybe 5 minutes if I was lucky) and not to port 1813, or
  • The server wouldn't respond on port 1812 but port 1813 was fine.
 
abeluko
just joined
Topic Author
Posts: 8
Joined: Tue Oct 26, 2021 3:03 pm

Re: L2TP with Windows Server Radius

Thu Nov 04, 2021 2:36 pm

Finally I solved one part of my problem, now I can connect to the L2TP VPN with MikroTik and Windows 2012 R2 Server RADIUS, but now my problem is: the user can only connect to the VPN if that user has the dial-up properties explicitly enabled in AD; if I choose to let NPS control this, it does not connect and the event viewer says the user has the dial-up parameter disabled.
But if I connect directly to the Windows server, without passing through MikroTik, this works correctly and lets NPS control by Windows groups who can and who can't connect.
Does someone know if I need to put some extra parameter in the NPS configuration to permit connecting to MikroTik using Windows RADIUS?

Thanks for all!!
 
karlisi
Member
Posts: 437
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: L2TP with Windows Server Radius

Fri Nov 05, 2021 8:33 am

This fix helps for Windows Server 2016, but perhaps it helps for 2012 too:

Here’s a fix so that you don’t have to explicitly select allow for all users that you want to connect.
Under NPS configuration in Windows Server 2016:
Under Policies > Network Policies > Virtual Private Network (VPN) Connections (or whatever you named it during setup)
Network connection method (at the bottom of the Overview tab)
Type of Network access server: Default is Remote Access Server (VPN Dial-up)
Change this to Unspecified.

https://mivilisnet.wordpress.com/2019/0 ... mment-7577
 
abeluko
just joined
Topic Author
Posts: 8
Joined: Tue Oct 26, 2021 3:03 pm

L2TP with Windows Server Radius [SOLVED]

Fri Nov 05, 2021 10:51 am

Hi Karlisi

Just yesterday, I found the same solution by searching the error number and MikroTik in Google, and I think it goes to the same post you sent me.

Thanks for all!!!!
