gerarivero
just joined
Topic Author
Posts: 2
Joined: Fri Jan 26, 2018 12:23 am

RouterOS + FreeRadius + Active Directory

Wed Jan 29, 2020 5:08 pm

Hi all

I just want to ask if anyone has found a workaround for devices that are running versions before 6.43 and have Winbox login via FreeRadius and encrypted stored passwords on the server side.

We actually have a setup working just fine with MikroTik and Cisco devices using FreeRadius integrated with our Active Directory domain.

Access via Winbox to MikroTiks that run versions after 6.43 is smooth and fast using the AD protocol MSCHAPv2. For Cisco devices we use hashed stored passwords in the FreeRadius DB to work with PAP.

Our goal is to achieve a solution where we can use Winbox login, not just ssh or webfig, for all devices on our premises and where all the passwords stored in the DB will be encrypted.

Last but not least, we cannot give ourselves the pleasure of upgrading all MikroTiks to versions greater than 6.43.

Current Working Environment:
- Freeradius 3.0 + postgresql
- Windows Server 2008 Active Directory
- More than 2000 routers running different versions

RouterOS version >= 6.43 and IOS, full access with FreeRadius
RouterOS version < 6.43, only access via ssh and webfig with FreeRadius

Does anyone have a suggestion on how we can carry this out?
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: RouterOS + FreeRadius + Active Directory

Thu Jan 30, 2020 3:57 am

CHAP, which is used for RADIUS Winbox authentication prior to v6.43, requires plaintext passwords stored on the server.
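
Added example, not part of any post in this thread: a Python sketch of why a RADIUS server can verify PAP against a one-way hashed password but needs the cleartext to verify a CHAP response (RFC 1994: MD5 over identifier, secret and challenge). The password, the PBKDF2 storage format and all function names are constructed for illustration and are not FreeRADIUS's own schema or code.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def stored_hash(password: bytes, salt: bytes) -> bytes:
    """One-way stored credential (assumed format, for illustration only)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_pap(received_password: bytes, salt: bytes, stored: bytes) -> bool:
    # PAP: the server recovers the cleartext password from the request,
    # so it can re-hash it and compare against the stored hash.
    return hmac.compare_digest(stored_hash(received_password, salt), stored)

def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    # CHAP: the server only receives MD5(id || password || challenge).
    # It must recompute that value, which needs the password itself.
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"Example-Passw0rd"      # constructed sample credential
    salt = os.urandom(16)
    db_hash = stored_hash(password, salt)

    ident, challenge = 0x2A, os.urandom(16)
    client_resp = chap_response(ident, password, challenge)  # client side

    return {
        # Hashed storage works for PAP.
        "pap_with_hashed_store": verify_pap(password, salt, db_hash),
        # CHAP succeeds only when the server holds the cleartext.
        "chap_with_plaintext_store": verify_chap(ident, challenge,
                                                 client_resp, password),
        # Feeding the stored hash in as the CHAP secret does not match.
        "chap_with_hashed_store": verify_chap(ident, challenge,
                                              client_resp, db_hash),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```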
 
j2sw
Member Candidate
Posts: 131
Joined: Mon Sep 04, 2006 5:42 am
Location: Indiana

Re: RouterOS + FreeRadius + Active Directory

Thu Jun 09, 2022 5:28 pm

What is used after 6.43?
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: RouterOS + FreeRadius + Active Directory

Thu Jun 09, 2022 5:32 pm

MAJOR CHANGES IN v6.43:
!) radius - use MS-CHAPv2 for "login" service authentication;
