 
osiris1636
just joined
Topic Author
Posts: 4
Joined: Tue Aug 23, 2022 12:19 pm

IKEv2 + NPS as RADIUS problem

Tue Aug 23, 2022 1:38 pm

Hello,

Looking to move away from L2TP/IPsec in favor of IKEv2 for my infrastructure and I need your advice, since hours and hours of searching online got me nowhere.

Infrastructure consists of an Active Dir, an internal PKI (AD CS) and an NPS server which acts as RADIUS for current wireless and L2TP/IPsec clients. Currently trying to figure out whether RouterOS is capable of working along with NPS to authenticate IKEv2 clients by using only certificates with the eap-radius auth method.
My router has a signed cert with the key imported (signed by AD CS), also the root CA cert imported (both are configured to be presented to clients in IPsec identity cfg), Windows clients have their own device certificates and they trust root CA, auth method is configured as eap-radius and the NPS server is set as a RADIUS server. When clients connect to the router, they present their device cert but then... it ends there. RouterOS doesn't forward client cert to NPS (nothing in logs) and just gives an "identity not found for peer:" message in logs and kills the connection. I suspect that it tried to search for that cert in its own cert storage and failed since client certs are not there, but wouldn't that defeat the whole purpose of the eap-radius if we need to manually import all client certs to RouterOS?

So my main question is - does RouterOS support IKEv2 certificate-only auth for clients with a Windows NPS as a RADIUS server?
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IKEv2 + NPS as RADIUS problem

Tue Aug 23, 2022 4:26 pm

Definitely should be possible to configure. Please post debug logs from the connection attempt (you can enable them in System Logging menu - topics=ipsec,!packet) as well as the IPsec Identity configuration.
 
osiris1636
just joined
Topic Author
Posts: 4
Joined: Tue Aug 23, 2022 12:19 pm

Re: IKEv2 + NPS as RADIUS problem

Tue Aug 23, 2022 6:54 pm

Definitely should be possible to configure. Please post debug logs from the connection attempt (you can enable them in System Logging menu - topics=ipsec,!packet) as well as the IPsec Identity configuration.
Here's the log. Trimmed some packet data and replaced a few variables with <info>
17:53:30 ipsec,debug ===== received 1104 bytes from <windows client ip>[30176] to <VPN server IP>[500] 

17:53:30 ipsec -> ike2 request, exchange: SA_INIT:0 <windows client ip>[30176] 9957669d0684d48e:0000000000000000 
17:53:30 ipsec ike2 respond 
17:53:30 ipsec payload seen: SA (736 bytes) 
17:53:30 ipsec payload seen: KE (136 bytes) 
17:53:30 ipsec payload seen: NONCE (52 bytes) 
17:53:30 ipsec payload seen: NOTIFY (8 bytes) 
17:53:30 ipsec payload seen: NOTIFY (28 bytes) 
17:53:30 ipsec payload seen: NOTIFY (28 bytes) 
17:53:30 ipsec payload seen: VID (24 bytes) 
17:53:30 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009 
17:53:30 ipsec payload seen: VID (20 bytes) 
17:53:30 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120 
17:53:30 ipsec payload seen: VID (20 bytes) 
17:53:30 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819 
17:53:30 ipsec payload seen: VID (24 bytes) 
17:53:30 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002 
17:53:30 ipsec processing payload: NONCE 
17:53:30 ipsec processing payload: SA 
17:53:30 ipsec IKE Protocol: IKE 
17:53:30 ipsec  proposal #1 
17:53:30 ipsec   enc: 3des-cbc 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   auth: sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #2 
17:53:30 ipsec   enc: 3des-cbc 
17:53:30 ipsec   prf: hmac-sha256 
17:53:30 ipsec   auth: sha256 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #3 
17:53:30 ipsec   enc: 3des-cbc 
17:53:30 ipsec   prf: hmac-sha384 
17:53:30 ipsec   auth: sha384 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #4 
17:53:30 ipsec   enc: aes128-cbc 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   auth: sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #5 
17:53:30 ipsec   enc: aes128-cbc 
17:53:30 ipsec   prf: hmac-sha256 
17:53:30 ipsec   auth: sha256 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #6 
17:53:30 ipsec   enc: aes128-cbc 
17:53:30 ipsec   prf: hmac-sha384 
17:53:30 ipsec   auth: sha384 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #7 
17:53:30 ipsec   enc: aes192-cbc 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   auth: sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #8 
17:53:30 ipsec   enc: aes192-cbc 
17:53:30 ipsec   prf: hmac-sha256 
17:53:30 ipsec   auth: sha256 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #9 
17:53:30 ipsec   enc: aes192-cbc 
17:53:30 ipsec   prf: hmac-sha384 
17:53:30 ipsec   auth: sha384 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #10 
17:53:30 ipsec   enc: aes256-cbc 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   auth: sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #11 
17:53:30 ipsec   enc: aes256-cbc 
17:53:30 ipsec   prf: hmac-sha256 
17:53:30 ipsec   auth: sha256 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #12 
17:53:30 ipsec   enc: aes256-cbc 
17:53:30 ipsec   prf: hmac-sha384 
17:53:30 ipsec   auth: sha384 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #13 
17:53:30 ipsec   enc: aes128-gcm 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #14 
17:53:30 ipsec   enc: aes128-gcm 
17:53:30 ipsec   prf: hmac-sha256 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #15 
17:53:30 ipsec   enc: aes128-gcm 
17:53:30 ipsec   prf: hmac-sha384 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #16 
17:53:30 ipsec   enc: aes256-gcm 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #17 
17:53:30 ipsec   enc: aes256-gcm 
17:53:30 ipsec   prf: hmac-sha256 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec  proposal #18 
17:53:30 ipsec   enc: aes256-gcm 
17:53:30 ipsec   prf: hmac-sha384 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec matched proposal: 
17:53:30 ipsec  proposal #1 
17:53:30 ipsec   enc: 3des-cbc 
17:53:30 ipsec   prf: hmac-sha1 
17:53:30 ipsec   auth: sha1 
17:53:30 ipsec   dh: modp1024 
17:53:30 ipsec processing payload: KE 
17:53:30 ipsec,debug => shared secret (size 0x80) 

17:53:30 ipsec adding payload: SA 
17:53:30 ipsec,debug => (size 0x2c) 

17:53:30 ipsec adding payload: KE 
17:53:30 ipsec,debug => (size 0x88) 

17:53:30 ipsec adding payload: NONCE 
17:53:30 ipsec,debug => (size 0x1c) 
17:53:30 ipsec,debug 0000001c 763228b7 859c5f6a bdef748e c567531f 56ab8ac6 f99a4de4 
17:53:30 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
17:53:30 ipsec,debug => (size 0x1c) 
17:53:30 ipsec,debug 0000001c 00004004 f0d1bbb0 9482d884 8a9493f3 2e66c79d 8318039a 
17:53:30 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
17:53:30 ipsec,debug => (size 0x1c) 
17:53:30 ipsec,debug 0000001c 00004005 203502d3 6053e3d4 b6bb2f4b 719a5d19 1869c1bc 
17:53:30 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
17:53:30 ipsec,debug => (size 0x8) 
17:53:30 ipsec,debug 00000008 0000402e 
17:53:30 ipsec adding payload: CERTREQ 
17:53:30 ipsec,debug => (size 0x5) 
17:53:30 ipsec,debug 00000005 04 
17:53:30 ipsec <- ike2 reply, exchange: SA_INIT:0 <windows client ip>[30176] 9957669d0684d48e:4de4511a30bd32f7 
17:53:30 ipsec,debug ===== sending 305 bytes from <VPN server IP>[500] to <windows client ip>[30176] 
17:53:30 ipsec,debug 1 times of 305 bytes message will be sent to <windows client ip>[30176] 

17:53:30 ipsec,debug => skeyseed (size 0x14) 
17:53:30 ipsec,debug 4e8ec4ec 0542388e 990f0b24 15a7d0ed 0f1cd503 
17:53:30 ipsec,debug => keymat (size 0x14) 
17:53:30 ipsec,debug 4db389e8 bfc04383 cad199e0 324d5544 45f3c8ce 
17:53:30 ipsec,debug => SK_ai (size 0x14) 
17:53:30 ipsec,debug d9c3770c 05b4ef13 070ab441 bbdce288 5f45a5a2 
17:53:30 ipsec,debug => SK_ar (size 0x14) 
17:53:30 ipsec,debug 76049c5f e93a245b ddc91d31 5727f022 52c63d8e 
17:53:30 ipsec,debug => SK_ei (size 0x18) 
17:53:30 ipsec,debug d5285658 74020701 84f0e64d 698fd137 812b2718 6837e23d 
17:53:30 ipsec,debug => SK_er (size 0x18) 
17:53:30 ipsec,debug 2214b556 37925335 b8671f19 c9d71c6a d5891553 0366e201 
17:53:30 ipsec,debug => SK_pi (size 0x14) 
17:53:30 ipsec,debug 84597a9a 0f5a9fa9 4898aabd 0f21b4c6 b9453694 
17:53:30 ipsec,debug => SK_pr (size 0x14) 
17:53:30 ipsec,debug 47539c5e 0eb9db3e 8a8ad97d 38912c2c 6a2ccfd4 
17:53:30 ipsec,info new ike2 SA (R): ipsec-IKEv2 <VPN server IP>[500]-<windows client ip>[30176] spi:4de4511a30bd32f7:9957669d0684d48e 
17:53:30 ipsec processing payloads: VID 
17:53:30 ipsec peer is MS Windows (ISAKMPOAKLEY 9) 
17:53:30 ipsec processing payloads: NOTIFY 
17:53:30 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
17:53:30 ipsec   notify: NAT_DETECTION_SOURCE_IP 
17:53:30 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
17:53:30 ipsec (NAT-T) REMOTE  
17:53:30 ipsec KA list add: <VPN server IP>[4500]-><windows client ip>[30176] 
17:53:30 ipsec fragmentation negotiated 
17:53:31 ipsec,debug ===== received 568 bytes from <windows client ip>[30174] to <VPN server IP>[4500] 

17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec peer ports changed: 30176 -> 30174 
17:53:31 ipsec KA remove: <VPN server IP>[4500]-><windows client ip>[30176] 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30176] (in_use=2) 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30176] (in_use=1) 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30176] (in_use=1) 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30176] (in_use=1) 
17:53:31 ipsec,debug KA removing this one... 
17:53:31 ipsec KA list add: <VPN server IP>[4500]-><windows client ip>[30174] 
17:53:31 ipsec payload seen: SKF (540 bytes) 
17:53:31 ipsec processing payload: ENC (not found) 
17:53:31 ipsec processing payload: SKF 
17:53:31 ipsec,debug => iv (size 0x8) 
17:53:31 ipsec,debug f9733486 d631bf46 
17:53:31 ipsec,debug decrypted fragment 1 out of 6 
17:53:31 ipsec,debug,packet => plain fragment (size 0x1f8) 

17:53:31 ipsec,debug need more fragments 
17:53:31 ipsec,debug ===== received 568 bytes from <windows client ip>[30174] to <VPN server IP>[4500] 

17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec payload seen: SKF (540 bytes) 
17:53:31 ipsec processing payload: ENC (not found) 
17:53:31 ipsec processing payload: SKF 
17:53:31 ipsec,debug => iv (size 0x8) 
17:53:31 ipsec,debug e42cc098 573a318a 
17:53:31 ipsec,debug decrypted fragment 2 out of 6 
17:53:31 ipsec,debug,packet => plain fragment (size 0x1f8) 

17:53:31 ipsec,debug need more fragments 
17:53:31 ipsec,debug ===== received 568 bytes from <windows client ip>[30174] to <VPN server IP>[4500] 

17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec payload seen: SKF (540 bytes) 
17:53:31 ipsec processing payload: ENC (not found) 
17:53:31 ipsec processing payload: SKF 
17:53:31 ipsec,debug => iv (size 0x8) 
17:53:31 ipsec,debug a3f02ae5 47a268fa 
17:53:31 ipsec,debug decrypted fragment 3 out of 6 
17:53:31 ipsec,debug,packet => plain fragment (size 0x1f8) 

17:53:31 ipsec,debug need more fragments 
17:53:31 ipsec,debug ===== received 568 bytes from <windows client ip>[30174] to <VPN server IP>[4500] 

17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec payload seen: SKF (540 bytes) 
17:53:31 ipsec processing payload: ENC (not found) 
17:53:31 ipsec processing payload: SKF 
17:53:31 ipsec,debug => iv (size 0x8) 
17:53:31 ipsec,debug 3bd7df66 6ff0437b 
17:53:31 ipsec,debug decrypted fragment 4 out of 6 
17:53:31 ipsec,debug,packet => plain fragment (size 0x1f8) 

17:53:31 ipsec,debug need more fragments 
17:53:31 ipsec,debug ===== received 568 bytes from <windows client ip>[30174] to <VPN server IP>[4500] 

17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec payload seen: SKF (540 bytes) 
17:53:31 ipsec processing payload: ENC (not found) 
17:53:31 ipsec processing payload: SKF 
17:53:31 ipsec,debug => iv (size 0x8) 
17:53:31 ipsec,debug 0d565343 8e79c9c8 
17:53:31 ipsec,debug decrypted fragment 5 out of 6 
17:53:31 ipsec,debug,packet => plain fragment (size 0x1f8) 

17:53:31 ipsec,debug need more fragments 
17:53:31 ipsec,debug ===== received 304 bytes from <windows client ip>[30174] to <VPN server IP>[4500] 

17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec payload seen: SKF (276 bytes) 
17:53:31 ipsec processing payload: ENC (not found) 
17:53:31 ipsec processing payload: SKF 
17:53:31 ipsec,debug => iv (size 0x8) 
17:53:31 ipsec,debug 6cac02ea 2fb308d8 
17:53:31 ipsec,debug decrypted fragment 6 out of 6 
17:53:31 ipsec,debug,packet => plain fragment (size 0xf4) 

17:53:31 ipsec,debug reassembling fragments 
17:53:31 ipsec,debug,packet => decrypted packet (size 0xae8) 

17:53:31 ipsec payload seen: ID_I (46 bytes) 
17:53:31 ipsec payload seen: CERT (1405 bytes) 
17:53:31 ipsec payload seen: CERTREQ (685 bytes) 
17:53:31 ipsec payload seen: AUTH (264 bytes) 
17:53:31 ipsec payload seen: NOTIFY (8 bytes) 
17:53:31 ipsec payload seen: CONFIG (36 bytes) 
17:53:31 ipsec payload seen: SA (192 bytes) 
17:53:31 ipsec payload seen: TS_I (64 bytes) 
17:53:31 ipsec payload seen: TS_R (64 bytes) 
17:53:31 ipsec processing payloads: NOTIFY 
17:53:31 ipsec   notify: MOBIKE_SUPPORTED 
17:53:31 ipsec ike auth: respond 
17:53:31 ipsec processing payload: ID_I 
17:53:31 ipsec ID_I (DER DN): <Windows client machine fqdn> 
17:53:31 ipsec processing payload: ID_R (not found) 
17:53:31 ipsec processing payload: AUTH 
17:53:31 ipsec processing payload: CERT 
17:53:31 ipsec got CERT: <Windows client machine fqdn> 
17:53:31 ipsec,debug => certificate (size 0x578) 

17:53:31 ipsec,error identity not found for peer: DER DN: <Windows client machine fqdn> 
17:53:31 ipsec reply notify: AUTHENTICATION_FAILED 
17:53:31 ipsec adding notify: AUTHENTICATION_FAILED 
17:53:31 ipsec,debug => (size 0x8) 
17:53:31 ipsec,debug 00000008 00000018 
17:53:31 ipsec <- ike2 reply, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7 
17:53:31 ipsec,debug,packet => outgoing plain packet (size 0x24) 
17:53:31 ipsec,debug,packet 9957669d 0684d48e 4de4511a 30bd32f7 29202320 00000001 00000024 00000008 
17:53:31 ipsec,debug,packet 00000018 
17:53:31 ipsec adding payload: ENC 
17:53:31 ipsec,debug => (size 0x38) 
17:53:31 ipsec,debug 29000038 68830be0 609ed7d7 f32bdb0e b07c8b2f bfe182fc ec0b82b8 9e8b29ec 
17:53:31 ipsec,debug 6c4abe90 f53a9d1b 6c3b1968 5cb869fe 8defc1ed 6627eeb2 
17:53:31 ipsec,debug ===== sending 84 bytes from <VPN server IP>[4500] to <windows client ip>[30174] 
17:53:31 ipsec,debug 1 times of 88 bytes message will be sent to <windows client ip>[30174] 
17:53:31 ipsec,debug,packet 9957669d 0684d48e 4de4511a 30bd32f7 2e202320 00000001 00000054 29000038 
17:53:31 ipsec,debug,packet 68830be0 609ed7d7 f32bdb0e b07c8b2f bfe182fc ec0b82b8 9e8b29ec 6c4abe90 
17:53:31 ipsec,debug,packet f53a9d1b 6c3b1968 1615eb34 6ff63153 ff394c4c 
17:53:31 ipsec,info killing ike2 SA: ipsec-IKEv2 <VPN server IP>[4500]-<windows client ip>[30174] spi:4de4511a30bd32f7:9957669d0684d48e 
17:53:31 ipsec KA remove: <VPN server IP>[4500]-><windows client ip>[30174] 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30174] (in_use=2) 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30174] (in_use=1) 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30174] (in_use=1) 
17:53:31 ipsec,debug KA tree dump: <VPN server IP>[4500]-><windows client ip>[30174] (in_use=1)
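As an added example (not code from the thread, from MikroTik or from NPS), here is a small Python triage script for RouterOS IPsec debug logs of the kind quoted above (topics=ipsec,!packet). It pulls out the exchanges reached, the matched IKE proposal, the peer's ID_I and CERT, error lines, the notify sent back and whether the SA was killed, then reports what a reviewer would look at: that the failure happened at IKE_AUTH with no RADIUS line anywhere in the log, and that the matched proposal (3des-cbc, sha1, modp1024) is weak. The embedded log is a constructed excerpt of the one posted here, keeping the poster's placeholders; the field names and the "weak algorithm" lists are my own assumptions.

```python
"""Triage helper for RouterOS IPsec debug logs (topics=ipsec,!packet).

Added example, not RouterOS or forum code. SAMPLE_LOG is a constructed
excerpt of the log posted in the thread (placeholders kept as the poster
wrote them).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
17:53:30 ipsec -> ike2 request, exchange: SA_INIT:0 <windows client ip>[30176] 9957669d0684d48e:0000000000000000
17:53:30 ipsec ike2 respond
17:53:30 ipsec  proposal #13
17:53:30 ipsec   enc: aes128-gcm
17:53:30 ipsec   prf: hmac-sha1
17:53:30 ipsec   dh: modp1024
17:53:30 ipsec matched proposal:
17:53:30 ipsec  proposal #1
17:53:30 ipsec   enc: 3des-cbc
17:53:30 ipsec   prf: hmac-sha1
17:53:30 ipsec   auth: sha1
17:53:30 ipsec   dh: modp1024
17:53:30 ipsec processing payload: KE
17:53:30 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
17:53:31 ipsec -> ike2 request, exchange: AUTH:1 <windows client ip>[30174] 9957669d0684d48e:4de4511a30bd32f7
17:53:31 ipsec ID_I (DER DN): <Windows client machine fqdn>
17:53:31 ipsec got CERT: <Windows client machine fqdn>
17:53:31 ipsec,error identity not found for peer: DER DN: <Windows client machine fqdn>
17:53:31 ipsec reply notify: AUTHENTICATION_FAILED
17:53:31 ipsec adding notify: AUTHENTICATION_FAILED
17:53:31 ipsec,info killing ike2 SA: ipsec-IKEv2 <VPN server IP>[4500]-<windows client ip>[30174] spi:4de4511a30bd32f7:9957669d0684d48e
"""

# Algorithm choices worth flagging if they end up in the *matched* proposal
# (assumption: this is the reviewer's own list, not a RouterOS setting).
WEAK_CHOICES = {
    "enc": {"des-cbc", "3des-cbc"},
    "prf": {"hmac-md5", "hmac-sha1"},
    "auth": {"md5", "sha1"},
    "dh": {"modp768", "modp1024"},
}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")   # time, topics, message
ATTR_RE = re.compile(r"^(enc|prf|auth|dh): (\S+)$")


@dataclass
class IkeAttempt:
    exchanges: List[str] = field(default_factory=list)
    matched_proposal: Dict[str, str] = field(default_factory=dict)
    peer_os: Optional[str] = None
    id_i_type: Optional[str] = None
    id_i: Optional[str] = None
    cert_subject: Optional[str] = None
    errors: List[str] = field(default_factory=list)
    notifies: List[str] = field(default_factory=list)
    radius_lines: List[str] = field(default_factory=list)
    killed: bool = False


def parse_ike_log(text: str) -> IkeAttempt:
    """Reduce one connection attempt's log lines to an IkeAttempt summary."""
    att = IkeAttempt()
    in_matched = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        topics, msg = m.group(2).split(","), m.group(3).strip()
        if in_matched:  # inside the "matched proposal:" block
            if msg.startswith("proposal #"):
                continue
            a = ATTR_RE.match(msg)
            if a:
                att.matched_proposal[a.group(1)] = a.group(2)
                continue
            in_matched = False  # first non-attribute line closes the block
        if msg.startswith("matched proposal"):
            in_matched = True
        elif (x := re.search(r"exchange: (\w+):\d+", msg)):
            att.exchanges.append(x.group(1))
        elif msg.startswith("peer is "):
            att.peer_os = msg[len("peer is "):]
        elif (x := re.match(r"ID_I \(([^)]+)\): (.*)$", msg)):
            att.id_i_type, att.id_i = x.group(1), x.group(2)
        elif msg.startswith("got CERT: "):
            att.cert_subject = msg[len("got CERT: "):]
        elif (x := re.match(r"reply notify: (\S+)", msg)):
            att.notifies.append(x.group(1))
        elif msg.startswith("killing ike2 SA"):
            att.killed = True
        if "error" in topics:
            att.errors.append(msg)
        if "radius" in msg.lower():
            att.radius_lines.append(msg)
    return att


def triage(att: IkeAttempt) -> List[str]:
    """Turn the summary into the findings a reviewer would report."""
    findings = []
    if "AUTH" in att.exchanges and any("identity not found" in e for e in att.errors):
        where = "no RADIUS line in the log" if not att.radius_lines else "RADIUS lines present"
        findings.append(
            f"IKE_AUTH reached; peer sent ID_I ({att.id_i_type}) {att.id_i!r} and "
            f"CERT {att.cert_subject!r}, but no identity row matched ({where}): "
            "rejected locally before EAP/RADIUS started"
        )
    for k, v in att.matched_proposal.items():
        if v in WEAK_CHOICES.get(k, set()):
            findings.append(f"weak IKE {k} negotiated: {v}")
    if att.killed and "AUTHENTICATION_FAILED" in att.notifies:
        findings.append("SA torn down with AUTHENTICATION_FAILED")
    return findings


if __name__ == "__main__":
    for line in triage(parse_ike_log(SAMPLE_LOG)):
        print("-", line)
```

Reading the findings back against the thread: the responder got as far as IKE_AUTH, saw a DER DN ID_I plus a certificate, and rejected the peer itself because no identity row matched; there is no RADIUS traffic to look for because the EAP phase never started. The weak-proposal findings are a side observation: the Windows client's first proposal (3des-cbc/sha1/modp1024) was the one accepted, which is worth tightening in the IKE profile once authentication works.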
 
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 + NPS as RADIUS problem

Tue Aug 23, 2022 11:37 pm

Here's the log.
@emils asked also for the export of /ip ipsec identity.
 
osiris1636
just joined
Topic Author
Posts: 4
Joined: Tue Aug 23, 2022 12:19 pm

Re: IKEv2 + NPS as RADIUS problem

Wed Aug 24, 2022 2:10 pm

Sorry, sending:
add auth-method=eap-radius certificate="MIkrotik v2 IKE" generate-policy=\
    port-strict mode-config="IKEv2 VPN cfg" peer=ipsec-IKEv2 \
    policy-template-group=IKEv2-VPN
The above-mentioned certificate has a private key imported and the issuing CA is the same one which issues client machine certs that are presented to Mikrotik when connecting via IKE2.
Own and Remote ID set to auto in GUI
 
osiris1636
just joined
Topic Author
Posts: 4
Joined: Tue Aug 23, 2022 12:19 pm

Re: IKEv2 + NPS as RADIUS problem

Sat Sep 03, 2022 2:49 pm

A small update on the matter. Seems like this issue happens only when the user VPN profile is set to present the device cert. User certs do work and get passed to NPS, even though both device and user certs are issued by the same CA. The only difference I've found so far is that we have a specific user cert that has "Enterprise VPN" set in application policies, whereas the device cert does not. No idea if RouterOS checks these policies when it determines whether to pass the cert to RADIUS or not during the IKEv2 authentication process, will post an update on this when I have time.
 
Wooferguy
just joined
Posts: 7
Joined: Thu Nov 07, 2019 6:06 am
Location: New Zealand

Re: IKEv2 + NPS as RADIUS problem

Wed Oct 26, 2022 4:38 pm

Keen to bump this one.
I am experiencing the same problem using a similar setup and client type. When using auth-method=eap-radius, the identity is not found for the peer DER DN - and as far as I can tell no requests are sent to the RADIUS server. Curiously when I use auth-method=digital-signature and specify individual clients and their matching certificates, my connections are established. But I think I can point to the setting that makes it work.

Sindy recently solved this one:
viewtopic.php?t=183794
But the key difference is the clients authenticated using username and password, hence their identity was matched by remote ID and passed to RADIUS.

And Sindy again here back in 2020:
viewtopic.php?t=159317
The answer is the match-by=certificate setting in the /ip ipsec identity rows. With this setting, the 'Tik acting as IPsec responder uses the received certificate to match through the rows of the identity table and ignores the ID_I field from the IPsec initiator.
But in this case the Mikrotik handled the EAP side locally - no RADIUS server was used.

The trouble is, when using auth-method=eap-radius, we cannot specify match-by=certificate. Makes sense, we don't even point to a client certificate to match in the identity since we expect it to be passed to and handled by the RADIUS server. But IPSec still tries to match to something!!! I am seriously wondering if we are looking at a bug. I would love to be proven wrong.

In the meantime if you're willing to export all of your certificates over to the Mikrotik and build individual identities, this post gives config that works without the use of a RADIUS server. Just sub in your own certs.
viewtopic.php?t=175656
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 + NPS as RADIUS problem

Thu Oct 27, 2022 9:45 am

But IPSec still tries to match to something!!! I am seriously wondering if we are looking at a bug.
The question is whether the initiator identifies itself by any useful ID_I (a private IP address is not useful because it is usually unpredictable). There seems to be no possibility to use any kind of wildcard for identity matching, but there is an ignore option for the remote-id. So maybe (I've got no way to test that) this is the way to make ROS choose that identity row when the received ID_I is useless?

If this doesn't work, look into the log what ID_I the initiator is sending.
 
Wooferguy
just joined
Posts: 7
Joined: Thu Nov 07, 2019 6:06 am
Location: New Zealand

Re: IKEv2 + NPS as RADIUS problem

Fri Oct 28, 2022 12:10 am

Thanks for the suggestions, I have tried to set ignore for remote ID type - it seems to make no difference when trying to connect. Crucially it makes no difference to the logs either, and I still see no traffic being passed to the RADIUS server. The manual suggests that in auto all ID types are accepted, and that ignore simply skips a verification step.

In my case rather than ID_I being a Microsoft fqdn, I see the subject contents of the passed client certificate, as in:
ID_I (DER DN): CN=xxx,C=NZ,ST=....

Looking at a training seminar titled "MIKROTIK USER MEETING BUCHAREST –ROMANIA, OCTOBER 29, 2018", one of the slides makes this point:
• Current limitation: only PAP is supported for RouterOS RADIUS Ipsec

That would slow us down... Since this was almost 4 years ago to the day, perhaps we have overcome this limitation? This was during a time when the branch IPsec identity didn't exist after all.
 
Wooferguy
just joined
Posts: 7
Joined: Thu Nov 07, 2019 6:06 am
Location: New Zealand

Re: IKEv2 + NPS as RADIUS problem

Sat Oct 29, 2022 2:12 pm

I stand corrected!! @minfrin has allegedly solved this back in February 2018, using RouterOS 6.41.2:
viewtopic.php?t=131469

Very interested to know if this still works, as config didn't use /ip ipsec identity until 6.44 in February of 2019.
