ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

SSTP - Authentication by RADIUS

Tue Sep 13, 2022 7:01 pm

Hi,
I have an RB4011 as our main router. We have set up an SSTP VPN and this is working really well.
We also have Hotspot set up for our authenticated WiFi, which uses RADIUS to authenticate users against our Active Directory… again working really well.

I can see that it's possible to authenticate PPP users using RADIUS (and I have enabled this), but it seems that for the SSTP VPN users we have to manually create a secret for each user.
Is it possible to authenticate SSTP users via RADIUS at all, or is PPP/RADIUS limited only to PPPoE (something I read online seemed to point at this, but wasn't amazingly clear)?
I think we have all the pieces setup to be able to do this, if it’s possible.

Thanks

Colin
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: SSTP - Authentication by RADIUS

Wed Sep 14, 2022 1:40 am

Yes, it is possible. I use this with WS 2022, but I also had it working on SBS 2011 (which is just bundled WS 2008 R2).
You need to make sure that:
  • your PPP setup allows using RADIUS (in ppp/secrets)
  • your RADIUS profile in MikroTik is allowed to be used for the ppp service
  • your server accepts RADIUS requests with the same encryption as used for SSTP
Those are, from memory, all the main steps I had to do. I had some issues as well, but all I had to do was follow the breadcrumbs in the logs and look at the MikroTik RADIUS requests and the answers from the server.
/radius
add address=domain.controller domain=example.com secret="xxxxxxx" service=ppp
add address=domain.controller domain=example secret="xxxxxxx" service=ppp
That's all. I have two entries intentionally because a user can log in with
user.name@example.com
or
example\user.name
From the log you should see whether RADIUS gets called or not and what the result is. Temporarily enable logging for all RADIUS messages with
/system logging add action=memory topics=radius
and see what's going on:

Typically, you may see "no radius server found". That most of the time means your domain does not match with what user requested.
[attached screenshot: winbox_KBLloLKQui.png]
When the radius server is found but times out, either the IP is incorrect, or the server does not accept requests.
[attached screenshot: winbox_Nn2X515zUl.png]
Last edited by vecernik87 on Wed Sep 14, 2022 7:03 am, edited 4 times in total.
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia
Contact:

Re: SSTP - Authentication by RADIUS

Wed Sep 14, 2022 6:26 am

100% possible, and we use it a fair bit. Let's say you have all the SSTP stuff set up (connecting clients, using certs, etc.) and we are just hooking up the RADIUS.
  1. You will need to set up the RADIUS client. This is done by going to Radius from the main menu on the left-hand side of WebFig/WinBox; in the new window add a new server, or edit your existing one if you are using the same server as the Hotspot etc. Make sure that PPP is ticked as a service. The minimum in here is to set the address of the RADIUS server and the ports, but you will probably want to password-protect this.
     The other thing to note is that if your RADIUS server is remote, I would recommend not connecting directly to the server through the public interface but instead setting up a tunnel and routing the traffic through the VPN tunnel. You might also want to turn the timeout up a bit :)
  2. Optional: back in the root of the Radius menu there should be an Incoming button/section. You will need to allow this if you would like this router to respond to messages initiated from the server. This is for CoA purposes, so it can kick RADIUS users off that go outside their limitations, i.e. used too much bandwidth, time's up, etc. This is simple: all you need to do is tick Accept and make sure the port is the same one the server is using for this.
  3. Now you will need to go to PPP from the main menu on the right. In there, go to Secrets and click the PPP Authentication & Accounting button. Make sure it has Use Radius ticked, as well as Accounting if you want the router to update the RADIUS server on uptime, bandwidth usage, etc. If you do want updates, I would suggest changing the interim updates; this is the time between sending updates. If you have a lot of devices connected to the same RADIUS server, it's worth turning this timer up so you are not "DDoS'ing" yourself.
Off the top of my head, that should be the basics of the MikroTik end of connecting it to the RADIUS server. Remember that the RADIUS client has statistics for requests etc., as well as stats for the incoming packets; this is a quick way to see whether it is working or not. Or enable the radius and debug logging topics and see if you are getting any requests and responses to those requests :)
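The steps in the two replies above (vecernik87's RADIUS entries per realm spelling and logging topic, AidanAus's RADIUS client, optional CoA "Incoming" and PPP AAA/accounting settings), pulled together as one added RouterOS terminal example. This is not either poster's configuration: the server address 192.0.2.10, the shared secret placeholder, the realm names and the timeout/interim values are assumptions to be replaced with your own.

```routeros
# Added example (not from either poster's config): a complete RouterOS
# snippet wiring SSTP (PPP) authentication and accounting to a RADIUS server.
# 192.0.2.10, the shared secret, the realm names and the timers are
# placeholders; substitute your own values.

# 1. RADIUS client. One entry per realm spelling so that both
#    user.name@example.com and example\user.name resolve to a server
#    (otherwise the radius log shows "no radius server found").
#    service=ppp is what makes SSTP (a PPP service) use this entry.
/radius
add address=192.0.2.10 secret="REPLACE-WITH-A-LONG-RANDOM-SECRET" service=ppp \
    domain=example.com timeout=3000ms comment="NPS, reached over site-to-site tunnel"
add address=192.0.2.10 secret="REPLACE-WITH-A-LONG-RANDOM-SECRET" service=ppp \
    domain=example timeout=3000ms comment="NPS, NetBIOS-style realm"

# 2. Optional: accept CoA / Disconnect-Request packets from the server so it
#    can end sessions. Port must match the server's CoA port; limit UDP/3799
#    on the input chain to the RADIUS host's address in your firewall filter.
/radius incoming
set accept=yes port=3799

# 3. Tell PPP (and therefore SSTP) to authenticate via RADIUS and to send
#    accounting. A longer interim-update keeps a busy server from being
#    flooded by many concurrent sessions.
/ppp aaa
set use-radius=yes accounting=yes interim-update=5m

# Diagnostics while testing: log all RADIUS traffic to memory, then watch
# the client counters. Timeouts point at a wrong address/secret or a server
# that is not accepting requests from this router's source address.
/system logging
add topics=radius action=memory
/radius monitor 0 once
/log print where topics~"radius"
```

Remove the `/system logging` entry once the setup is confirmed working; the radius topic is noisy on a router with many PPP sessions.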
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: SSTP - Authentication by RADIUS

Wed Sep 14, 2022 7:45 am

Fantastic - thank you very much both of you.
I shall have a go this week/weekend and report back.
