luigifanton
just joined
Topic Author
Posts: 1
Joined: Tue Feb 25, 2020 11:43 pm
Location: Europe/Rome

Freeipa radius ldap backend login

Tue Feb 25, 2020 11:49 pm

Hi,
I'm trying (without success) to authenticate MikroTik against a RADIUS FreeIPA server with an LDAP backend.
Has anyone been successful?
 
mekatum
just joined
Posts: 2
Joined: Sat Jun 27, 2020 10:14 pm

Re: Freeipa radius ldap backend login

Tue Jun 30, 2020 8:35 pm

Hi!
Maybe this is no longer relevant, but I'll answer.

I successfully implemented a bunch of CentOS 8 + FreeIPA 4.8.4 + FreeRADIUS 3.0.17 + MikroTik 6.47.

Some things were not obvious to me. FreeIPA's default password hash is PBKDF2_SHA256, but FreeRADIUS does not support it. You must change the FreeIPA hash.
MikroTik's RADIUS client uses MSCHAPv2 for auth. MSCHAPv2 supports only clear text or an NT hash. You must add NT hash support to your FreeIPA.
But still, it works! And I can connect to MikroTik's L2TP server with my LDAP login.
 
plantaznik
just joined
Posts: 1
Joined: Thu Aug 13, 2020 12:14 pm

Re: Freeipa radius ldap backend login

Thu Aug 13, 2020 12:19 pm

Hi mekatum,

I have the same problem. Newly installed FreeIPA with LDAP + FreeRADIUS.
Connections between Huawei and Cisco devices and the FreeIPA server over FreeRADIUS are OK, but MikroTik doesn't work.

My question is, how do I change the FreeIPA hash? Or how do I add NT hash support to my FreeIPA server?

Thank you for the help.

Best
Plnt
Last edited by plantaznik on Thu Aug 13, 2020 12:21 pm, edited 1 time in total.
 
yosefko
just joined
Posts: 1
Joined: Sun Mar 04, 2018 5:08 pm

Re: Freeipa radius ldap backend login

Tue Aug 18, 2020 9:08 am

Hi,

We used OpenLDAP with FreeRADIUS and use a cleartext password for MikroTik and other vendors (Cisco, Huawei, Zyxel...).
We made a similar setup as you ("I successfully implemented a bunch of centos 8 + freeipa 4.8.4 + freeradius 3.0.17 + mikrotik 6.47."), but we can't authenticate on MikroTik via this setup.
Please, could you help us in some way?
Thanks.

Yosefko
 
clovehitch
just joined
Posts: 9
Joined: Fri Mar 06, 2020 10:06 pm

Re: Freeipa radius ldap backend login

Wed Feb 10, 2021 12:35 am

I burnt a lot of time trying to get this to work.
- most guides are 5+ years old
- everyone that's giving advice and tips seems to be using different versions
- security issues trying to get this to work

The list kind of just goes on.

If someone could do a write up of all the steps needed for a fresh install of FreeIPA + FreeRADIUS I'm sure a lot of people would find it useful.

I gave up and just made a dedicated RADIUS server for mikrotik logins :(
 
FredNurk
just joined
Posts: 2
Joined: Sat Apr 17, 2021 2:57 am

Re: Freeipa radius ldap backend login

Tue Sep 27, 2022 1:36 pm

I had managed to get this working with CentOS 8, Freeipa, freeradius and a mikrotik router.
Up until (I suspect) the upgrade to RouterOS 7 it was working, but something has changed and the MSCHAP challenge is no longer working.

For background, I had used a number of guides that firstly use the FreeIPA - AD trust setup (don't need AD, just run the AD specific setup as it generates the NTHASH needed for mschap challenge) and then set up a service account with a specific permission to access the NTHASH as FreeIPA doesn't allow anonymous browsing.

Using radtest direct on the freeradius server, the MSCHAP challenge works. But now it fails with the Mikrotik RADIUS client. If I get to the bottom of it I'll update this post.
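An added example (not code from this thread, nor from FreeIPA or FreeRADIUS) illustrating the point mekatum makes about why a PBKDF2_SHA256 hash cannot serve MS-CHAPv2, and what the NTHASH FredNurk mentions actually is. It implements MD4 in pure Python (hashlib's md4 is frequently unavailable under OpenSSL 3) to derive the NT hash that FreeIPA stores in ipaNTHash, computes the RFC 2759 ChallengeHash step of MS-CHAPv2, and shows that a PAP check succeeds against either stored form while MS-CHAPv2 verification can only proceed from an NT hash or cleartext. The `{PBKDF2_SHA256}...` and `{NT}...` string encodings, the usernames, passwords and challenge bytes are constructed for illustration and are not FreeIPA's on-disk formats.

```python
"""Why MS-CHAPv2 needs an NT hash (or cleartext) on the RADIUS side.

Added example, not code from the thread or from FreeIPA/FreeRADIUS.
The {PBKDF2_SHA256} / {NT} string encodings below are constructed for
illustration and are NOT FreeIPA's exact on-disk formats.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(fn, state, X, order, shifts, const):
    # One MD4 round of 16 steps; rotating the tuple reproduces the
    # ABCD / DABC / CDAB / BCDA operation order of RFC 1320.
    a, b, c, d = state
    for i, k in enumerate(order):
        t = (a + fn(b, c, d) + X[k] + const) & MASK
        a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; needed because NT hash = MD4(UTF-16LE(password))."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(F, state, X, range(16), (3, 7, 11, 19), 0)
        s = _md4_round(G, s, X, r2, (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(H, s, X, r3, (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(x + y) & MASK for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The 16-byte value FreeIPA writes to ipaNTHash once NT hash generation is on."""
    return md4(password.encode("utf-16le"))


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8-byte DES plaintext of the MS-CHAPv2 response.
    The response is three DES encryptions of this value keyed from the zero-padded
    NT hash, so the verifier must hold the NT hash itself; a PBKDF2 digest is useless here."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def store_pbkdf2(password: str, salt: bytes = None, rounds: int = 10000) -> str:
    """Constructed {PBKDF2_SHA256} style string standing in for FreeIPA's default hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "{PBKDF2_SHA256}%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def store_nt(password: str) -> str:
    """Constructed {NT} style string standing in for an ipaNTHash value."""
    return "{NT}" + nt_hash(password).hex()


def pap_check(stored: str, password: str) -> bool:
    """PAP carries the cleartext password, so any stored form can be verified."""
    if stored.startswith("{PBKDF2_SHA256}"):
        rounds, salt, dk = stored[len("{PBKDF2_SHA256}"):].split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(rounds))
        return hmac.compare_digest(calc.hex(), dk)
    if stored.startswith("{NT}"):
        return hmac.compare_digest(nt_hash(password).hex(), stored[4:])
    return hmac.compare_digest(stored, password)  # cleartext store


def mschapv2_key_material(stored: str):
    """What an MS-CHAPv2 verifier needs: the NT hash. Derivable from cleartext,
    readable from ipaNTHash, never recoverable from a PBKDF2 digest (returns None,
    which is the failure mode described in the thread)."""
    if stored.startswith("{PBKDF2_SHA256}"):
        return None
    if stored.startswith("{NT}"):
        return bytes.fromhex(stored[4:])
    return nt_hash(stored)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print("ipaNTHash for 'password':", nt_hash("password").hex())
    print("PAP vs PBKDF2 :", pap_check(store_pbkdf2("password"), "password"))
    print("MS-CHAPv2 vs PBKDF2 key material:", mschapv2_key_material(store_pbkdf2("password")))
    print("MS-CHAPv2 vs ipaNTHash key material:", mschapv2_key_material(store_nt("password")).hex())
```

The two functions at the end are the decision FreeRADIUS effectively makes per request: `pap_check` succeeds for every stored form because the cleartext arrives on the wire, while `mschapv2_key_material` returns nothing for the PBKDF2 entry, which is why the MikroTik client (MS-CHAPv2 only) fails until ipaNTHash is populated and readable by the RADIUS service account.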
 
FredNurk
just joined
Posts: 2
Joined: Sat Apr 17, 2021 2:57 am

Re: Freeipa radius ldap backend login

Sat Apr 01, 2023 1:33 pm

Looks like something's changed on the MikroTik end; I'm now running RouterOS 7.7 and login against a FreeRADIUS server works again.
