NSimpraga
newbie
Topic Author
Posts: 36
Joined: Fri Sep 27, 2019 2:47 pm

L2TP IPSec VPN with RADIUS authentication

Tue Dec 15, 2020 6:41 pm

Greetings,

I am working on a setup which involves VPN authentication against Azure Active Directory. Lots of people told me it can't work but there's actually a really nice module made for FreeRADIUS - https://github.com/jimdigriz/freeradius-oauth2-perl
It uses OAuth2 to talk to Azure AD, and it works pretty well. One of the drawbacks is that PAP needs to be used, so the password is transported in cleartext to Azure AD.

Right now, I can successfully authenticate against Azure AD when I set PPTP as the type of VPN used. The Mikrotik receives the request, forwards it to the FreeRADIUS server which talks to Azure AD and it successfully sends back an Access-Accept response. The PPTP VPN connection is established using the credentials of the cloud-based Azure AD account. Awesome.

Problem is, when I set the VPN type to L2TP w/ PSK, it stops working. I initiate a connection from a Windows machine, and the log on the Mikrotik says the following:
respond new phase 1 (Identity Protection): MY.PUBLIC.IP[500] <=>OTHER.PUBLIC.IP[500]
ISAKMP-SA established MY.PUBLIC.IP[4500]-OTHER.PUBLIC.IP[4500]
first L2TP UDP packet received from MY.PUBLIC.IP
ISAKMP-SA deleted MY.PUBLIC.IP[4500]-OTHER.PUBLIC.IP[4500]
purging ISAKMP-SA 85.114.46.131 MY.PUBLIC.IP[4500]-OTHER.PUBLIC.IP[4500]
It does that and doesn't even forward the request to the RADIUS server! I am running the RADIUS in debug mode and looking at the output but no request ever gets forwarded to it. The connection times out, the initiating machine says "The connection was terminated because the remote computer did not respond in a timely manner".

So TL;DR:
1) Set up RADIUS server which talks to Azure AD for authentication
2) Set up Mikrotik to talk to RADIUS for PPP authentication
3) Tested PPTP VPN with this setup - can confirm it works, RADIUS receives the requests and successfully authenticates against Azure AD
4) Same setup used only with L2TP w/ PSK - router receives the request but never forwards it to RADIUS
4.1) Exact logs of the request can be seen above
4.2) RADIUS server in debug mode does not receive any request
5) L2TP connection times out with the above stated error message on the client side

Any ideas on what is causing the issue?
 
NSimpraga
newbie
Topic Author
Posts: 36
Joined: Fri Sep 27, 2019 2:47 pm

Re: L2TP IPSec VPN with RADIUS authentication

Wed Dec 16, 2020 6:32 pm

Just to update on this - the issue was in something else. The VM I was running RADIUS on was on my PC, VPN-ed to the router I was testing, so the router could talk to RADIUS. When I try to initiate an L2TP connection from my PC (the one where the VM is), it's already connected with the same public IP to the test router. With L2TP, you can't have two L2TP connections from the same public IP.

Oops.
 
Turtle2020
just joined
Posts: 1
Joined: Tue Jan 10, 2023 10:43 pm

Re: L2TP IPSec VPN with RADIUS authentication

Wed Jan 11, 2023 10:10 am

Greetings,

I have the same idea about RADIUS and Azure AD. May I ask how you solved L2TP password transfer from the VPN client to RADIUS and Azure AD?
My oauth2 config is working well with the PPTP protocol. But if I switch to MS-CHAP I get this error:
(0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: ERROR: FAILED: No NT-Password.  Cannot perform authentication
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
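Why the first post says "PAP needs to be used" and why the mschap errors above appear, as an added example that is not from this thread or from freeradius-oauth2-perl: with PAP the router sends the password in the RADIUS User-Password attribute, hidden only by the RFC 2865 section 5.2 MD5/XOR scheme, so the server can recover the cleartext and forward it to the identity provider; an MS-CHAP challenge-response carries no password to forward and can only be checked against a stored NT hash. Shared secret, Request Authenticator and password below are constructed values.

```python
import hashlib
import os

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a NAS (e.g. the router) does before placing
    it in a RADIUS Access-Request (RFC 2865 section 5.2). This is XOR against
    an MD5 keystream keyed by the shared secret, not authenticated encryption:
    anyone holding the shared secret recovers the cleartext."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    # Pad with NUL bytes to a multiple of 16 (at least one block, at most 128 bytes).
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    if len(padded) > 128:
        raise ValueError("password too long for User-Password attribute")
    out = bytearray()
    prev = authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk      # later blocks chain on the previous ciphertext block
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side reverse of hide_user_password. The cleartext returned here is
    what an OAuth2/ROPC-style module has to send on; trailing NULs are padding."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

if __name__ == "__main__":
    # Constructed values; a real NAS uses its configured secret and a fresh
    # random authenticator per request.
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)
    hidden = hide_user_password(b"correct horse battery staple", secret, authenticator)
    print(len(hidden), hidden.hex())
    assert reveal_user_password(hidden, secret, authenticator) == b"correct horse battery staple"
```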
