I have a Mikrotik CCR1016-12G with Patchlevel 6.42.6

PPTP-Server, L2TP-Server are up an running, both authenticate to a radius-Server (a Windows NPS), this is working fine.
A couple of IPSEC-Tunnels is running as well, otherwise nothing complicated.

I added recently a SSTP-Server, installed certificates etc

Issue: I can't login via SSTP if the user is only in AD (authenticated via Radius/NPS)
If I use a local user, SSTP-login works fine.
If I use L2TP via radius login works fine.

So I can assume the radius is set up properly and the SSTP is setup properly.
It just doesnt play together.
How to troubleshoot? How to fix? Known issues?

br
Gerhard

Hallo,

Can i please for help to resolve this problem.
I have configured RAIDUS (NAP on Windows). Mikrotik see RADIUS on Windows when i add.
Problem is with connect by SSTP to RADIUS from another Account. Everything is configured but it is not working.
Can i please for help ? SSTP Miktortik works with Windows RADIUS ?

Please post at least the error message you get from the MikroTik log - that helps troubleshooting. Also you can post the corresponding (last) log lines from RADIUS server (default log location for Windows NPS is c:\Windows\system32\LogFiles\ - look for newest IN<number>.log files).

RouterOS fully supports SSTP authentication against Active Directory via RADIUS provided by Windows NPS server role - I have working configuration that is used daily.

Hi,
I noticed on NPS (Server 2012 R@ at least) that if you are locking the Network Policy down to conditions: NAS port type of Virtual (VPN) and User group, it wont allow SSTP. (it does allow PPTP, L2TP, IKev2, just not SSTP)
If your Network policy doesnt have "NAS Port Type" condition set and only the user group, then SSTP works (even with authentication method: MS-CHAP-v2 only and encryption set to strongest only).

I also noticed that if you have the Mikrotik login configured with the settings for the Vendor Specific (code:14988) in order to pass the level of access, and lock that down to a user group condition only, then those users will also be able to do SSTP, so be careful with you network policies and try make them as restrictive as possible so you don't get overlaps in allowances vs services intended.

Im not too familiar with it, but it would be nice if SSTP matched the Virtual VPN NAS port type so that all VPN types were managed in one policy. maybe someone in the know can shed some light on that?

Good luck, and please share any policies that you found to be solid.

MetUys' answer worked for me. PPTP was working fine with RADIUS but couldn't get SSTP to authenticate. Removing the NAS Port Type and leaving the security group as the only restriction allowed users to authenticate with domain credentials over SSTP. Thanks MetUys!