pikinier20
just joined
Topic Author
Posts: 3
Joined: Wed Feb 05, 2020 12:46 pm

Authenticating VPNs using RADIUS/NPS - radius timeout

Wed Feb 05, 2020 12:59 pm

Hello there,
I've got Active Directory with some users, and now I'm going to give them the possibility of working remotely on the domain. I've got a PPTP VPN server on a MikroTik RouterBoard. The answer for automatic authentication using AD credentials is an NPS server. I've done everything as in this tutorial: https://mivilisnet.wordpress.com/2018/1 ... indows-ad/
But unfortunately I'm getting Error 691 when I try to connect to the VPN.

I did some research and read the logs in Winbox:
[image]

However, in the RADIUS status there are no packets sent.
[image]

On NPS there are no logs that MikroTik tried to authenticate.
I did a tracert to the NPS IP on UDP port 1812, and I got logs on the NPS server that it received an invalid RADIUS message, so it's not a firewall problem.

Can you guys help me?
 
Cvan
Member Candidate
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Authenticating VPNs using RADIUS/NPS - radius timeout

Fri Feb 07, 2020 2:06 am

Your NPS configuration might be wrong. Post your network policy for VPN auth.
Are you using 'ppp' in the MT RADIUS config? Show your MT RADIUS config.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Authenticating VPNs using RADIUS/NPS - radius timeout

Fri Feb 07, 2020 12:06 pm

Additionally, as your AD credentials will be encrypted, you cannot use CHAP authentication. Simple authentication mechanisms have the following requirements for RADIUS credentials:

PAP - plaintext or encrypted
CHAP - plaintext
MSCHAPv2 - plaintext or MSCHAPv2

Also, don't use PPTP for VPNs as it is very insecure.
 
pikinier20
just joined
Topic Author
Posts: 3
Joined: Wed Feb 05, 2020 12:46 pm

Re: Authenticating VPNs using RADIUS/NPS - radius timeout  [SOLVED]

Sun Feb 09, 2020 11:16 pm

Okay, the problem is solved. It was my fault: in the MikroTik RADIUS config there's a field DOMAIN and I put the FQDN there. I didn't know that this field is used by MikroTik to forward auth to the proper RADIUS server, e.g. when I log in as YYY\user, MikroTik checks whether there's a RADIUS server for domain YYY and then passes the credentials to it. When I changed this field to the domain name used for logging in, everything was OK. I feel like a newbie now, but the most important thing is that everything is working well.
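An added RouterOS CLI example (not from any post in this thread) that puts the two points above together: the RADIUS domain= field from the solved post, and tdw's point that NPS can validate MS-CHAPv2 against AD but not plain CHAP. The address 192.0.2.10, the shared secret and the domain CORP / corp.example.com are placeholders; it assumes RouterOS 6.x, NPS listening on UDP/1812 and the router already registered as a RADIUS client on NPS with the same secret.

```routeros
# Added example, not the original poster's configuration.
# Placeholders: 192.0.2.10 (NPS), CHANGE-ME (shared secret), CORP / corp.example.com.

# Wrong: domain= set to the AD DNS name. As the original poster found, the router
# matches domain= against the prefix the user types (CORP\alice), so nothing
# matches, no Access-Request leaves the router (the /radius monitor counters stay
# at 0, NPS logs nothing) and the client is told error 691 by the local check.
/radius add service=ppp address=192.0.2.10 secret=CHANGE-ME domain=corp.example.com

# Right: the short login domain. Leave domain= empty if every PPP login should go
# to this server regardless of prefix.
/radius set [find service=ppp] domain=CORP timeout=1500ms

# Without this PPP only consults /ppp secret and never talks to RADIUS at all.
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# NPS verifies MS-CHAPv2 against the NT hash AD already holds. CHAP (and PAP)
# need the password in reversible form on the NPS side, which AD does not keep
# by default, so offer clients MS-CHAPv2 only.
/interface pptp-server server set enabled=yes authentication=mschap2 default-profile=default-encryption

# Checks while a client connects: requests/accepts/rejects/timeouts must move,
# and the radius topic shows the Access-Request and the reply (or the timeout).
/radius monitor [find service=ppp] once
/system logging add topics=radius,debug action=memory
/log print where topics~"radius"
```

If the counters stay at zero after the change, the request is not reaching the RADIUS client code at all (domain mismatch or use-radius=no); if requests rise but timeouts rise with them, the packet is leaving the router and the problem is on the path or on NPS (wrong client address or secret).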
 
pikinier20
just joined
Topic Author
Posts: 3
Joined: Wed Feb 05, 2020 12:46 pm

Re: Authenticating VPNs using RADIUS/NPS - radius timeout

Sun Feb 09, 2020 11:17 pm

Additionally, as your AD credentials will be encrypted, you cannot use CHAP authentication. Simple authentication mechanisms have the following requirements for RADIUS credentials:

PAP - plaintext or encrypted
CHAP - plaintext
MSCHAPv2 - plaintext or MSCHAPv2

Also, don't use PPTP for VPNs as it is very insecure.
Yes, I've read before that PPTP is not so good. I will move to an IPsec tunnel as soon as I learn how to do it ;)
 
szhura
just joined
Posts: 18
Joined: Fri May 17, 2019 1:04 pm

Re: Authenticating VPNs using RADIUS/NPS - radius timeout

Tue Nov 30, 2021 8:20 am

I have a Windows PDC with RADIUS and a MikroTik with "use radius" checked and the RADIUS server set:
[attachment: Telegram (205082)_2021-11-29_13_33_16.jpg]
but the PPTP log shows that authentication goes as plain mschap2, no RADIUS at all:
[attachment: zhura@10.10.201.1 (RVR-MT-MAIN) - WinBox (64bit) v6.49.1 on CHR (x86_64)_2021-11-29_13_28_37.jpg]
Need help: what can be wrong?
 
szhura
just joined
Posts: 18
Joined: Fri May 17, 2019 1:04 pm

Re: Authenticating VPNs using RADIUS/NPS - radius timeout

Fri Dec 03, 2021 7:25 am

The problem was in the firewall rule "block invalid packets": it blocks GRE. I set the rule to "block invalid TCP packets" and now everything works fine.
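An added RouterOS example (not from the post above) showing how to check whether a generic drop-invalid rule is eating PPTP's GRE data channel, and a narrower fix than loosening that rule. ether1 as the WAN interface is a placeholder; it assumes RouterOS 6.x and the default-style firewall where "drop invalid" sits near the top of the input chain.

```routeros
# Added example; ether1 is an assumed WAN interface name.

# 1. Find the rule that is dropping the traffic. PPTP uses TCP/1723 for control
#    and GRE (IP protocol 47) for data; GRE packets that conntrack cannot relate
#    to the TCP session are classified invalid and hit this rule.
/ip firewall filter print where chain=input action=drop connection-state=invalid

# 2. Conntrack has a PPTP helper that ties the GRE flow to the TCP/1723 session
#    so it is seen as related/established instead of invalid. Make sure it is on.
/ip firewall service-port set [find name=pptp] disabled=no
/ip firewall service-port print where name=pptp

# 3. Accept exactly the two PPTP channels from the WAN ahead of the drop rule,
#    so the generic invalid drop keeps protecting everything else (UDP, ICMP...).
#    place-before needs a single id; if find returns several rules, pick one.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="PPTP control" place-before=[find chain=input action=drop connection-state=invalid]
/ip firewall filter add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP GRE data" place-before=[find chain=input action=drop connection-state=invalid]

# 4. Verify: both counters increase while a client connects, and the PPTP log
#    now shows the RADIUS exchange instead of a local mschap2 failure.
/ip firewall filter print stats where comment~"PPTP"
/log print where topics~"pptp"
```

Restricting the drop rule to TCP only, as in the post above, also works, but it stops dropping invalid UDP and ICMP; accepting the two PPTP flows in front of an unchanged drop-invalid rule is the tighter option. As tdw already noted in this thread, PPTP itself is weak; the same two-rule pattern applies to whichever tunnel replaces it (UDP/500 and UDP/4500 plus ESP for IPsec-based ones).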
