Say I've got 2 network access policies, each with one of the domain groups (named MTadm and MTread) in the Conditions, and 'full' and 'read' respectively in Parameters > Vendor-specific > 14988, 3, string parameter.
I want to give these 2 domain groups' users full and write-only access to all MikroTiks.
The problem is, whatever network policy I set up, I can log in with only 'full' or 'read', depending on which comes first in the connection request policies, or the default 'read' if no vendor attribute is specified in the CRP. Never both groups at the same time. It looks like the AD group parameter is ignored either by MikroTik or by NPS.
The question is: has anyone managed to get more-than-one AD security group authentication working with NPS RADIUS on more-than-one MikroTik in a single network? Where am I stuck?
Config samples on the Windows Server side:
>netsh nps show np
Network Policy Configuration:
-------------------------------------------------- -------
Name = MTadm
Status = Enabled
Processing order = 2
Policy source = 0
State Attributes:
Name                       Identifier  Value
-------------------------------------------------- -------
Condition0                 0x1023      "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8972"
Condition1                 0x1fb5      "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8972"
Profile attributes:
Name                       Identifier  Value
-------------------------------------------------- -------
NP-Allow-Dial-in           0x100f      "TRUE"
NP-Authentication-Type     0x1009      "0x4"
Vendor-Specific            0x1a        "0100003A8C0306full"
Port-Limit                 0x3e        "0x1"
Service-Type               0x6         "0x1"
MS-MPPE-Encryption-Policy  0xffffffa7  "0x2"
MS-MPPE-Encryption-Types   0xffffffa6  "0xe"
Network Policy Configuration:
-------------------------------------------------- -------
Name = MTread
Status = Enabled
Processing order = 3
Policy source = 0
State Attributes:
Name                       Identifier  Value
-------------------------------------------------- -------
Condition0                 0x1023      "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8974"
Condition1                 0x1fb5      "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzzz-8974"
Profile attributes:
Name                       Identifier  Value
-------------------------------------------------- -------
NP-Allow-Dial-in           0x100f      "TRUE"
NP-Authentication-Type     0x1009      "0x4"
Vendor-Specific            0x1a        "0100003A8C0306read"
Port-Limit                 0x3e        "0x1"
Service-Type               0x6         "0x1"
MS-MPPE-Encryption-Policy  0xffffffa7  "0x2"
MS-MPPE-Encryption-Types   0xffffffa6  "0xe"
>netsh nps show crp
Connection request policy configuration:
-------------------------------------------------- -------
Name = MTadmXX.XXX
Status = Enabled
Processing order = 3
Policy source = 0
State Attributes:
Name                       Identifier  Value
-------------------------------------------------- -------
Condition0                 0x4         "192.168.xx.xxx"
Profile attributes:
Name                       Identifier  Value
-------------------------------------------------- -------
Auth-Provider-Type         0x1025      "0x1"
NP-Authentication-Type     0x1009      "0x4"
Override-RAP-Auth          0x1fb0      "TRUE"
/radius
add address=192.168.xx.xxx secret=\
"somekindofasecret" \
service=login timeout=600ms
/user aaa
set default-group=read use-radius=yes
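The script below is an added example, not code from the post and not from Microsoft or MikroTik. It decodes the two Vendor-Specific values that `netsh nps show np` prints for the MTadm and MTread policies ("0100003A8C0306full" and "0100003A8C0306read") and builds the RFC 2865 attribute 26 bytes that NPS sends for them, so a packet capture of the Access-Accept between NPS and the router can be checked for which Mikrotik-Group value actually arrives. Assumptions: the netsh value is one format byte (0x01 for the RFC-conformant vendor-type/vendor-length layout), a 4-byte vendor id, vendor type, vendor length, then the data as netsh printed it; MikroTik's vendor id is 14988 and Mikrotik-Group is vendor type 3, as given in the post. The sample Access-Accept attribute list at the bottom is constructed for the example.

```python
"""Decode the Vendor-Specific value netsh prints for Mikrotik-Group and
produce the RFC 2865 attribute 26 bytes the router receives.

Added example, not code from the forum post.  Assumed netsh layout:
format(1) vendor-id(4) vendor-type(1) vendor-length(1) then data as text.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
MIKROTIK_VENDOR_ID = 14988    # 0x3A8C, the "14988" entered in the NPS dialog
MIKROTIK_GROUP = 3            # Mikrotik-Group, string (vendor type 3 per the post)

# 7-byte header netsh shows before the data (assumed layout, see module docstring)
NPS_VSA_HEADER = struct.Struct("!BIBB")


def decode_nps_vsa(value: str) -> dict:
    """Parse e.g. "0100003A8C0306full" into vendor id, vendor type and value.

    The first 14 hex characters are the header; the rest is the data as netsh
    printed it.  A vendor-length byte that does not match the data raises,
    which is the quickest way to catch a value mistyped in the NPS dialog.
    """
    fmt, vendor_id, vtype, vlen = NPS_VSA_HEADER.unpack(bytes.fromhex(value[:14]))
    data = value[14:].encode()
    if fmt != 1:
        raise ValueError(f"VSA format byte {fmt:#x} is not the RFC-conformant layout")
    if vlen != 2 + len(data):   # vendor length covers type + length + data
        raise ValueError(f"vendor length {vlen} does not match data {data!r}")
    return {"vendor_id": vendor_id, "vendor_type": vtype, "value": data.decode()}


def encode_vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    """Build a Vendor-Specific (26) attribute as it appears on the wire."""
    inner = struct.pack("!IBB", vendor_id, vtype, 2 + len(data)) + data
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(inner)) + inner


def nps_to_wire(value: str) -> bytes:
    """Wire bytes for the value printed by `netsh nps show np`."""
    d = decode_nps_vsa(value)
    return encode_vsa(d["vendor_id"], d["vendor_type"], d["value"].encode())


def mikrotik_groups(attrs: bytes) -> list:
    """Walk a RADIUS attribute list (an Access-Accept body after its 20-byte
    header) and return every Mikrotik-Group value, in order of appearance."""
    groups = []
    off = 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            raise ValueError(f"truncated attribute at offset {off}")
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        body = attrs[off + 2:off + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor_id == MIKROTIK_VENDOR_ID and vtype == MIKROTIK_GROUP:
                groups.append(body[6:4 + vlen].decode())   # vlen includes type+len
        off += alen
    return groups


# Constructed sample: attribute list of an Access-Accept for the MTadm policy,
# Service-Type = Login-User (0x1, as in the policy) plus Mikrotik-Group = full.
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BBI", 6, 6, 1)
    + nps_to_wire("0100003A8C0306full")
)

if __name__ == "__main__":
    for v in ("0100003A8C0306full", "0100003A8C0306read"):
        print(v, "->", decode_nps_vsa(v), nps_to_wire(v).hex())
    print("Mikrotik-Group in sample Access-Accept:", mikrotik_groups(SAMPLE_ACCEPT_ATTRS))
```

To use it on real traffic, take the Access-Accept from a capture on the RADIUS port, strip the 20-byte RADIUS header, and pass the remaining bytes to `mikrotik_groups`; the list shows exactly which group string reached the router for that login, which separates an NPS policy-ordering problem from anything on the RouterOS side.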