mkarau
just joined
Topic Author
Posts: 5
Joined: Fri Jun 24, 2022 6:53 pm

802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Sat Jun 25, 2022 12:36 pm

Hi. New to the RouterOS world, but getting into it pretty quickly. I'm trying to connect a RouterBOARD with ROS 7.3.1 to my network running Cisco ISE using PEAP+MSCHAPv2, but I'm not ever seeing the router attempt anything beyond PEAP auth, and I can't find a way to force it to do the additional MSCHAPv2 auth required to get the device authorized on the network. Any hints?

Steps taken so far: started from a vanilla 7.3.1 install, configured as router, DHCP client on WAN, DHCP server on LAN, uploaded all required certs to the RouterBOARD, logging dot1x to log.

dot1x config:
Enabled: yes
Interface: ether1
EAP Methods: EAP PEAP, EAP MSCHAPv2
Identity: [same as what has been tested to work with 802.1x auth on desktop machine]
Password: [same as what has been tested to work with 802.1x auth on desktop machine]
Anon. Identity: anonymous
Certificate: none
Comment: 

Status: authenticated

Reality: No network access – defaults back to forwarding to our system for MAC-based filtering

Here is a sample of the log:
Time                  |  Buffer  |  Topics         |  Message
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Start
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:1 method:IDENTITY
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:1 method:IDENTITY
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:191 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:191 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:192 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:192 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:193 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:193 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:194 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:194 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:195 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:195 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:196 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:196 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:197 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:197 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:198 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:198 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:199 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:199 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:200 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:200 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:201 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:201 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:202 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:202 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Request id:203 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dot1x, packet  |  c ether1 tx EAPOL-Packet EAP-Response id:203 method:PEAP
Jun/24/2022 20:03:44  |  memory  |  dhcp, info     |  dhcp-client on ether1 got IP address xx.xxx.xxx.xx
Jun/24/2022 20:03:45  |  memory  |  dot1x, packet  |  c ether1 rx EAPOL-Packet EAP-Success id:203
Jun/24/2022 20:03:45  |  memory  |  dot1x, debug   |  c ether1 authorized

Any hints of how to force the dot1x module to do the additional MSCHAPv2 Auth? Or do you suspect it's doing MSCHAPv2 here, encapsulated by the PEAP tunnel, with the log only showing details about the PEAP tunnel? When I remove EAP Method "EAP MSCHAPv2" it still shows as authenticated but with a shorter set of log messages.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Sat Jun 25, 2022 8:26 pm

I assume the EAP method used is based on negotiation between client and Radius server.

At least I only used EAP method = "passthrough" for WPAx-EAP on a WLAN wifi interface. So there are no other EAP method settings in the security profile of that router.

The RADIUS communication can be logged with topic "radius".

Working radius servers used so far are FreeRadius, Draytek router radius, Synology NAS radius, and eventually ROS 7 User Manager 5, with quite some learning curve.
And leading to NTRadPing tool for testing and simulating a client.
viewtopic.php?t=185562

The documentation of ROS 7 User Manager V5 is limited and yet incomplete. https://help.mikrotik.com/docs/display/ ... Manager+v5

MSCHAPv2 should be part of the inner-auth only. (FreeRadius is fully configurable on this, and has very extensive logging on the server console, e.g. outer-auth and inner-auth methods)
But the radius debug packet log in ROS is also very extensive: viewtopic.php?t=185562#p764980
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Sun Jun 26, 2022 1:32 pm

Any hints of how to force the dot1x module to do the additional MSCHAPv2 Auth? Or do you suspect it's doing MSCHAPv2 here, encapsulated by the PEAP tunnel, with the log only showing details about the PEAP tunnel?
Yes. From the help pages eap-peap actually means PEAPv0/EAP-MSCHAPv2.

When I remove EAP Method "EAP MSCHAPv2" it still shows as authenticated but with a shorter set of log messages.
You shouldn't be including the eap-mschapv2 method as this does not protect the MS-CHAPv2 exchange from observation so the password hash can be recovered, see https://web.archive.org/web/20160316174 ... s-chap-v2/.
 
mkarau
just joined
Topic Author
Posts: 5
Joined: Fri Jun 24, 2022 6:53 pm

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Sun Jun 26, 2022 11:11 pm

I assume the EAP method used is based on negotiation between client and Radius server.

At least I only used EAP method = "passthrough" for WPAx-EAP on a WLAN wifi interface. So there are no other EAP method settings in the security profile of that router.

The RADIUS communication can be logged with topic "radius".

Working radius servers used so far are FreeRadius, Draytek router radius, Synology NAS radius, and eventually ROS 7 User Manager 5, with quite some learning curve.
And leading to NTRadPing tool for testing and simulating a client.
viewtopic.php?t=185562

The documentation of ROS 7 User Manager V5 is limited and yet incomplete. https://help.mikrotik.com/docs/display/ ... Manager+v5

MSCHAPv2 should be part of the inner-auth only. (FreeRadius is fully configurable on this, and has very extensive logging on the server console, e.g. outer-auth and inner-auth methods)
But the radius debug packet log in ROS is also very extensive: viewtopic.php?t=185562#p764980

Thanks, removed MSCHAPV2 from outer-level EAP methods, and authentication still works.

The tips on generating more verbose debugging are getting me a little closer to seeing the full picture. I'm still unclear on why a radius 802.1x connection from the RouterBOARD might somehow be treated as a "second-class connection" relative to other 802.1x connections from Mac/PC/Linux built-in clients.

Any thoughts on what might be missing on the ROS config? (Individual machines are able to directly connect and authenticate with ISE via OS clients, but the router only seems to get superficially "authenticated" but cannot access the network.)
 
mkarau
just joined
Topic Author
Posts: 5
Joined: Fri Jun 24, 2022 6:53 pm

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Sun Jun 26, 2022 11:18 pm

Any hints of how to force the dot1x module to do the additional MSCHAPv2 Auth? Or do you suspect it's doing MSCHAPv2 here, encapsulated by the PEAP tunnel, with the log only showing details about the PEAP tunnel?
Yes. From the help pages eap-peap actually means PEAPv0/EAP-MSCHAPv2.

When I remove EAP Method "EAP MSCHAPv2" it still shows as authenticated but with a shorter set of log messages.
You shouldn't be including the eap-mschapv2 method as this does not protect the MS-CHAPv2 exchange from observation so the password hash can be recovered, see https://web.archive.org/web/20160316174 ... s-chap-v2/.

Thanks for the excellent tips and insights. I removed MSCHAPV2 and EAP auth proceeds, as before, and reaches a "successful" authorized state.

However, it's still not being treated as a fully authorized connection. As said in my reply above, somehow, the EAP exchange between the RouterBOARD and the ISE server results in an "authorized" outcome, but the router does not gain access to the network in the ways expected (like the Mac/Windows/Linux OS clients). Have you encountered this before?
 
mkarau
just joined
Topic Author
Posts: 5
Joined: Fri Jun 24, 2022 6:53 pm

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Sun Jun 26, 2022 11:34 pm

To clarify, I'm trying to create a local network for testing embedded and wireless devices that don't support 802.1x on their WiFi interfaces that bridges to my wired network that requires 802.1x, through the RouterBOARD.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Mon Jun 27, 2022 1:16 pm

As the supplicant ends up in the authenticated state it must be mostly working. If the Mikrotik cannot log the unencrypted payload of the EAPOL-Packet EAP-Request/EAP-Response messages then whatever logs/debugging that the Cisco ISE provides may shed some light.

Bridging another interface such as a wlan to the 802.1x supplicant port may not work; it depends on what your network authenticator permits - some operate as a simple on/off connection for any traffic between the supplicant and network, others will only permit traffic from the MAC source address used by the supplicant. In the latter case you could use the Mikrotik as a NAT router so your network only sees layer 2 packets from the Mikrotik itself.
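Pulling the thread's advice together as a RouterOS CLI equivalent of the WinBox settings in the first post. This is an added example, not configuration posted by anyone in the thread: the parameter names follow the RouterOS 7 `/interface dot1x client` menu as I know it, `<identity>` and `<password>` are placeholders, the `monitor` command is assumed to exist for this menu, and the ISE side is assumed to accept PEAPv0/EAP-MSCHAPv2 exactly as it did for the OP's desktop clients.

```routeros
# Added example (not from the thread). Placeholders: <identity>, <password>.

# Weak setting discussed above: offering eap-mschapv2 as an outer, untunnelled
# method exposes the MS-CHAPv2 challenge/response on the wire. Do not do this:
#   /interface dot1x client add interface=ether1 eap-methods=eap-peap,eap-mschapv2 ...

# Corrected supplicant: PEAP only. Per the help pages quoted by tdw, eap-peap is
# PEAPv0 with EAP-MSCHAPv2 as the inner method, so MS-CHAPv2 still runs, but
# inside the TLS tunnel where the authenticator port cannot observe it.
/interface dot1x client
add interface=ether1 eap-methods=eap-peap anon-identity=anonymous \
    identity="<identity>" password="<password>"

# Logging: dot1x,packet gives the EAPOL/EAP exchange shown in the OP's log,
# dot1x,debug gives the authorized/unauthorized transitions. The inner method
# never appears here because its payload is carried encrypted inside PEAP.
/system logging
add topics=dot1x,packet action=memory
add topics=dot1x,debug action=memory

# Check: the client should reach status "authenticated" (assumed command names)
/interface dot1x client print detail
/interface dot1x client monitor [find interface=ether1] once

# NAT router approach from the reply above: when the authenticator only forwards
# frames from the supplicant's own MAC, masquerade the LAN behind ether1 so the
# wired network sees only the RouterBOARD's source MAC and its DHCP address.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN behind dot1x WAN"
```

The masquerade rule is the part that addresses the OP's stated goal (bridging non-802.1x test devices onto the wired network): the test devices keep their own addresses on the LAN side, while every frame the authenticator sees carries the RouterBOARD's MAC and IP, which is what a per-MAC authorization policy expects.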
 
mkarau
just joined
Topic Author
Posts: 5
Joined: Fri Jun 24, 2022 6:53 pm

Re: 802.1x PEAP+mschapv2 on WAN dot1x RouterBOARD ROS 7.3.1

Mon Jun 27, 2022 2:10 pm

As the supplicant ends up in the authenticated state it must be mostly working. If the Mikrotik cannot log the unencrypted payload of the EAPOL-Packet EAP-Request/EAP-Response messages then whatever logs/debugging that the Cisco ISE provides may shed some light.

Bridging another interface such as a wlan to the 802.1x supplicant port may not work; it depends on what your network authenticator permits - some operate as a simple on/off connection for any traffic between the supplicant and network, others will only permit traffic from the MAC source address used by the supplicant. In the latter case you could use the Mikrotik as a NAT router so your network only sees layer 2 packets from the Mikrotik itself.

The L2 NAT approach is my goal at this point. Oddly, the ISE logs are identical when using RouterBOARD vs. desktop clients. Will keep you posted on progress.
