RTFM. I decided to go with PPTP for the reason that it still is easier to manage.
* Good security.
* Never had a problem with NAT clients in years.
* No client needed. Guess what OS supports it. At least Mac and Windows do out of the box.
* Configuration - use Radius. Every AD server can be configured to act as radius server.
* Two factor also supported I think out of the box, just never used it. You will run into tons of problems with that as it WILL require drivers on the computers to log in, and THIS is not something I am willing to accept.
I've managed to follow your advice and PPTP + radius AD AAA is working like a charm.
Thanks a lot for pointing me in the good direction.
As was expected, I now face the issue of integrating RSA tokens for two-factor. From what I've grasped in my RTFM'ing I need to use EAP for authentication with PPTP, which RouterOS doesn't seem to support (or I couldn't find how to enable it). So I'm thinking of L2TP+IPSEC. If that doesn't work I don't see what could, except for avoiding VPN methods on the router and offering ADS VPN directly over our edge (that would suck IMO).
My idea of how the auth process would work is like this:
                        IPSEC
client[token] ---------------------------> Mikrotik[auth method: rsa signature]

                        L2TP
client[ADS user/pass/domain] ------------> Mikrotik[radius client to ADS server]
Is it correct?
PS: some of the doc I've found about PPTP puts some emphasis on inherent security weaknesses both in authentication methods (except some EAP based ones, but NOT for MS-CHAP v1/v2) and in MPPE even at 128 bits. Could this further tip the balance to IPSEC/L2TP in terms of security?