squishio
just joined
Topic Author
Posts: 18
Joined: Fri Oct 30, 2009 3:58 pm

Winbox Radius Login with Windows AD / NPS - Fixed!

Fri Sep 02, 2011 6:59 pm

Hi All

We are trying to get our routers using RADIUS to authenticate users to login with Winbox but having a lot of trouble with it :(

We're using Windows NPS as the RADIUS server.
I believe the problem is that Winbox uses MD5-CHAP and Windows doesn't support this? (Assuming I have understood what I've read)

I have seen other posts where people have used FreeRADIUS as some sort of proxy but I would like to avoid this as I believe it WILL work without it. (In short, a previous colleague had Winbox authenticating against AD without any additional servers; he's left the company and I can't figure out how he did it :( )

Any suggestions?

thanks!
Rich
Last edited by squishio on Fri Sep 02, 2011 9:08 pm, edited 1 time in total.
 
juaco
just joined
Posts: 15
Joined: Tue Nov 09, 2010 12:15 am

Re: Winbox Radius Login with Windows AD / NPS

Fri Sep 02, 2011 7:10 pm

We are using RADIUS against NPS for PPP authentication with AD credentials:

/radius
add accounting-backup=no accounting-port=1813 address=<NPS-SERVER> authentication-port=1812 called-id="" comment="" disabled=no domain=<DOMAIN-SHORT-FORM> realm="" secret=<NPS-CONFIGURED-SECRET> service=ppp timeout=300ms
/radius incoming
set accept=no port=3799

hope this helps
 
squishio
just joined
Topic Author
Posts: 18
Joined: Fri Oct 30, 2009 3:58 pm

Re: Winbox Radius Login with Windows AD / NPS

Fri Sep 02, 2011 8:15 pm

Forgot to mention actually, we have RADIUS already authenticating PPTP connections with this NPS server, but I believe that uses normal CHAP and not MD5-CHAP.
So I think that's why the VPNs are working and authenticating correctly but Winbox isn't :(
 
squishio
just joined
Topic Author
Posts: 18
Joined: Fri Oct 30, 2009 3:58 pm

Re: Winbox Radius Login with Windows AD / NPS

Fri Sep 02, 2011 9:07 pm

Woohoo! We did it!

For anyone running into similar problems in the future...

Active Directory passwords need to be stored using reversible encryption. This is done in GP (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > set "Store passwords using reversible encryption" to Enabled).

Did a GP update and it didn't work; created a new test account and it works fine, so I assume new accounts will store their passwords with reversible encryption when created, and existing accounts may need to wait some time or reset their passwords.

General info...

SSH and Telnet use PAP authentication
Winbox uses MD5-CHAP authentication
Webfig does not support RADIUS (yet, ROS v5.6)

With NPS configured by default, users will find they can log in to the router with SSH or Telnet without any problems, and PPP authentication (for VPNs etc.) will work without issue, but Winbox won't work. In the RADIUS logs on the router you will see the request is "Accepted" but Winbox still responds with "Access Denied". If you look in the Windows (NPS server) security logs you will find "Audit Failure" with...

Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect

This is because Winbox is encrypting your password with MD5-CHAP and then passing that to NPS / Windows Active Directory, which then doesn't know what to do with the hashed/encrypted password. Setting the group policy as above will allow AD to store passwords in the same way as it is receiving them from Winbox.


Thanks!
Rich
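The post above explains why PAP logins (SSH/Telnet) succeed against NPS while MD5-CHAP logins (Winbox) fail until reversible encryption is enabled. The following is an added illustration, not code from MikroTik, Microsoft or anyone in this thread: it implements the two RADIUS mechanisms from the RFCs (CHAP/MD5 response per RFC 1994, User-Password hiding per RFC 2865 section 5.2) and runs each against two stand-in password stores. The "one-way" store keeps only a SHA-256 digest (a stand-in for an AD account without reversible encryption; AD really keeps an NT hash, but what matters is that it is one-way) and the "reversible" store keeps the plaintext. The shared secret, password, challenge and authenticator values are all constructed here.

```python
"""PAP vs MD5-CHAP against a one-way and a reversible password store.
Added example (not from the thread, MikroTik or Microsoft); RFC 1994 CHAP
and RFC 2865 s5.2 User-Password hiding. All sample values are constructed."""
import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The server can only recompute this if it has the password itself."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(shared_secret || previous_cipher_block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: the NAS-side hiding is reversible by anyone holding the
    shared secret, so the RADIUS server ends up with the plaintext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes the password itself has no trailing NUL bytes


class OneWayStore:
    """Stand-in for an AD account WITHOUT reversible encryption: only a digest is kept."""
    plaintext = None

    def __init__(self, password: bytes):
        self.digest = hashlib.sha256(password).digest()

    def check_plaintext(self, candidate: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(candidate).digest(), self.digest)


class ReversibleStore:
    """Stand-in for an AD account WITH 'Store passwords using reversible encryption'."""

    def __init__(self, password: bytes):
        self.plaintext = password

    def check_plaintext(self, candidate: bytes) -> bool:
        return hmac.compare_digest(candidate, self.plaintext)


def server_pap(store, hidden: bytes, secret: bytes, authenticator: bytes) -> bool:
    """PAP: unhide the password, then compare it against whatever the store holds."""
    return store.check_plaintext(pap_unhide(hidden, secret, authenticator))


def server_chap(store, ident: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: the server must recompute MD5(id||password||challenge). With only a
    one-way digest there is nothing to feed into MD5, so the check cannot succeed;
    this is the 'credentials mismatch' (reason code 16) seen in the thread."""
    if store.plaintext is None:
        return False
    return hmac.compare_digest(chap_response(ident, store.plaintext, challenge), response)


def simulate(password: bytes = b"c0rrect-horse-battery", secret: bytes = b"nps-shared-secret") -> dict:
    """Run one PAP and one CHAP login against both store types; returns the outcomes."""
    authenticator = os.urandom(16)          # RADIUS Request Authenticator (constructed)
    challenge, ident = os.urandom(16), 7    # CHAP challenge and identifier (constructed)
    hidden = pap_hide(password, secret, authenticator)   # what SSH/Telnet logins send
    response = chap_response(ident, password, challenge)  # what Winbox logins send
    results = {}
    for name, store in (("oneway", OneWayStore(password)), ("reversible", ReversibleStore(password))):
        results[f"pap_{name}"] = server_pap(store, hidden, secret, authenticator)
        results[f"chap_{name}"] = server_chap(store, ident, challenge, response)
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:16s} {'Accept' if v else 'Reject'}")
```

Running it shows PAP accepted by both stores and CHAP accepted only by the reversible store, which is exactly the SSH-works / Winbox-fails split described above. It also makes the trade-off visible: PAP works precisely because the RADIUS server (and anyone holding the shared secret) ends up with the plaintext on every login, and enabling reversible encryption means AD keeps the plaintext equivalent at rest for every account the policy covers, so it is worth scoping that policy to the accounts that actually need Winbox RADIUS logins.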
 
rfhngky
just joined
Posts: 1
Joined: Wed Jun 03, 2015 2:25 pm

Re: Winbox Radius Login with Windows AD / NPS - Fixed!

Wed Jun 03, 2015 2:28 pm

Squishio,

Could you please share how to set up MikroTik and Windows AD so that I can use an AD user for my Winbox and Telnet login to MikroTik? Thank you.
 
partovi64
just joined
Posts: 5
Joined: Sun Dec 14, 2014 6:49 pm

Re: Winbox Radius Login with Windows AD / NPS - Fixed!

Mon Jul 13, 2015 10:36 pm

Hi dear friends,
Your answer is:

So here's how to re-enable it:

To re-enable EAP-MD5 support in versions of Windows Vista, add the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4

Value name: RolesSupported
Value type: REG_DWORD
Value data: 0000000a

Value name: FriendlyName
Value type: REG_SZ
Value data: MD5-Challenge

Value name: Path
Value type: REG_EXPAND_SZ
Value data: %SystemRoot%\System32\Raschap.dll

Value name: InvokeUsernameDialog
Value type: REG_DWORD
Value data: 00000001

Value name: InvokePasswordDialog
Value type: REG_DWORD
Value data: 00000001

Once you have added these new keys to the registry, MD5 will show up in your EAP list.