Hi MikroTik community,
I think this is probably more a how-to about Windows Server 2012R2 Network Policy Server configuration than about MikroTik, but I also figure that the community here is likely smarter and better at answering questions like this than the Microsoft support communities are... :-)
I've got a RouterBOARD 951Ui 2HnD (RouterOS v6.37.3) set up as a VPN server (SSTP). Everything works fine when the VPN clients (Windows 10 workstations) use local authentication from the RouterBOARD (that is, they log in using ID+password from /ppp secret).
However, I've recently turned on the RADIUS client on the RouterBOARD to forward authentication to a Windows Server 2012R2 Active Directory Domain Controller, so that it is not necessary to manually maintain /ppp secret on the RouterBOARD, and so that Windows clients can both connect to the RouterBOARD VPN and authenticate to the Windows Domain at the same time.
It works, except:
The problem is that whereas local auth on the RouterBOARD respects the IP-Pool setting (/ppp profile remote-address=VPNpool1), the Windows NPS RADIUS server gets IP addresses from one of the Windows server's own DHCP pools, and sends that IP address in a Framed-IP-Address RADIUS response attribute, despite the fact that I've configured these RADIUS attributes in the Windows server's Network Policy:
Framed-Protocol: PPP
Service-Type: Framed
Framed-Pool: VPNpool1
Can someone please tell me how to get the Windows Server 2012R2 RADIUS response to send my configured Framed-IP-Pool instead of getting an IP address from the Windows server's own DHCP and returning it in Framed-IP-Address?
Thanks!
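
An added example, not part of the original post: a minimal decoder for the UDP payload of a captured RADIUS Access-Accept, to confirm which of the attributes named above (Framed-IP-Address, Framed-Pool) the NPS server actually returned. The sample packet is constructed, with a zeroed authenticator and a documentation-range address; the function names are hypothetical.

```python
import ipaddress
import struct

# Attribute numbers: RFC 2865 (6, 7, 8) and RFC 2869 (88).
ATTRS = {6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address", 88: "Framed-Pool"}
ENUMS = {6: {2: "Framed"}, 7: {1: "PPP"}}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def decode_radius(packet):
    """Return (packet code name, {attribute name: decoded value})."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # skip the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        name = ATTRS.get(atype, "Attr-%d" % atype)
        if atype in ENUMS and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            attrs[name] = ENUMS[atype].get(num, num)
        elif atype == 8 and len(value) == 4:
            attrs[name] = str(ipaddress.IPv4Address(value))
        elif atype == 88:
            attrs[name] = value.decode("utf-8", "replace")
        else:
            attrs[name] = value.hex()
        pos += alen
    return CODES.get(code, str(code)), attrs

def address_attributes(attrs):
    """List the address-assignment attributes present in the reply."""
    return [n for n in ("Framed-IP-Address", "Framed-Pool") if n in attrs]

# Constructed sample: an Access-Accept carrying all four attributes from the post.
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value
_body = (_attr(6, struct.pack("!I", 2)) + _attr(7, struct.pack("!I", 1))
         + _attr(8, ipaddress.IPv4Address("192.0.2.50").packed) + _attr(88, b"VPNpool1"))
SAMPLE = struct.pack("!BBH", 2, 1, 20 + len(_body)) + bytes(16) + _body

if __name__ == "__main__":
    print(decode_radius(SAMPLE))
```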