voxmaster
just joined
Topic Author
Posts: 12
Joined: Tue Sep 29, 2015 9:53 am
Location: Kyiv

RADIUS MS-CHAP(v2) authentication not working with Server 2012R2

Thu Sep 28, 2017 1:01 pm

Hello! I have a problem with L2TP RADIUS authentication.
I'm trying to use Windows Server 2012 R2 NPS (RADIUS) for authentication on MikroTik for a road-warrior L2TP\IPsec (RSA) VPN.
When the VPN client uses CHAP authentication, it connects successfully.
When the VPN client uses MS-CHAP or MS-CHAPv2, this error appears:
[attached screenshot: Error-Using MS-CHAP(v2).png]
So I guess there is a bug with MS-CHAP authentication on MikroTik using the NPS server, or I've missed something...
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RADIUS MS-CHAP(v2) authentication not working with Server 2012R2

Thu Sep 28, 2017 2:30 pm

Check your NPS server's logs to see the reason it rejects your client.
 
voxmaster
just joined
Topic Author
Posts: 12
Joined: Tue Sep 29, 2015 9:53 am
Location: Kyiv

Re: RADIUS MS-CHAP(v2) authentication not working with Server 2012R2  [SOLVED]

Fri Sep 29, 2017 9:30 am

SOLVED:
This can occur when the LmCompatibilityLevel settings on the authenticating DC has been modified from the defaults.
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
For example, if you set this value to 5 (Send NTLMv2 response only. Refuse LM & NTLM), then the DC will not accept any requests that use NTLM authentication. RAS in Windows Server 2003, 2008, and 2008 R2 defaults to NTLM to hash the password when MS-CHAP or MS-CHAPv2 is configured. Because the DC will only accept NTLMv2, the request will be denied.

https://support.microsoft.com/en-us/hel ... ication-is
https://support.microsoft.com/uk-ua/hel ... -ms-chapv2

To enable NTLMv2 authentication, you must add a new registry entry after you apply the hotfix. To do this, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type Enable NTLMv2 Compatibility, and then press ENTER.
5. On the Edit menu, click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.
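The two things this thread ends up doing by hand, reading the NPS reject reason that andriys pointed at and adding the "Enable NTLMv2 Compatibility" value from voxmaster's solution, as one PowerShell script. This is an added example, not code from the thread, from MikroTik or from the Microsoft articles. It assumes it is run in an elevated PowerShell on the Windows Server 2012 R2 NPS host; the domain controller name is a placeholder, the remote LmCompatibilityLevel read assumes PowerShell remoting is enabled on the DC, and restarting the NPS service (service name IAS) rather than rebooting is an assumption. The point of the registry change is that it makes NPS send NTLMv2 for MS-CHAP(v2), so the DC's LmCompatibilityLevel of 5 can stay as it is instead of being lowered.

```powershell
# Added example, not from the forum thread. Run in an elevated PowerShell on the
# Windows Server 2012 R2 NPS host. Assumptions: the DC name is a placeholder and
# PowerShell remoting (WinRM) is enabled on the DC for the remote registry read.

param(
    [string]$DomainController = 'dc01.example.local'   # assumed placeholder, replace
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$rasKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
$valName = 'Enable NTLMv2 Compatibility'

# Step 1: read LmCompatibilityLevel on the authenticating DC.
# 5 = "Send NTLMv2 response only. Refuse LM & NTLM", which is what rejects the
# NTLMv1 hash NPS sends for MS-CHAP(v2) by default. If the value is absent, the
# OS default applies (3 on Server 2008 and later).
$dcLevel = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
}
if ($null -eq $dcLevel) { $dcLevel = 'not set (OS default)' }
Write-Host "DC $DomainController LmCompatibilityLevel: $dcLevel"

# Step 2: show the last few NPS access-denied events. NPS logs them to the
# Security log as Event ID 6273; the Reason Code / Reason lines are what to read.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n"
        # keep only the account, authentication type and reason lines
        $lines | Where-Object { $_ -match '^\s*(Account Name|Authentication Type|Reason Code|Reason):' }
        ''
    }

# Step 3: the fix from the Microsoft article: tell RRAS/NPS to use NTLMv2 when
# hashing MS-CHAP(v2) credentials, instead of lowering the DC's LmCompatibilityLevel.
if (-not (Test-Path $rasKey)) {
    New-Item -Path $rasKey -Force | Out-Null
}
$before = (Get-ItemProperty -Path $rasKey -Name $valName -ErrorAction SilentlyContinue).$valName
New-ItemProperty -Path $rasKey -Name $valName -PropertyType DWord -Value 1 -Force | Out-Null
$after = (Get-ItemProperty -Path $rasKey -Name $valName).$valName
Write-Host "'$valName': before=$before after=$after"

# Step 4: restart the NPS service (service name IAS) so the value is picked up.
# Assumption: a service restart is sufficient; reboot the host if MS-CHAPv2
# logons still fail afterwards.
Restart-Service -Name IAS
```

After the restart, reconnect the L2TP/IPsec client with MS-CHAPv2 and re-run the Event ID 6273 query: if the change took effect, no new denial for that account should appear, and a successful logon is logged as Event ID 6272 instead.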
