Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Tue Dec 15, 2015 5:40 pm
by m3a2r1
I'm using Mikrotik as router and DHCP server for LAN clients and Unifi APs. There is an AD server, so I want to authenticate wifi clients with Windows credentials, not a WPA key.
I've set up RADIUS on mt (wireless, ppp & login checked), DHCP with option "use radius", and on Windows: Secure Wireless Connections policy (EAP-MSCHAPv2, PEAP & MSCHAPv2), RADIUS client connected with mt (it works for me and authenticates VPN connections).
But it still can't authenticate me - if I try to connect with wifi, it shows me a prompt for username and password, then shows an error with no description.
Did I miss something in the configuration?

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Tue Dec 15, 2015 7:00 pm
by ZeroByte
The Mikrotik probably doesn't need to be involved with this at all. In general, you need something that can dip down into AD for authentication - there's a RADIUS function on domain controllers - you should point your RADIUS to that, or else you need to install a RADIUS server that can use LDAP to perform AD-based AAA functions.

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Tue Dec 15, 2015 8:41 pm
by nspitzer
Since this is what I do for a living I can help you.... The Mikrotik is a RADIUS client, not a server. Microsoft provides a RADIUS server, called Network Policy Server, with their server OS. Basically the Mikrotik needs to be configured as a RADIUS client to the MS NPS.

The Network Policy Server needs to be configured with authentication and authorization rules that basically say: IF someone tries to log in to the Mikrotik, verify their password (authentication) and then determine whether they should be allowed in (authorization).

Then the NPS server will pass some parameters back (cannot remember what they are right offhand) that secure the connection.

Some good reading is:
https://social.technet.microsoft.com/Fo ... nserverNIS

https://documentation.meraki.com/MR/Enc ... Enterprise

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Wed Dec 16, 2015 3:50 pm
by nspitzer
You need to set up Network Policy Server on a MS server in the domain to act as a RADIUS server. The Mikrotik is set up as a RADIUS client and passes all authentication/authorization attempts to this server (or servers), which verifies the password (and possibly other things like group membership) and either permits or denies the attempt.

Here are links that show you in general how this works, but google "Network Policy Server wireless" for more:
https://technet.microsoft.com/en-us/lib ... 10%29.aspx
http://www.cisco.com/c/en/us/support/do ... g-000.html

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Wed Dec 16, 2015 6:09 pm
by m3a2r1
Can I authenticate wireless clients with AD without installing server certificate on each computer? Only with username/password.

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Wed Dec 16, 2015 6:45 pm
by ZeroByte
Can I authenticate wireless clients with AD without installing server certificate on each computer? Only with username/password.
You only need client certificates if you configure the AAA server to require them....

I assume you mean that you don't want users to get certificate warnings when they attach to your WiFi.
On the server, you either need to use a certificate that's been signed by a well-known CA (pay money), or roll your own. If you roll your own cert, then of course the clients are going to cough up warning screens to the users. That's the whole point of certificates! The only way to get no warnings with a self-generated certificate is to configure each client to trust your certificate or your home-made CA that signed them. In an enterprise environment, you can push your private CA to all computers using group policy, but if this is a BYOD environment then you pretty much need to suck it up and buy a real certificate.

I think EAP/MSChap pretty much requires certificates - but I could be wrong.....

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Wed Dec 16, 2015 11:23 pm
by troffasky
It requires that you use certificates... unless you tell the clients not to validate them:

http://serverfault.com/questions/155760 ... ue-certifi

But I'm not sure how portable this advice is, i.e., can you even turn this check off in all client OSs? It might be quicker to just install the cert than dig into all the settings and untick what needs to be unticked. If the users are on the domain anyway, why not just push out the cert to them?

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Wed Dec 16, 2015 11:28 pm
by m3a2r1
If the users are on the domain anyway, why not just push out the cert to them?
If they are in the domain it's not a problem to push out the certs to them. About half of the computers are not in the domain (shitty Windows Home Premium) and I don't want to configure them.

Re: Mikrotik router as dhcp + ap from another manufacturer + Active Directory - how to authenticate?

Posted: Wed Dec 16, 2015 11:53 pm
by ZeroByte
... not to mention iThings and droidz and so forth.....

I suggest that you go ahead and get the cert, or add "ignore the certificate warning" to your routine for helping people get on the WiFi.