RADIUS MS-CHAP(v2) authentication not working with Server 2012R2

Posted: Thu Sep 28, 2017 1:01 pm
by voxmaster
Hello! I have a problem with L2TP RADIUS authentication.
I'm trying to use Windows Server 2012R2 NPS (RADIUS) for authentication on MikroTik for a road-warrior L2TP\IPSec(RSA) VPN.
When the VPN client uses CHAP authentication, it connects successfully.
When the VPN client uses MS-CHAP or MS-CHAP-v2, this error appears:
[attachment: Error-Using MS-CHAP(v2).png]
So, I guess there is a bug with MS-CHAP authentication on MikroTik using NPS Server, or I've missed something...

Re: RADIUS MS-CHAP(v2) authentication not working with Server 2012R2

Posted: Thu Sep 28, 2017 2:30 pm
by andriys
Check your NPS Server's logs to see the reason it rejects your client.

Re: RADIUS MS-CHAP(v2) authentication not working with Server 2012R2  [SOLVED]

Posted: Fri Sep 29, 2017 9:30 am
by voxmaster
SOLVED:
This can occur when the LmCompatibilityLevel setting on the authenticating DC has been modified from the default.
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
For example, if you set this value to 5 (Send NTLMv2 response only. Refuse LM & NTLM), then the DC will not accept any requests that use NTLM authentication. RAS in Windows Server 2003, 2008, and 2008 R2 defaults to NTLM to hash the password when MS-CHAP or MS-CHAPv2 is configured. Because the DC will only accept NTLMv2, the request will be denied.

https://support.microsoft.com/en-us/hel ... ication-is
https://support.microsoft.com/uk-ua/hel ... -ms-chapv2

To enable NTLMv2 authentication, you must add a new registry entry after you apply the hotfix. To do this, follow these steps.
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type Enable NTLMv2 Compatibility, and then press ENTER.
5. On the Edit menu, click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor.
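A scripted form of the check and the fix described in the post above, added here as an example; it is not code from the thread or from Microsoft's article. It assumes an elevated PowerShell session on the NPS/RAS server, WinRM access to the DC, and a placeholder DC name; the registry paths are the ones quoted in the post, and the point is to keep the DC at a strict LmCompatibilityLevel rather than weakening it to make MS-CHAPv2 work.

```powershell
# Added example: report the DC's LmCompatibilityLevel and, if asked, enable
# NTLMv2 compatibility for MS-CHAP(v2) on this RAS/NPS server.
# Assumptions: run elevated on the NPS server; WinRM reachable on the DC.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder, not a real host
    [switch]$Apply                                       # without -Apply, only report
)

$lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
$valueName  = 'Enable NTLMv2 Compatibility'

# Meaning of each LmCompatibilityLevel value (Microsoft's documented scale)
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# 1. Read the level on the DC; an absent value means the OS default applies.
$dcLevel = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    (Get-ItemProperty -Path $using:lsaPath -Name LmCompatibilityLevel `
        -ErrorAction SilentlyContinue).LmCompatibilityLevel
}
if ($null -eq $dcLevel) {
    Write-Host "DC ${DomainController}: LmCompatibilityLevel not set (OS default)"
} else {
    Write-Host ("DC {0}: LmCompatibilityLevel = {1} ({2})" -f $DomainController, $dcLevel, $levels[[int]$dcLevel])
    if ([int]$dcLevel -ge 5) {
        Write-Host 'DC refuses NTLM; MS-CHAP(v2) requests hashed with NTLM will be denied unless NTLMv2 compatibility is enabled on the RAS/NPS server.'
    }
}

# 2. Check or create the RemoteAccess\Policy value from the post (DWORD = 1).
$current = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Host "'$valueName' is already 1 on this server."
} elseif ($Apply) {
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Set '$valueName' = 1 under $policyPath."
} else {
    Write-Host "'$valueName' is not 1 (current: '$current'). Re-run with -Apply to set it."
}
```

Run it once without -Apply to see the state of both machines, then with -Apply on the NPS server only.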