
Radius - wireless login - to Active Directory

Posted: Thu Jan 24, 2019 1:51 am
by Cvan
Has anyone had success using MT as a Radius client connecting to NPS (Radius Server) with Active Directory??

I think I am close to getting it working, just missing something.. I have radius ppp working with VPN, but not radius wireless.

I have a network policy setup on Windows 2012 server for authentication with 802.11. Can't seem to send MSCHAP v2 over with the MT wireless profile...

Any suggestions?

How do you configure your MT wireless security profile authentication types for this?

My MT is mAP lite 6.40.8

Re: Radius - wireless login - to Active Directory

Posted: Fri Jan 25, 2019 1:25 am
by Cvan
Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta!

Re: Radius - wireless login - to Active Directory

Posted: Fri Jan 25, 2019 3:05 am
by pcunite
No harm in sharing it if you can. I don't use this feature, but might someday.

Re: Radius - wireless login - to Active Directory

Posted: Fri Jan 25, 2019 4:32 am
by Cvan
Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta!
MIKROTIK MAP LITE
In wireless security profile:

GENERAL tab
WPA EAP / WPA2 EAP
unicast/group ciphers aes ccm / tkip

RADIUS tab
nothing checked

EAP tab
EAP Methods = passthrough
TLS Mode: don't verify cert
TLS Cert: none

ACTIVE DIRECTORY (2012 server)
Dashboard manager, added Active Directory Certificate Services / Certification Authority / * ALL certificate options

NPS (Network Policy Server)

Added the MT as a RADIUS client, etc..
Added Network Policy:
Condition: added 802.11 NAS Port type
Condition: added Windows Groups (Domain Users)

Constraints Tab:
Auth method: EAP (PEAP)
Auth method: MS-Chap-V2 checked (Not needed)
Everything else default

Tested and Working CLIENT DEVICES:

Windows 10:
Added a new wifi network connection with settings:
Network name: Name of your SSID on MAP Lite
Security Type: WPA2-Enterprise AES
EAP Method: EAP (PEAP)
Auth Method (EAP-MSCHAP v2)

Linux (Debian Jessie)
/etc/NetworkManager/system-connections/wifi connection

key-mgmt=wpa-eap
phase1-peapver=0
phase2-auth=mschapv2
*********** system-ca-certs=FALSE **********

iPhone
Prompted for username and password; then prompted for CA and click trust cert and that was it
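
A check for the Linux client profile in the post above, as an added example that is not part of the original thread: it parses a NetworkManager keyfile and reports whether the PEAP client validates the RADIUS (NPS) server certificate, comparing the posted settings with a profile pinned to the AD CS root. The function name `audit_keyfile`, the SSID, identity, CA path and server name are assumptions for illustration.

```python
import configparser

# Constructed keyfile using the settings from the post; SSID and identity are placeholders.
POSTED = """\
[wifi]
ssid=EXAMPLE-SSID

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=EXAMPLE\\user
phase1-peapver=0
phase2-auth=mschapv2
system-ca-certs=FALSE
"""

# Same profile with the NPS certificate checked against the AD CS root.
# The CA path and server name are placeholders, not values from the thread.
PINNED = POSTED.replace(
    "system-ca-certs=FALSE\n",
    "ca-cert=/etc/ssl/certs/example-adcs-root.pem\n"
    "domain-suffix-match=nps.example.internal\n",
)

NAME_KEYS = ("domain-suffix-match", "domain-match", "altsubject-matches", "subject-match")

def audit_keyfile(text):
    """Return findings about RADIUS server validation in a NetworkManager keyfile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("802-1x"):
        return ["no [802-1x] section: not an enterprise Wi-Fi profile"]
    s = cp["802-1x"]
    findings = []
    # A trust anchor is either an explicit CA file or the system CA store.
    system_cas = s.get("system-ca-certs", "false").strip().lower() == "true"
    if not s.get("ca-cert", "").strip() and not system_cas:
        findings.append("no trust anchor: server certificate is not validated")
    # Without a name constraint any certificate under the trusted CA is accepted.
    if not any(s.get(k, "").strip() for k in NAME_KEYS):
        findings.append("no server name constraint (e.g. domain-suffix-match)")
    return findings

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("pinned", PINNED)):
        print(label, audit_keyfile(text) or "server validation configured")
```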

Re: Radius - wireless login - to Active Directory

Posted: Thu Aug 22, 2019 2:45 pm
by hchituwu
Okay, I got this working with a bit more trial and error. If anyone wants the info let me know. Ta!
Please may you share the details, I am trying to authenticate my wifi users on MikroTik AP using the AD via the NPS server. Please, please assist.

Re: Radius - wireless login - to Active Directory

Posted: Thu Aug 29, 2019 4:20 am
by Cvan
Still works for me.. What is your issue?

However, I never did get the Framed-Pool attribute to work for Radius Wifi connections.
The attribute gets returned by NPS as I can see it in the log; but the client never gets assigned an IP address from the MT address pool that is referenced by framed-pool attribute...

Re: Radius - wireless login - to Active Directory

Posted: Fri Nov 04, 2022 2:00 pm
by TroyQ
Worked 100% PERFECT! THANK YOU!!!