Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 2:43 pm
by AlexPebody
Hi guys, please, need help )

I can't configure WiFi authorization by EAP RADIUS with NPS on Windows 2019 Server. I have read many posts and done everything, but nothing... ( Please, could anybody help configure EAP for authorizing to WiFi with Active Directory? I don't need to use any certs, just EAP auth. I have a well-working RADIUS for logon on MT and all is OK, but I can't configure RADIUS for EAP... so sad.

I used this: https://soft-setup.ru/nastrojka-wifi-av ... -mikrotik/ and this: https://habr.com/ru/post/536648/ and this: https://mum.mikrotik.com/presentations/ ... 293520.pdf

Some Mikrotik conf:
/caps-man interface
add arp-timeout=auto channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2422 channel.tx-power=20 comment="AP" configuration.country=russia4 configuration.disconnect-timeout=3m configuration.distance=indoors configuration.frame-lifetime=7s configuration.installation=indoor configuration.keepalive-frames=enabled configuration.max-sta-count=40 configuration.multicast-helper=default configuration.rx-chains=0,1,2,3 configuration.ssid=TEST configuration.tx-chains=0,1,2,3 datapath.bridge="LAN Bridge" disabled=no l2mtu=1600 mac-address=2C:A8:1B:9A:5E:D9 master-interface=none name=AP radio-mac=2C:A8:1B:9A:5E:D9 radio-name=2CA81B9A5ED9 security.authentication-types=wpa2-eap security.eap-methods=passthrough security.encryption=aes-ccm security.group-encryption=aes-ccm

And I attach screens from NPS.

And the logs say: EAP failure or rejected... ( What can I do? Could anybody please advise? Thanks.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 7:35 pm
by Larsa
I have done a bunch of configurations using NPS, which is usually the root cause of most problems. NPS is a rather complex hack that unfortunately is pretty hard to troubleshoot. You have to work with the Windows Event logs and/or an NPS troubleshooting tool.

If this is your first attempt to fix a Radius/NPS configuration, I'd hire a consultant for a basic setup to start with. Also, providing non-English NPS screenshots doesn't really make it any easier to understand your config either.

Check out: "Windows NPS troubleshooting"

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 7:51 pm
by AlexPebody
Thx, but I have a working RADIUS with MT auth and all is OK, but WiFi EAP won't auth and I don't know why. All logs are normal on NPS. Could anybody tell me a good solution for configuring NPS for EAP with MT auth? Please? I have created a new Active Directory at home and got the same issue... ( Reject from NPS... and as I said, NPS tells me all is good, and if I try to connect to MT using NPS = all is OK.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 8:02 pm
by Larsa
If auth fails, you have to look for the reason in the event logs. Start by enabling NPS auditing according to "Network Policy Server troubleshooting guidance". For NPS examples, google "Wi-Fi EAP Windows NPS".

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 8:10 pm
by AlexPebody
Larsa, thanks so much. I got this code number: 6273, without code 16, and I am not using a cert, but I added the registry edit like here: https://rapididentity.my.site.com/suppo ... f-metadata and got the same issue. I think the trouble is in the NPS parameters with MT, because I don't know exactly what settings need to be set.

Test is: Rejected.

1812, 1813 UDP are all open, other IAS ports are deleted in IAS properties... Why reject OMG )

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 8:49 pm
by cfikes
I have yet to have NTRadPing work with NPS. You really need to look at the event log to see why. It will give you in abundant detail why it denies a connection.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 9:27 pm
by AlexPebody
I have watched more than 20 videos on YouTube and saw a dude connect without a cert and all was OK. I am using exactly the same settings and = reject, but when trying to log in to MT = RADIUS is OK. WTF and WHY? I am using MS_CHAPv2 for EAP because EAP (PEAP) needs a cert, but I won't use a cert for all phones and devices... How to configure it, and why the reject? My NPS is surely registered in the domain - Active Directory.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Mon Jul 11, 2022 10:43 pm
by AlexPebody
Results:

1. With EAP (PEAP) - a CA cert is needed, for example DC1 self-signed, and then I chose EAP-MSCHAPv2 = all worked, but on phones and other devices a message pops up about an untrusted cert;
2. With EAP-MSCHAPv2 without a cert it is NOT working, ever! WHY?

How can I use EAP-MSCHAPv2 without using a cert? All screens below:

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Tue Jul 12, 2022 12:05 am
by Larsa
Enable NPS auditing and consult the event logs.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Tue Jul 12, 2022 6:06 am
by AlexPebody
NPS auditing is enabled and, as I said, I get the same error every time: 6273 - this is a cert error. My question is: can I use, and how do I configure, EAP-MSCHAPv2 without a cert? If I choose EAP-MSCHAPv2 password in the policy = Reject either way, whatever you do, and any other settings I try = REJECT. It works only with the cert EAP (PEAP) choice with MSCHAPv2 set inside it = this worked, but any other way = no. I think there is no other solution without a cert. I've been trying to solve this for 2 days and nothing, and nobody helps and tells me what I can do to use just password MSCHAPv2 for auth.

received Access-Reject with id 2 from 192.168.1.225:1812

NPS log file:
"DC1","IAS",07/12/2022,10:48:38,4,,,,,,,"APHA","192.168.1.1",,0,"192.168.1.1","mt",,,,,,,,,0,,,,,,7,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,
"DC1","IAS",07/12/2022,10:50:46,1,"user","DOM\user","74-4D-28-BE-83-B3:APW2_TEST","92-1C-FE-99-2E-54",,,"APHA","192.168.1.1",,0,"192.168.1.1","mt",,,19,,,2,5,"MT EAP",0,"311 1 192.168.1.225 07/12/2022 03:43:33 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
"DC1","IAS",07/12/2022,10:50:46,11,,"DOM\user",,,,,,,,0,"192.168.1.1","mt",,,,,,,5,"MT EAP",0,"311 1 192.168.1.225 07/12/2022 03:43:33 1",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
"DC1","IAS",07/12/2022,10:50:46,1,"user","DOM\user","74-4D-28-BE-83-B3:APW2_TEST","92-1C-FE-99-2E-54",,,"APHA","192.168.1.1",,0,"192.168.1.1","mt",,,19,,,2,5,"MT EAP",0,"311 1 192.168.1.225 07/12/2022 03:43:33 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
"DC1","IAS",07/12/2022,10:50:46,3,,"DOM\user",,,,,,,,0,"192.168.1.1","mt",,,,,,,5,"MT EAP",22,"311 1 192.168.1.225 07/12/2022 03:43:33 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,

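Added example (not part of any post in this thread): a small parser for the NPS log records quoted above that lists each Access-Reject with its reason code and recovers the client MAC from the matching Access-Request. The column positions are an assumption based on Microsoft's documented database-compatible log field order, and the reason texts are paraphrased.

```python
import csv
import io

# Zero-based columns of the NPS database-compatible log format (assumed from
# Microsoft's documented field order; confirm against your own server's logs).
COL = {"packet": 4, "user": 6, "calling": 8, "client": 16,
       "auth": 23, "policy": 24, "reason": 25, "class": 26}
PACKET = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
          "4": "Accounting-Request", "11": "Access-Challenge"}
AUTH = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
        "5": "EAP", "11": "PEAP"}
# Paraphrased NPS reason-code meanings (only the codes this thread mentions).
REASON = {"16": "credentials mismatch (unknown user or wrong password)",
          "22": "EAP type cannot be processed by the server"}

# The five records quoted in the post; raw string keeps the DOM\user backslash.
SAMPLE = r'''
"DC1","IAS",07/12/2022,10:48:38,4,,,,,,,"APHA","192.168.1.1",,0,"192.168.1.1","mt",,,,,,,,,0,,,,,,7,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,
"DC1","IAS",07/12/2022,10:50:46,1,"user","DOM\user","74-4D-28-BE-83-B3:APW2_TEST","92-1C-FE-99-2E-54",,,"APHA","192.168.1.1",,0,"192.168.1.1","mt",,,19,,,2,5,"MT EAP",0,"311 1 192.168.1.225 07/12/2022 03:43:33 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
"DC1","IAS",07/12/2022,10:50:46,11,,"DOM\user",,,,,,,,0,"192.168.1.1","mt",,,,,,,5,"MT EAP",0,"311 1 192.168.1.225 07/12/2022 03:43:33 1",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
"DC1","IAS",07/12/2022,10:50:46,1,"user","DOM\user","74-4D-28-BE-83-B3:APW2_TEST","92-1C-FE-99-2E-54",,,"APHA","192.168.1.1",,0,"192.168.1.1","mt",,,19,,,2,5,"MT EAP",0,"311 1 192.168.1.225 07/12/2022 03:43:33 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
"DC1","IAS",07/12/2022,10:50:46,3,,"DOM\user",,,,,,,,0,"192.168.1.1","mt",,,,,,,5,"MT EAP",22,"311 1 192.168.1.225 07/12/2022 03:43:33 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"MT EAP",1,,,,
'''

def parse(text):
    """Return one dict per log record, keyed by the names in COL."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) > COL["class"]:  # skips blank or truncated lines
            rows.append({name: rec[i] for name, i in COL.items()})
    return rows

def trace(rows):
    """Packet-type names in log order, to follow the RADIUS exchange."""
    return [PACKET.get(r["packet"], r["packet"]) for r in rows]

def rejects(rows):
    """Summarise Access-Rejects. In these records the reject line has no
    station MAC, so take it from the Access-Request with the same Class."""
    station = {r["class"]: r["calling"] for r in rows if r["packet"] == "1"}
    return [{"user": r["user"], "policy": r["policy"],
             "station": station.get(r["class"], "unknown"),
             "auth": AUTH.get(r["auth"], r["auth"]),
             "reason_code": r["reason"],
             "reason": REASON.get(r["reason"], "see NPS reason-code list")}
            for r in rows if r["packet"] == "3"]
```

On the quoted records, `rejects(parse(SAMPLE))` returns a single entry: policy "MT EAP", authentication type EAP, reason code 22.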
Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Tue Jul 12, 2022 7:08 am
by AlexPebody
But when using EAP (PEAP) all is WORKING normally, but phones and other devices warn about an untrusted cert, and I don't want this message for users. I need EAP-MSCHAPv2 auth only; how can I do this? I put all screens and logs in this topic.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Tue Jul 12, 2022 3:14 pm
by AlexPebody
Friends, does anybody know how to configure this with just EAP-MSCHAPv2 only, please?

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server  [SOLVED]

Posted: Tue Jul 12, 2022 9:55 pm
by Larsa

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Wed Jul 13, 2022 7:44 am
by AlexPebody
Larsa, thanks so much, but I have seen all these URLs and manuals, and EAP-MS-CHAP v2 is still not working. Microsoft says: 1. EAP-MS-CHAP v2 is available only with PEAP. And as I said, a cert is needed 99.9%, and it's so sad... but true. If anybody can set it up without a cert, please let me know. Thank you!

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Wed Jul 13, 2022 11:18 am
by Larsa
As this is an NPS-related issue, you will probably get better help from an MS forum like MS Tech Community - Windows Server Hub.

Re: Mikrotik WiFi EAP by NPS Windows 2019 Server

Posted: Thu Oct 12, 2023 9:10 pm
by maxspeed
Hi,

Nothing is working with Windows Server 2022, same setup as in this post.

Can someone tell me if NPS on Windows 2022 is working with MikroTik / RADIUS?

Thank you for your answer