MikroTik

I'm trying to setup a RB450G(ros 5.24) with PPTP VPN/RSA SecurID token authentication. PPTP connectivity works with local user authentication, but errors out with RADIUS. I've enabled AAA authentication for router admin login and I can telnet into the RB450G fine:

16:18:44 radius,debug new request 0d:2c code=Access-Request service=login
16:18:44 radius,debug sending 0d:2c to 192.168.1.36:1812
16:18:44 radius,debug,packet sending Access-Request with id 82 to 192.168.1.36:1812
16:18:44 radius,debug,packet Signature = 0x3d...
16:18:44 radius,debug,packet Service-Type = 1
16:18:44 radius,debug,packet User-Name = "spotts78"
16:18:44 radius,debug,packet User-Password = 0x34...
16:18:44 radius,debug,packet Calling-Station-Id = "192.168.1.98"
16:18:44 radius,debug,packet NAS-Identifier = "VPNTEST"
16:18:44 radius,debug,packet NAS-IP-Address = 192.168.1.14
16:18:48 radius,debug,packet received Access-Accept with id 82 from 192.168.1.36:1812
16:18:48 system,info,account user spotts78 logged in from 192.168.1.98 via telnet

When I try PPTP with AAA I get this:

16:18:13 radius,debug new request 1b:6f code=Access-Request service=ppp called-id=192.168.1.14
16:18:13 radius,debug sending 1b:6f to 192.168.1.36:1812
16:18:13 radius,debug,packet sending Access-Request with id 81 to 192.168.1.36:1812
16:18:13 radius,debug,packet Signature = 0x13...
16:18:13 radius,debug,packet Service-Type = 2
16:18:13 radius,debug,packet Framed-Protocol = 1
16:18:13 radius,debug,packet NAS-Port = 61
16:18:13 radius,debug,packet NAS-Port-Type = 5
16:18:13 radius,debug,packet User-Name = "spotts78"
16:18:13 radius,debug,packet Calling-Station-Id = "192.168.1.98"
16:18:13 radius,debug,packet Called-Station-Id = "192.168.1.14"
16:18:13 radius,debug,packet MS-CHAP-Challenge = 0x57...
16:18:13 radius,debug,packet MS-CHAP2-Response = 0x01...
16:18:13 radius,debug,packet 8e96...
16:18:13 radius,debug,packet f7d4...
16:18:13 radius,debug,packet 48b0
16:18:13 radius,debug,packet NAS-Identifier = "VPNTEST"
16:18:13 radius,debug,packet NAS-IP-Address = 192.168.1.14
16:18:13 radius,debug,packet received Access-Reject with id 81 from 192.168.1.36:1812
16:18:13 radius,debug,packet Signature = 0x0c...
16:18:13 radius,debug received reply for 1b:6f
16:18:13 pptp,ppp,info <pptp-0>: terminating... - user spotts78 authentication failed
16:18:13 pptp,ppp,info <pptp-0>: disconnected

Anyone have experience with RSA Authentication manager to know what my problem might be?

Seems like your radius server is not set to allow dial in / vpn connection type for the username you're providing.

Nice post man ! hope you will be do better in future with more informative ideas and information . Thank you

I'm quite sure the authentication server is not set to allow NAS-Port-Type = 5 for the username provided. (This is just another term for telling the same as I did on april 24th)

Turns out the RSA RADIUS server we're using only supports PAP, EAP-PEAP-GTC, EAP-TTLS-PAP, and EAP-TTLS-GTC protocols for authentication. I'm guessing when I telnet in it uses PAP?

If it set both the PPTP server and client to use PAP, it works! BUT VERY INSECURE! Looks like the Mikrotik VPN servers only support PAP, CHAP, MSCHAP1, AND MSCHAP2 authentication protocols.

Any way to make this work beside PAP?