Community discussions

MikroTik App
  4. RouterOS
  5. Wireless Networking

AD authentication for wlan connections

Post Reply
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

AD authentication for wlan connections

Wed Nov 26, 2014 10:46 am

Device: rb433gl, ros 6.7, 2x wlan.

I'm trying to setup a wlan on microtik so that users will use their username/password in AD to connect.

I've got to the point where computers that are members of the domain (and has a certificate from the domain installed) will connect using the certificate and not ask for username/password. But I want this to work with computers/mobiles that are not members of the domain. I want them to type in their (domainname/)username/password.

I've got it working on a cisco AP using this guide:
http://jackstromberg.com/2013/05/tutori ... up-policy/

As it works on the cisco and not on the mikrotik I guess the radius server is setup correctly, and I think there must be something in the cisco config that I've missed when trying to do the same in mikrotik.

Here is what I have on the running config, the one that (unintentionally) works with domain certificate authentication, but not with (domain/)username/password authentication.
Code: Select all
/radius
add address=10.61.6.55 secret=password service=ppp,login,wireless src-address=10.61.6.216

/interface wireless security-profiles
add authentication-types=wpa-eap,wpa2-eap mode=dynamic-keys name="WIFIradius" radius-eap-accounting=yes radius-mac-mode=as-username-and-password supplicant-identity="WIFI216" tls-mode=dont-verify-certificate

/interface wireless
add disabled=no l2mtu=2290 mac-address=02:0C:42:6C:B8:AA master-interface=wlan1 name=C-WIFI security-profile="WIFIradius" ssid=testWIFI wds-cost-range=0 wds-default-cost=0
When using domain\user and password to connect from a pc not member of the domain, the radius server denies access logging the following:
Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.
So it seems like the mikrotik sends some kind of certificate to the radius server, and not the username/password.

Which setting am I missing?
Top
 
lucky79
Member Candidate
Member Candidate
Posts: 126
Joined: Sat Sep 27, 2014 1:24 pm
Location: Czech Republic

Re: AD authentication for wlan connections

Wed Nov 26, 2014 4:20 pm

I have had this configured some time ago without the certificate verification and all of the setting was on the radius server and client. Mikrotik was just passing the authentication requests to the radius server. The security profile setting export is below and it was working fine against linux freeradius server verifying to AD using NTLM.
Code: Select all
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough group-ciphers=\
    aes-ccm group-key-update=5m interim-update=0s management-protection=\
    disabled management-protection-key="" mode=dynamic-keys name=radius \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=test tls-certificate=none \
    tls-mode=dont-verify-certificate unicast-ciphers=aes-ccm \
    wpa-pre-shared-key="" wpa2-pre-shared-key=""

/radius
add accounting-backup=no accounting-port=1813 address=172.31.83.23 \ 
    authentication-port=1812 called-id="" disabled=yes domain="" realm="" \
    secret=XXXXXXX service=wireless timeout=300ms
Top
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: AD authentication for wlan connections

Fri Nov 28, 2014 2:24 am

Thanks. Your config did the trick. This config now works excellent with radius on windows server 2012.
The required changes was mac-mode=username, and disable eap-accounting.
Top
 
lucky79
Member Candidate
Member Candidate
Posts: 126
Joined: Sat Sep 27, 2014 1:24 pm
Location: Czech Republic

Re: AD authentication for wlan connections

Fri Nov 28, 2014 11:13 am

I thought the problem might be in the mac-mode but was not exactly sure :) I am glad its working for you now
Top
 
hchituwu
just joined
Posts: 2
Joined: Fri Nov 02, 2018 10:15 am

Re: AD authentication for wlan connections

Fri Aug 16, 2019 11:29 pm

Hie guys is there a way i can test locally if my radius is working well, same tool as radtest on freeradius that i can use on NPS, my mikrotik requests are not seen on event viewer.
Top
Post Reply

Who is online

Users browsing this forum: No registered users and 25 guests
  4. RouterOS
  5. Wireless Networking