AAA with Active Directory

From MikroTik Wiki
Jump to navigation Jump to search

Also refer to this forum post:

How to setup Hotspot AAA Microsoft IAS RADIUS for use with MikroTik – By Rodney Yeo: [1]

Example One

MT setup

 /radius add
   service=ppp,wireless
   address=<ip address of AD server>
   secret=<password for RADIUS service on AD server>
   authentication_port=1812
   accounting_port=1813
 /ip ppp AAA
   use_radius=yes
   accounting=yes
 /ip ppp pptp-server
   enabled=yes
   authentication=mschap1,mschap2

Windows Setup

 Start->Control Panel-Administrative Tools->Internet Authentication Service
 Right-click on RADIUS Clients->New
 Friendly Name: MikroTik
 Address: <ip address of MT>
 Client-Vendor: RADIUS Standard
 Shared secret: <password used to access the RADIUS service>

Example Two

Part A - Setup IAS RADIUS on Active Directory Services

Setup IAS on a server acting as Active Directory Services Domain Controller and register it’s services. File:IAS-Setup1.JPG

Give a meaningful description and enable logging for authentication status. File:IAS-Setup2.JPG

User respective 1812 for Authentication and 1813 for Accounting port only. File:IAS-Setup3.JPG

Create a Realms profile, find “User-Name” replace it with “DOMAIN\User-Name” variables into IAS. File:IAS-Setup4.JPG

Create a “hotspot.com” client profile and set IP address pointing to MikroTik hotspot server 172.19.1.253. Set Client Vendor to RADIUS Standard and enter a unique password for IAS. Do not enable Attributes Signature check box. File:IAS-Setup5.JPG

Enable Remote Access Logging check box for all properties. File:IAS-Setup6.JPG

Select IAS Format and set Log Time Period to Daily. File:IAS-Setup7.JPG

Create Remote Access Policies profile to “hotspot.com”. Add “Windows-Groups” matches “DOMAIN\Username” profile. Enable Grant remote access permission. File:IAS-Setup8.JPG

At Authentication tab Enable check box for “MS-CHAP v2, MS-CHAP, CHAP and PAP” method. Note HotSpot only uses PAP method. File:IAS-Setup9.JPG

At Encryption tab Enable all the check box allowed by this profile. File:IAS-Setup10.JPG

At Advance tab do not add any additional connection attributes. File:IAS-Setup11.JPG


Part B - Setup IAS RADIUS with MikroTik

Add a RADIUS server profile and enable service for “hotspot”. Enter IP Address of IAS RADIUS server. Enter the same password created earlier for RADIUS secret. Use port 1812 for Authentication and 1813 for Accounting with Timeout at 300ms. File:IAS-MT-Config1.JPG

At “Hotspot Server Profiles” Login By check “HTTP PAP” only. File:IAS-MT-Config2.JPG

At “Hotspot Server Profiles” check Use RADIUS and Accounting. NAS Port Type leave it as (19 wireless-802.11) or change to 15 (Ethernet) mode. File:IAS-MT-Config3.JPG


Part C – Testing IAS RADIUS with PC

  1. Use NTRadPing Test Utility to verify the communication link with a test PC. http://www.dialways.com/download/
  2. Remember to add in the test PC IP Address intended for testing into the IAS Client Profile before initiating test.
  3. Enter the IAS RADIUS server IP Address and port “1812” for Request Type “Authentication Request” mode followed by the RADIUS Secret Key. File:IAS-Test1.JPG
  4. Also enter the User-Name found in the Active Directory Service User Domain Lists. If successful response reply will be “Access-Accepted”.
  5. Next change port to “1813” for Request Type “Accounting Start” click send and reply should be “Accounting-Response” if the RADIUS server is working. File:IAS-Test2.JPG

Part D – Activating Domain Users for IAS RADIUS

Check for respective User properties if they are member of “RAS and IAS Server” groups, if not add them as group members. File:AD-User IAS1.JPG

Next check the Dial-in tab and enable Allow access for Remote Access Permission. File:AD-User IAS2.JPG


Part E – Windows Server 2012

On Windows 2012 Server Active Directory passwords need to be stored using reversible encryption. Open Global Policy Manager and under Computer configuration - Policies - Windows Settings - Security Settings - Account Policies - Password Policy - Set "Store Passwords using reversible encryption" to enabled.

IMPORTANT: In a PowerShell (CMD) Windows run "gpudate" to enable the changes. Please note existing passwords may not work until they have been reset as they may still be stored in a format that is not Mikrotik friendly.