Authorization via Network Policy Server (NPS) for MikroTik

How do you quickly and easily configure authorization through Microsoft's RADIUS implementation? I think this will help those who want to access their MikroTik devices through the friendly WinBox and plain SSH.

Plan:

Installing the NPS role;
Adding a RADIUS client;
Creating a connection request policy;
Creating a network policy;
Adding the authorization server on MikroTik;
Verification through SSH and WinBox.

Installing the NPS Role

We have a Windows Server 2016 Datacenter with a domain already set up.

We select the server on which the role will be deployed. Microsoft does not recommend placing it on a domain controller, but some best-practice guides advise exactly that to reduce authentication latency. Add the Network Policy and Access Services role together with the management tools for configuration.

Install-WindowsFeature NPAS -IncludeManagementTools

We open the NPS console in any convenient way, for example through Server Manager.

We register the NPS server in AD, so that it is allowed to read the dial-in properties of user accounts in the domain.

netsh ras add registeredserver

Adding a RADIUS Client

For the server to know which devices it should talk to, you add them as RADIUS Clients.

As an example, I add my MikroTik wAP. Friendly name is set to the Identity configured on the device, and Address to the IP set on its only wired interface. For the device to be able to authenticate to the server, you need to enter a shared secret. It is either typed in manually or generated automatically on the server; I preferred the second option.

New-NpsRadiusClient -Address "10.1.1.21" -Name "router01" -SharedSecret "egEcM4myJCptphGlZ1UymS#qLh^urp@fJ1hF8dE6dwb27NI^oIJtTWKKp^MEsU6p"

For Vendor name we keep the standard setting, RADIUS Standard.

The device has been added.
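The same client can be created with a shared secret generated locally from a cryptographic random number generator instead of by the NPS console. The following PowerShell is an added example and not part of the original article; it assumes the NPS role is already installed on the host it runs on, reuses the article's address 10.1.1.21 and name router01, and the helper New-RadiusSharedSecret is my own.

```powershell
# Added example, not from the original article. Assumes the NPS role is installed
# on this host; the address and name are the article's values.
Import-Module NPS

function New-RadiusSharedSecret {
    # Build a secret from a CSPRNG. Quotes and backslashes are excluded so the
    # value can be pasted unchanged into PowerShell and the RouterOS console.
    param([int]$Length = 64)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%^&*@_+-='
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound: avoids modulo bias
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) {
            [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

$secret = New-RadiusSharedSecret -Length 64

# Register the router as a RADIUS client (vendor stays the default, RADIUS Standard).
New-NpsRadiusClient -Address '10.1.1.21' -Name 'router01' -SharedSecret $secret

# Confirm the client exists before touching the router.
Get-NpsRadiusClient -Name 'router01'

# The secret is needed exactly once more, in /radius add on the router; hand it
# over through a secure channel and do not leave it in the shell history.
$secret
```

The rejection loop matters because a plain `byte % length` would favour the first characters of the alphabet; a shared secret is the only thing protecting the RADIUS exchange on the wire, so it should be as unpredictable as its length suggests.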

Creating a Connection Request Policy

We choose a suitable name for the policy.

We specify the device that the server will work with.

I chose only Client Friendly Name with the value Router01. This unambiguously binds the policy to the device through the client created earlier. You can also identify the MikroTik device by its Identity by selecting NAS Identifier.

If the device has not been preconfigured, its Identity is the default, MikroTik.

Further policy settings.

At the stage of choosing an authentication protocol, it is enough to select unencrypted PAP (you will get a warning about it) for SSH or encrypted CHAP for WinBox. I chose both. If you also need the web interface, enable MS-CHAPv2 as well; otherwise everything stays the same.

Here is the warning about choosing an unsafe method, with an offer to read the step-by-step reference material.

At this stage, I did not change anything.

Final policy settings.

I did not manage to reproduce it through PowerShell, not even with the standard example from TechNet. I would be grateful if you tell me why.

netsh nps add crp name = "Request Policy Router01" state = "ENABLE" processingorder = "1" policysource = "0" conditionid = "0x1020" conditiondata = "router01" profileid = "0x1025" profiledata = "0x1" profileid = "0x1009" profiledata = "0x1" "0x2" profileid = "0x1fb0" profiledata = "TRUE"

Set the desired priority by moving the policy higher or lower in the list.

Creating a Network Policy

Let's call it Routers.

As before, conditions need to be defined.

In AD I created an additional user in the Domain Admins group. I choose the Windows Groups condition so that every domain administrator can access MikroTik.

Grant or deny access: we will grant access to everyone who matches the condition.

The authentication methods are the same as in the previous policy.

You can configure additional settings as needed. I left them unchanged.

Next, you need to choose which attributes will be sent back in the response.

The resulting network policy settings.

Choose the required priority among the other policies, if necessary.

For the account to be verified through NPS in AD, this user's Network Access Permission on the Dial-in tab must be set to Control access through NPS Network Policy.

To be able to log in through WinBox, you also need to enable reversible password encryption on the user account: CHAP can only be validated against a reversibly stored password, and the setting takes effect only for passwords set after it is turned on.
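Both account settings can be applied and audited from PowerShell instead of the Users and Computers console. This is an added example, not from the article; it assumes the ActiveDirectory module is available, and the account name mtadmin is a placeholder for the domain admin created above.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module; 'mtadmin' is a placeholder for the domain admin account created earlier.
Import-Module ActiveDirectory

$user = 'mtadmin'

# Dial-in tab: "Control access through NPS Network Policy" means the
# msNPAllowDialin attribute is not set (TRUE = Allow access, FALSE = Deny access).
Set-ADUser -Identity $user -Clear msNPAllowDialin

# CHAP (used here for WinBox) can only be verified if AD keeps the password in
# reversibly encrypted form. PAP and MS-CHAPv2 do not need this, so enable it
# only for the accounts that really log in over CHAP.
Set-ADUser -Identity $user -AllowReversiblePasswordEncryption $true

# The flag applies to passwords set after it is enabled, so an existing account
# must change its password before CHAP starts working.
# (Set-ADAccountPassword -Identity $user -Reset forces that change.)

# Audit: every account whose userAccountControl carries the
# ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80). This list should stay short.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
    -Properties AllowReversiblePasswordEncryption, msNPAllowDialin |
    Select-Object SamAccountName, AllowReversiblePasswordEncryption, msNPAllowDialin
```

The audit query at the end is the part worth scheduling: reversible storage is equivalent to keeping the password in clear text for anyone who can read the directory database, so it should be limited to the few accounts that need CHAP and reviewed regularly.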

Adding an authorization server to MikroTik

First we set System / Identity to router01 and an IP address with a mask on the interface.

/system identity set name=router01
/ip address add address=10.1.1.21/24 interface=ether1 network=10.1.1.0

In System / Users, under AAA, enable Use RADIUS. By default, RADIUS users get read-only access.

/user aaa set use-radius=yes

Open the Radius settings and add a new server. The service is chosen according to what the server will authenticate; ideally, access for the different services is split between separate entries. Address is the address of the server on which NPS is installed.

Secret is the key that was generated when the client was added on the server.

/radius add address=10.1.1.1 secret="egEcM4myJCptphGlZ1UymS#qLh^urp@fJ1hF8dE6dwb27NI^oIJtTWKKp^MEsU6p" service=login

Verification via SSH and WinBox

We verify connectivity through SSH and export the configuration.

Then we check authorization in WinBox.

As you can see, the active users list shows the local system admin and both sessions of the domain user with read access, one through SSH and one through WinBox.
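The same logins can be confirmed from the NPS side in the Security event log, which also records the attempts that were rejected. This PowerShell is an added example, not part of the article; it assumes it is run on the NPS host with rights to read the Security log and that the Network Policy Server audit subcategory is enabled. The helper ConvertFrom-NpsEvent is my own.

```powershell
# Added example, not from the original article. Run on the NPS host with rights
# to read the Security log. NPS audits to events 6272 (access granted) and
# 6273 (access denied); check that the subcategory is enabled with:
#   auditpol /get /subcategory:"Network Policy Server"

$filter = @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-1)
}

function ConvertFrom-NpsEvent {
    # Flatten the EventData of one 6272/6273 record into a readable object.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time       = $Record.TimeCreated
        Result     = $(if ($Record.Id -eq 6272) { 'granted' } else { 'denied' })
        User       = $data['FullyQualifiedSubjectUserName']
        Client     = $data['ClientName']          # friendly name, e.g. router01
        ClientIP   = $data['ClientIPAddress']
        NasId      = $data['NASIdentifier']       # the router's System / Identity
        AuthType   = $data['AuthenticationType']  # PAP for SSH, CHAP for WinBox
        CrPolicy   = $data['ProxyPolicyName']     # connection request policy
        NetPolicy  = $data['NetworkPolicyName']
        ReasonCode = $data['ReasonCode']          # non-zero only on 6273
        Reason     = $data['Reason']
    }
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-NpsEvent -Record $_ } |
    Sort-Object Time |
    Format-Table Time, Result, User, Client, AuthType, NetPolicy, Reason -AutoSize

# A 'denied' row from an unexpected ClientIP, or for an account outside the
# Routers policy, deserves a closer look; a burst of 6273 for the same user is
# the usual sign of password guessing against the router's SSH or WinBox port.
```

Two successful rows, one with AuthType PAP and one with CHAP, both with Client router01 and NetPolicy Routers, correspond to the two sessions visible in the router's active users list.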

Everything works.
Thanks for your attention.