
Authorization through Network Policy Server (NPS) for MikroTik

How to quickly and easily set up authorization via Microsoft RADIUS? I think this will help those who want to be able to access MikroTik devices via a friendly WinBox and simple SSH.



Plan:

Installing the NPS role;

Add RADIUS client;

Creating a connection policy;

Creating a network policy;

Add authorization server to MikroTik;

Check through SSH and WinBox.



Installing the NPS Role



We have Windows Server 2016 Datacenter with an already established domain.




Select the server on which the role will be installed. Microsoft does not recommend doing this on a domain controller, although some best-practice guides advise placing it there to reduce latency. Add the Network Policy and Access Services role together with the management tools needed for configuration.



Install-WindowsFeature NPAS -IncludeManagementTools





Open the NPS management console in any convenient way, for example through Server Manager.






Register the NPS server in AD.



netsh ras add registeredserver





Add RADIUS client

In order for the server to know which devices to communicate with, you need to add them to RADIUS Clients.






For example, I add my MikroTik wAP. The Friendly name is set to the same value as the Identity on the device, and the address is the IP assigned to its only wired interface. For the device to authenticate to the server, you must enter a shared secret. It is created on the server either manually or generated automatically; I preferred the second option.



New-NpsRadiusClient -Address "10.1.1.21" -Name "router01" -SharedSecret "egEcM4myJCptphGlZ1UymS#qLh^urp@fJ1hF8dE6dwb27NI^oIJtTWKKp^MEsU6p"





For the vendor name we keep the standard RADIUS setting.






Device added.



Create Connection Policy






We select the appropriate name for the policy.






We define the device that the server will work with.






I selected only the Client Friendly Name condition with the value Router01. This binds the policy unambiguously to the device through the RADIUS client created earlier. Alternatively, you can identify a MikroTik device by its Identity by selecting the NAS Identifier condition.






Without prior configuration, the device Identity is MikroTik.






Further policy settings.






At the authentication protocol selection stage, it suffices to select unencrypted PAP (you will receive a warning about it) for SSH, or encrypted CHAP for WinBox. I chose both. If you also need the web interface, it is enough to enable MS-CHAPv2 as well; otherwise everything stays the same.






This is the warning about choosing an insecure method; it suggests reading the step-by-step reference material.






At this stage I did not change anything.






Summary policy settings.



I could not reproduce it through PowerShell, not even the standard example from TechNet. I would be grateful if you could tell me why.



netsh nps add crp name = "Request Policy Router01" state = "ENABLE" processingorder = "1" policysource = "0" conditionid ="0x1020" conditiondata = "router01" profileid = "0x1025" profiledata = "0x1" profileid = "0x1009" profiledata = "0x1" "0x2" profileid = "0x1fb0" profiledata = "TRUE"





Set the desired priority by moving the policy up or down in the list.



Creating network policy




Let's call it Routers.






As before, you need to define the conditions.






In AD, I have created an additional user in the Domain Admins group. I choose the Windows Groups condition, based on the fact that all domain administrators can get access to MikroTik.






The rule either grants or denies access. We grant access to anyone who matches the condition.






The authentication methods are chosen in the same way as in the previous policy.






Additional settings can be configured as needed; I left them unchanged.






Next, you need to choose which attributes will be sent in the response.






Final network policy settings.






Set the priority relative to the other policies, if necessary.






For the account to be verified through NPS, open the user in AD, and on the Dial-in tab, in the Network Access Permission section, select Control access through NPS Network Policy.






To be able to log in through WinBox, you need to enable reversible encryption for the password in the user's account properties.






Adding an authorization server to MikroTik

First, set System / Identity to router01 and assign an IP address with a mask to the interface.



/system identity set name=router01
/ip address add address=10.1.1.21/24 interface=ether1 network=10.1.1.0





In System / Users, on the Users tab, enable the Use RADIUS option. By default, read-only access is granted to RADIUS users.



/user aaa set use-radius=yes





Open the Radius settings and add a new server. The service is chosen according to what the server is for; it is better, of course, to separate access between services. Address is the address of the server on which NPS is installed.



Secret is the key that was generated at the stage of adding a client to the server.



/radius add address=10.1.1.1 secret=egEcM4myJCptphGlZ1UymS#qLh^urp@fJ1hF8dE6dwb27NI^oIJtTWKKp^MEsU6p service=login





Check through SSH and WinBox

Verify connectivity via SSH and export configuration.
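To see what the router actually sends to NPS during these checks, and why the policy wizard warns that PAP is "unencrypted" while CHAP needs reversible encryption in AD, here is an added example (not code from the article, and not a MikroTik or Microsoft tool) that builds RFC 2865 Access-Request packets for both methods, produces the server's reply, and verifies the Response Authenticator on the client side. Only the Python standard library is used; the secret, username, and the NAS identity router01 / 10.1.1.21 used in the test are constructed values. The optional send_access_request function talks to a real NPS on UDP 1812, which will only answer a host that is registered as a RADIUS client.

```python
# Added example: minimal RFC 2865 RADIUS client/server packet handling for the
# PAP (SSH) and CHAP (WinBox) logins the article configures. Standard library only.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3
ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE, ATTR_NAS_IDENTIFIER = 4, 6, 32
SERVICE_TYPE_LOGIN = 1  # management login, i.e. the "login" service in /radius


def attr(attr_type, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_pap_password(secret, authenticator, password):
    """PAP: the password is XOR-masked in 16-byte blocks with MD5(secret + previous block).
    Anyone holding the shared secret can reverse it, hence the 'unencrypted' warning."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_pap_password(secret, authenticator, hidden):
    """What the server does with a PAP request: recover the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(chap_id, password, challenge):
    """CHAP: one-way MD5(id + password + challenge). The cleartext never leaves the
    device, so the server must already hold it (reversible encryption in AD)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_access_request(secret, identifier, username, password, nas_id, nas_ip,
                         chap=False, authenticator=None):
    """Build the Access-Request a router sends for an SSH (PAP) or WinBox (CHAP) login."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = attr(ATTR_USER_NAME, username)
    if chap:  # the Request Authenticator doubles as the CHAP challenge
        attrs += attr(ATTR_CHAP_PASSWORD, chap_password(identifier, password, authenticator))
    else:
        attrs += attr(ATTR_USER_PASSWORD, hide_pap_password(secret, authenticator, password))
    attrs += attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += attr(ATTR_NAS_IDENTIFIER, nas_id)  # what the NAS Identifier condition matches
    attrs += attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return [(type, value), ...] from the attribute section of a RADIUS packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1]
        attrs.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_response(secret, request, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(secret, request, response):
    """Client side: trust an Access-Accept only if it was made with our secret for our
    request. Skipping this check is what would let a spoofed reply grant access."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_access_request(server, secret, request, port=1812, timeout=3.0):
    """Send a request to an NPS server over UDP; return (response code, authentic?)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        response, _ = sock.recvfrom(4096)
    return response[0], response_is_authentic(secret, request, response)
```

A PAP request built with build_access_request and sent with send_access_request against the NPS from this article should come back as code 2 (Access-Accept) for a user in the Domain Admins group and 3 (Access-Reject) otherwise, provided the sending host is itself registered as a RADIUS client with the same secret. The unhide_pap_password function exists only to make the warning concrete: the "encryption" of PAP is a shared-secret mask, so protect the RADIUS path (a management VLAN or IPsec) and keep the secret long, as the article does.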






Then check the authorization in WinBox.






As you can see, Active Users shows the local system admin together with both sessions of the domain user, who has read access via SSH and WinBox.






Everything is working.

Thanks for your attention.

Source: https://habr.com/ru/post/343174/


