Whether you need to authenticate your users for PPP or any other Mikrotik service, you can do that either through the internal database or using the external RADIUS server. So in this case, what we will do, Windows AD will perform as an external RADIUS server.
In a nutshell, the user will be able to sign in to the VPN using the same credentials they use for their AD user accounts which they use to login to their computers. This is also termed as Single Sign-On or SSO.
FOR ILLUSTRATION PURPOSE WINDOWS SERVER 2016 HAS BEEN USED
NOTE:
1.) Microsoft AD works in LDAP protocol, but Mikrotik does not support LDAP protocol. So we will be using RADIUS protocol to authenticate between AD & Mikrotik, as Radius is supported by the later. The Remote Authentication Dial-In User Service protocol is described in RFC 2865.
2.) To get started with the RADIUS server on Windows AD (after 2008 R2), there is an in-built feature “Network Policy Server” or NPS which we need to add to the server roles to get it all up running.
Fundamentally, we need:
- At any rate, one working AD server, Domain Controller
- Your clients as of now can sign on to this area and work normally with other system administrations, similar to record servers
- In any event, one server in that must have an NPS feature enabled
- Your Mikrotik gadget must be appropriately arranged for other network stuff and open from your local network and the Internet
If you don’t mind note the accompanying data:
- All LAN IP addresses of all devices you will utilize
- The short domain name (like Contoso)
- All user groups in that domain which you want to use this service
- Password policies check
At the point when each one of those means is satisfied, we can proceed with this procedure.
Step 1: Click on “Add roles and features” from the Server Manager Dashboard:
Step 2: Select Installation type as Role-based or feature-based installation:
Step3: Select the destination server, if you have only one server then you will see only one server here, if you have a cluster, you should use the Domain Controller server.
Step 4: Select Network Policy and Access Services in Server Roles & install it, do a restart if it requires to do it.
Configuring NPS on Windows Server:
Step 1: Search for Network Policy Server on Windows Server:
Step 2: Right-click on NPS(local) & click on Register Server in Active Directory:
Step 3: Go to RADIUS CLIENTS 7 SERVERS > RADIUS CLIENTS & right-click & add new
Step 3- Put some friendly name for your Mikrotik Router here & put the IP address of your Mikrotik here. Make sure that you can ping the router from the server.
In the shared secret part put a strong key & make sure you remember it because Mikrotik will need this key to connect with the AD server.
Step 4- Go to policies > Connection Request Policies, you will find “Use Windows authentication for all users”, edit it & put the source to “unspecified”.
Step5- Go to Policies > Network Policies > Right-click & add new
- Put a Policy Name, click next
In Specify Conditions Tab, go to Add… button & then select Windows Group:
Specify the group of the user you want to give access to this VPN service, for illustration, I added Domain Users, so by default, this service will be available for all the users in the Domain by doing so:
Do Next & click on Access Granted on the next page.
Step 6: Tick the CHAP Encrypted Authentication from the below list & EAP types add Protected EAP (PEAP)
Do, next > next & finish
Here configuration finishes on AD
Configuring Mikrotik Router:
1.) Go to PPP > Secrets > PPP Authentication & Accounting > Tick on Use Radius
2.) Go to Radius;
3.) Click on the plus button on RADIUS:
- Select Service PPP
- Put the name of your Domain like “test.local”
- Address of the Domain in Address field
- In Secret field, put the secret which we entered in the AD Radius Client
- In the Source Address put the IP of the MT router
That is it, make sure the port numbers are correct, apply & save.
Make sure you have L2TP setup on Mikrotik for shared secret or certificate in case of SSTP VPN
Now you are all ready to connect to VPN through Mikrotik using your AD accounts.