Subject: [MT-AU Public] Active Directory Reversible Encryption

Dave Browning wrote:

Hi Guys,

Is there ANY way to use AAA with AD and not have to do the reversible encryption thing in AD? If not, will there be in the future?

Dave Browning | Network Engineer
P 07 3369 7666
Level 1, 12 Railway Tce, Milton QLD 4064

This email and any files transmitted with it contain confidential information for the exclusive use of the intended recipient. If you received this email in error please notify Sentrian Pty Ltd immediately by return email to the sender and delete the original email. We do not guarantee that this email or any attached files are free of viruses. All recipients should undertake their own virus scanning.

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au


On 24 Apr 2016, at 12:42 PM, RJ Plummer <RJ.Plummer@4logic.com.au> wrote:

Hi Dave,

There always has been, using NPS + mschap. There are also various other protected auth mechanisms, not all supported by MikroTik. What are you using AAA for on the MikroTik side?

RJ


On Monday, 25 April 2016 6:02 AM, Dave Browning wrote:

Hi RJ,

How so? I must be missing something obvious. Wifi auth.

Dave Browning | Network Engineer


On Monday, 25 April 2016 2:26 PM, RJ Plummer wrote:

Hi Dave,

You'll want to use PEAP as your extensible auth protocol; this will encrypt the auth in TLS. Also, there's no requirement for storing the password as reversible within the user attributes in AD.


On April 26, 2016 at 10:06:44 AM GMT+10, Philip Loenneker wrote:

The requirement for reversible encryption is any time you use CHAP authentication. This is a limitation of the CHAP protocol, not rOS as such. The only rOS feature we use that has to use CHAP is login, i.e. connecting to the device directly via SSH, WinBox, etc. I would love to see rOS upgraded to support other protocols for login - perhaps it has been and I haven't noticed, but we have some rOS 5.x devices around still.


Dave Browning wrote:

Thanks Philip, my confusion was that we had to set up reversible encryption so we could use AD for logins to many virtual Mikro's, so I assumed it had to be done for WiFi auth. I actually lab'd up WiFi auth yesterday and discovered there is no need to set up reversible encryption. I agree though, it'd be nice to not have to use CHAP for SSH, Telnet, Winbox auth.

Dave Browning | Network Engineer
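The thread's point (CHAP needs the cleartext password on the authenticator, so CHAP-backed RouterOS logins force "store password using reversible encryption" in AD, while WiFi auth via PEAP/MS-CHAPv2 does not) can be shown in code. The following is an added illustration, not code from the thread or from MikroTik or Microsoft. The CHAP part follows RFC 1994 exactly (Response = MD5(Identifier || Secret || Challenge)). The "verifier-keyed" part is a deliberately simplified stand-in for the principle MS-CHAPv2 relies on (its response is derived from the stored NT hash rather than the password), built here on HMAC-SHA256 so it runs on any Python; it is not the MS-CHAPv2 algorithm, and the account stores, user name, password and challenge are constructed toy values.

```python
"""Why CHAP needs a reversibly-stored password and a verifier-keyed
challenge-response does not. Added example; not from the mailing list."""
import hashlib
import hmac


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    Both peers compute this, so the authenticator must hold the secret itself."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ReversibleStore:
    """Toy model of AD with 'store password using reversible encryption' on:
    the directory can hand the cleartext password back to the authenticator."""
    def __init__(self) -> None:
        self._pw: dict[str, bytes] = {}

    def add(self, user: str, password: bytes) -> None:
        self._pw[user] = password

    def cleartext(self, user: str) -> bytes:
        return self._pw[user]


class OneWayStore:
    """Toy model of a directory that keeps only a one-way verifier of the
    password (stand-in for the NT hash AD normally stores)."""
    def __init__(self) -> None:
        self._verifier: dict[str, bytes] = {}

    def add(self, user: str, password: bytes) -> None:
        self._verifier[user] = derive_verifier(password)

    def verifier(self, user: str) -> bytes:
        return self._verifier[user]


def derive_verifier(password: bytes) -> bytes:
    # Simplified one-way verifier (constructed; AD's real one is the MD4 NT hash).
    return hashlib.sha256(password).digest()


def chap_verify(store, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """CHAP verification: only possible against a store that yields the cleartext."""
    if not hasattr(store, "cleartext"):
        raise TypeError("CHAP needs the cleartext secret; a one-way hash cannot be used")
    expected = chap_response(identifier, store.cleartext(user), challenge)
    return hmac.compare_digest(expected, response)


def verifier_keyed_response(verifier: bytes, challenge: bytes) -> bytes:
    """Response keyed on the stored verifier, not on the password (simplified
    stand-in for MS-CHAPv2's NT-hash-derived response; not the real algorithm)."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


def verifier_keyed_verify(store: OneWayStore, user: str, challenge: bytes, response: bytes) -> bool:
    """The authenticator verifies from the stored verifier alone, so the
    directory never needs the reversible password. Caveat: whoever steals the
    verifier can answer challenges too, so the store still needs protecting."""
    expected = verifier_keyed_response(store.verifier(user), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both schemes against both kinds of store; returns outcomes for checking."""
    password, wrong = b"correct-horse-battery", b"wrong-password"
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte challenge
    rev, oneway = ReversibleStore(), OneWayStore()
    rev.add("dave", password)
    oneway.add("dave", password)

    results = {}
    # CHAP works only when the directory can return the cleartext password.
    results["chap_reversible_ok"] = chap_verify(rev, "dave", 1, challenge, chap_response(1, password, challenge))
    results["chap_reversible_wrong_pw"] = chap_verify(rev, "dave", 1, challenge, chap_response(1, wrong, challenge))
    try:
        chap_verify(oneway, "dave", 1, challenge, chap_response(1, password, challenge))
        results["chap_against_one_way"] = "verified"
    except TypeError:
        results["chap_against_one_way"] = "impossible"
    # The verifier-keyed scheme needs no reversible password at all.
    client_resp = verifier_keyed_response(derive_verifier(password), challenge)
    results["verifier_keyed_ok"] = verifier_keyed_verify(oneway, "dave", challenge, client_resp)
    bad_resp = verifier_keyed_response(derive_verifier(wrong), challenge)
    results["verifier_keyed_wrong_pw"] = verifier_keyed_verify(oneway, "dave", challenge, bad_resp)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

PEAP, as RJ suggests, adds a TLS tunnel around the inner MS-CHAPv2 exchange, so the challenge/response above is never visible on the air; it does not change which secret the authenticator needs, which is why WiFi auth worked in the lab without reversible encryption while CHAP-only device logins still require it.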
participants (3)
-
Dave Browning
-
Philip Loenneker
-
RJ Plummer