Mikrotik login with chap

Vsevolod_Trofimov · July 12, 2024, 6:57am

I have troubles with configuring of winbox login for Mikrotik router via privacyidea ->freeradius->AD. I’ve got following error:

LDAPPasswordIsMandatoryError(‘password is mandatory in simple bind’,). It sound like password sent to AD is empty

In freeradius -x debug I’ve found that password sent in encrypted CHAP-Password field

$RAD_REQUEST{‘CHAP-Password’} = &request:CHAP-Password → ‘***’

in other experiment with PAP l2tp authorization I have following message
$RAD_REQUEST{‘User-Password’} = &request:User-Password → ‘***’
password send in non-encrypted user-password field and authentication WORKING

Is it possible to make it working with CHAP encrypted password?

cornelinux · July 12, 2024, 4:12pm

No. If you do not send the password via RADIUS it can not be passed to AD.

Vsevolod_Trofimov · July 17, 2024, 5:55am

is it possible to login with chap using token’s pin as password instead of using AD password?

cornelinux · July 19, 2024, 2:27pm

Unfortunately not.
privacyIDEA needs to pin+otp to split them.