MikroTik VPN + HotSpot

Alan DeKok aland at deployingradius.com
Tue Feb 11 19:55:41 UTC 2025


On Feb 10, 2025, at 7:20 PM, Adnan RIHAN <axel50397 at gmail.com> wrote:
> It works great, users and computers are members of the AD, so it’s using mschapv2 and ntlm_auth.

  That's good.

> Now, I would like to set up a hotspot on MikroTik to authenticate the users to the same Samba AD, the thing is, MikroTik only supports CHAP and PAP. As far as I understand, Samba AD only supports mschapv2 so it seems I’m stuck with PAP as the common mechanism. Am I right?

  If the RADIUS server receives User-Password (i.e. PAP), then you can skip ntlm_auth, and just verify the password directly via the LDAP module.  See mods-available/ldap for more information.

> If so, as I’m still using the default site, is there a guide to use ntlm_auth with PAP as a fallback mechanism if mschap and eventually chap (keeping it just in case I can use it for something else later) fail? Or do you guys have a better idea for my needs please?

  You don't configure a "fallback" mechanism.  The server receives either PAP or MS-CHAP, and then authenticates the user.

  You should set it up so that PAP requests get authenticated via LDAP, and MS-CHAP requests use ntlm_auth.

  Alan DeKok.
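
The split described in the reply above, sketched as a virtual-server fragment. This is an added example, not part of the original message or of the poster's configuration. It assumes FreeRADIUS 3.0.x syntax and the stock module names `ldap` and `mschap`; only the entries relevant to the split are shown, and the rest of the default site stays as shipped.

```unlang
# sites-enabled/default (fragment; FreeRADIUS 3.0.x syntax assumed)

authorize {
	# If the request carries MS-CHAP attributes, this sets
	# Auth-Type := MS-CHAP. It does nothing for PAP requests.
	mschap

	# Look the user up in the directory. The bind DN, base DN and
	# user filter live in mods-enabled/ldap.
	ldap

	# The request contains User-Password (PAP) and no other module
	# has claimed it: have the LDAP module verify the password by
	# binding to the directory as that user.
	if ((ok || updated) && User-Password && !control:Auth-Type) {
		update control {
			&Auth-Type := ldap
		}
	}
}

authenticate {
	# MS-CHAP requests: mods-enabled/mschap runs the command given
	# in its "ntlm_auth = ..." setting.
	Auth-Type MS-CHAP {
		mschap
	}

	# PAP requests from the hotspot: LDAP bind as the user.
	# The bind carries the cleartext password to the directory, so
	# enable TLS in mods-enabled/ldap (tls { start_tls = yes }).
	Auth-Type LDAP {
		ldap
	}
}
```

Running the server in debug mode (`radiusd -X`) shows which Auth-Type each request ended up with, which confirms that hotspot logins take the LDAP path and the existing MS-CHAP logins still reach ntlm_auth.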


