[radius] MikroTik with Windows Server 2016 NPS: IKEv2 VPN authentication fails

Posted on 2021-7-5 21:05:07

This post was last edited by e_zhangiso on 2021-7-5 21:05.

I've had some free time lately and wanted to test RouterOS IPsec authentication via RADIUS, so I set it up following the tutorial by the MikroTik 2019 MUM expert. For the RADIUS server I used Windows Server 2016 NPS. During authentication the certificate authentication passes, but the account authentication never gets through, and I don't know why. I later switched the RADIUS server to TekRADIUS and got exactly the same result. Could the experts here shed some light? Screenshots attached:

strongSwan authentication failure log:

Jul  5 16:26:32 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jul  5 16:26:32 00[DMN] Starting IKE service (strongSwan 5.9.1rc1, Android 9 - PAR-AL00 9.1.0.353(C00E351R1P1)/2020-07-01, PAR-AL00 - HUAWEI/PAR-AL00/HUAWEI, Linux 4.9.148, aarch64)
Jul  5 16:26:32 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Jul  5 16:26:32 00[JOB] spawning 16 worker threads
Jul  5 16:26:32 06[IKE] initiating IKE_SA android[14] to 116.10.131.230
Jul  5 16:26:32 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul  5 16:26:32 06[NET] sending packet: from 10.10.53.112[41282] to 116.10.131.230[500] (716 bytes)
Jul  5 16:26:33 07[NET] received packet: from 116.10.131.230[500] to 10.10.53.112[41282] (38 bytes)
Jul  5 16:26:33 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul  5 16:26:33 07[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jul  5 16:26:33 07[IKE] initiating IKE_SA android[14] to 116.10.131.230
Jul  5 16:26:33 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul  5 16:26:33 07[NET] sending packet: from 10.10.53.112[41282] to 116.10.131.230[500] (908 bytes)
Jul  5 16:26:33 10[NET] received packet: from 116.10.131.230[500] to 10.10.53.112[41282] (429 bytes)
Jul  5 16:26:33 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jul  5 16:26:33 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul  5 16:26:33 10[IKE] local host is behind NAT, sending keep alives
Jul  5 16:26:33 10[IKE] sending cert request for "DC=net, DC=testenterprise, CN=testenterprise-DC-CA"
Jul  5 16:26:33 10[IKE] establishing CHILD_SA android{13}
Jul  5 16:26:33 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul  5 16:26:33 10[NET] sending packet: from 10.10.53.112[44067] to 116.10.131.230[4500] (448 bytes)
Jul  5 16:26:33 14[NET] received packet: from 116.10.131.230[4500] to 10.10.53.112[44067] (2096 bytes)
Jul  5 16:26:33 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul  5 16:26:33 14[IKE] received end entity cert "CN=ikev2.vpn.net"
Jul  5 16:26:33 14[CFG]   using certificate "CN=ikev2.vpn.net"
Jul  5 16:26:33 14[CFG]   using trusted ca certificate "DC=net, DC=testenterprise, CN=testenterprise-DC-CA"
Jul  5 16:26:33 14[CFG] checking certificate status of "CN=ikev2.vpn.net"
Jul  5 16:26:33 14[CFG]   fetching crl from 'ldap:///CN=testenterprise-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testenterprise,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
Jul  5 16:26:33 14[LIB] unable to fetch from ldap:///CN=testenterprise-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testenterprise,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint, no capable fetcher found
Jul  5 16:26:33 14[CFG] crl fetching failed
Jul  5 16:26:33 14[CFG] certificate status is not available
Jul  5 16:26:33 14[CFG]   reached self-signed root ca with a path length of 0
Jul  5 16:26:33 14[IKE] authentication of 'ikev2.vpn.net' with RSA signature successful
Jul  5 16:26:33 14[IKE] server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jul  5 16:26:33 14[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Jul  5 16:26:33 14[NET] sending packet: from 10.10.53.112[44067] to 116.10.131.230[4500] (80 bytes)
Jul  5 16:26:34 11[NET] received packet: from 116.10.131.230[4500] to 10.10.53.112[44067] (272 bytes)
Jul  5 16:26:34 11[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jul  5 16:26:34 11[IKE] received EAP_FAILURE, EAP authentication failed
Jul  5 16:26:34 11[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Jul  5 16:26:34 11[NET] sending packet: from 10.10.53.112[44067] to 116.10.131.230[4500] (80 bytes)

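As an added example (not code from the original post or from MikroTik/strongSwan), a small Python diagnostic that walks charon log lines like the ones quoted above and reports the stage at which the IKEv2/EAP exchange failed. The sample log is constructed from the post's own lines, and the verdict strings are this example's own labels; it encodes one observation worth making about the log: EAP/FAIL arrives directly in response to EAP/RES/ID, with no EAP method request (for example EAP/REQ/MSCHAPV2) in between, so the backend rejected the identity before any credential was exchanged.

```python
import re
from dataclasses import dataclass
# Constructed sample, condensed from the strongSwan (charon) log quoted in the post.
SAMPLE_LOG = """\
Jul  5 16:26:33 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul  5 16:26:33 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul  5 16:26:33 14[CFG] crl fetching failed
Jul  5 16:26:33 14[IKE] authentication of 'ikev2.vpn.net' with RSA signature successful
Jul  5 16:26:33 14[IKE] server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jul  5 16:26:33 14[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Jul  5 16:26:34 11[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jul  5 16:26:34 11[IKE] received EAP_FAILURE, EAP authentication failed
"""
# charon line layout: "<timestamp> <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \d+\[\w+\] (?P<msg>.*)$")
@dataclass
class Ikev2Diagnosis:
    dh_renegotiated: bool = False     # responder answered IKE_SA_INIT with INVAL_KE
    crl_unavailable: bool = False     # client could not fetch the CRL (here an ldap:// URL)
    server_cert_ok: bool = False      # responder's certificate signature verified
    eap_identity: str = ""            # identity the client sent in EAP/RES/ID
    eap_method_offered: bool = False  # any EAP/REQ other than the identity request
    eap_failed: bool = False
    verdict: str = "no-eap-failure-observed"

def diagnose(log: str) -> Ikev2Diagnosis:
    """Walk a charon log and report the stage at which the IKEv2/EAP exchange failed."""
    d = Ikev2Diagnosis()
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if "N(INVAL_KE)" in msg:
            d.dh_renegotiated = True
        elif "crl fetching failed" in msg:
            d.crl_unavailable = True
        elif re.search(r"authentication of '.+' with \w+ signature successful", msg):
            d.server_cert_ok = True
        elif (ident := re.search(r"EAP_IDENTITY .* sending '([^']*)'", msg)):
            d.eap_identity = ident.group(1)
        elif re.search(r"EAP/REQ/(?!ID\b)", msg):  # e.g. EAP/REQ/MSCHAPV2
            d.eap_method_offered = True
        elif "EAP/FAIL" in msg or "received EAP_FAILURE" in msg:
            d.eap_failed = True
    # EAP_FAILURE with no method request in between: the backend (RADIUS) rejected the identity
    # before any credential was exchanged; after a method request, the credential or method failed.
    if d.eap_failed:
        d.verdict = "credential-or-method-rejected" if d.eap_method_offered else "identity-rejected-before-method"
    return d
```

Running `diagnose(SAMPLE_LOG)` on the quoted log yields server_cert_ok=True, eap_identity='itest1' and verdict 'identity-rejected-before-method', which is the RADIUS/NPS policy side to check first, rather than the password.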