Page 2 of 3
Results 11 to 20 of 26
  1. #11
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    35

    Default

    I just finished testing with a Windows 2012 server and once again, it's working without issue.

    I grabbed the Win2K12 R2 + Update ISO from MSDN and did a basic GUI server install. I used the Server Manager to add the Network Policy Server, and then I added my Untangle server as a RADIUS Client, and created a corresponding Network Policy entry with only MS-CHAP v2 enabled. My Windows 7 client connected the first time.

    I didn't setup active directory, so I assume it's just authenticating against the local user database. I don't think adding AD would make any difference, but if you're using it in your config let me know, and I can test with that.

    Also, I've assumed all along that you're testing with Untangle 12.0 but if that's not the case, let me know what version you're using.

    Mike

  2. #12
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    Thanks for the response. I've been out of town for a conference and am just getting back to this. Yes, I'm trying to authenticate against Active Directory. I'd like to avoid maintaining a local directory and also be able to automatically pass the windows login information in the VPN setup. Even if the user has to manually re-enter password, I'll get better user acceptance if it corresponds with their domain credentials.

  3. #13
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    I want to be sure that I have the correct settings for the RADIUS client. I've attached a few screen shots.

    1aSettings.png
    1bAdvanced.png
    2aOverview.png
    2bConstraints.png

  4. #14
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    35

    Default

    First... remember to let me know what version of Untangle you're using.

    The RADIUS Client config looks good.

    For your Network Policy, on the Conditions tab, you'll want to add the condition named "Client Friendly Name" with the Friendly name you used for the RADIUS Client you created. It should look something like this:

    Conditions.jpg

  5. #15
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    Just getting back to this. Getting the following in the Event Viewer: An Access-Request message was received from RADIUS client 192.168.10.1 with a Message-Authenticator attribute that is not valid.

  6. #16
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    This is what I'm getting from the NPS log when I do a successful test from the UT Directory Connector Radius page:
    "DC01","IAS",03/22/2016,17:08:06,1,"sam.mattern","SPECTRUMREPORTI\sam.mattern",,,,,,,,0,"192.168.10.1","Untangle",,,,,,,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:07:55 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Virtual Private Network (VPN) Connections",1,,,,
    "DC01","IAS",03/22/2016,17:08:06,2,,"SPECTRUMREPORTI\sam.mattern",,,,,,,,0,"192.168.10.1","Untangle",,,,,1,2,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:07:55 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x00535045435452554D5245504F525449",,,"Virtual Private Network (VPN) Connections",1,,,,

    This is what I'm getting when I attempt to connect from the windows client:
    "DC01","IAS",03/22/2016,17:11:00,1,"sam.mattern","SPECTRUMREPORTI\sam.mattern",,"L2TP",,,,"127.0.0.1",0,0,"192.168.10.1","Untangle",,,,,1,2,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:10:27 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Virtual Private Network (VPN) Connections",1,,,,
    "DC01","IAS",03/22/2016,17:11:00,2,,"SPECTRUMREPORTI\sam.mattern",,,,,,,,0,"192.168.10.1","Untangle",,,,,1,2,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:10:27 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"RSPECTRUMREPORTI",,,"Virtual Private Network (VPN) Connections",1,,,,

    Not sure if any of that helps.
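    The lines above are in the NPS "IAS format" (one CSV record per RADIUS packet, request followed by response). Reading them by eye is error-prone, so here is an added parser, not part of the thread or of Untangle, that pulls out the fields that matter for this kind of troubleshooting and pairs each Access-Request with the response NPS logged right after it. The column positions are the leading fields of Microsoft's IAS log format; the Packet-Type and Authentication-Type value names follow RADIUS and NPS conventions. The sample input is the four log lines from the post above, copied verbatim; the request/response pairing by adjacency is a simplification that fits this log but not an interleaved one.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Leading columns of the NPS "IAS format" log (0-based CSV field index).
# Only the fields this example reads are listed.
IAS_COLUMNS = {
    "record_date": 2,
    "record_time": 3,
    "packet_type": 4,
    "user_name": 5,
    "fully_qualified_name": 6,
    "calling_station_id": 8,
    "nas_ip_address": 12,
    "client_ip_address": 15,
    "client_friendly_name": 16,
    "authentication_type": 23,
    "policy_name": 24,
    "reason_code": 25,
}

# RADIUS packet codes as written in the Packet-Type column.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
# NPS Authentication-Type values.
AUTH_TYPES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP"}

# The four records posted in the thread, copied verbatim.
SAMPLE_LOG = r'''
"DC01","IAS",03/22/2016,17:08:06,1,"sam.mattern","SPECTRUMREPORTI\sam.mattern",,,,,,,,0,"192.168.10.1","Untangle",,,,,,,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:07:55 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Virtual Private Network (VPN) Connections",1,,,,
"DC01","IAS",03/22/2016,17:08:06,2,,"SPECTRUMREPORTI\sam.mattern",,,,,,,,0,"192.168.10.1","Untangle",,,,,1,2,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:07:55 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x00535045435452554D5245504F525449",,,"Virtual Private Network (VPN) Connections",1,,,,
"DC01","IAS",03/22/2016,17:11:00,1,"sam.mattern","SPECTRUMREPORTI\sam.mattern",,"L2TP",,,,"127.0.0.1",0,0,"192.168.10.1","Untangle",,,,,1,2,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:10:27 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Virtual Private Network (VPN) Connections",1,,,,
"DC01","IAS",03/22/2016,17:11:00,2,,"SPECTRUMREPORTI\sam.mattern",,,,,,,,0,"192.168.10.1","Untangle",,,,,1,2,4,"VPN",0,"311 1 192.168.10.100 03/22/2016 21:10:27 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"RSPECTRUMREPORTI",,,"Virtual Private Network (VPN) Connections",1,,,,
'''


@dataclass
class IasRecord:
    timestamp: str
    packet_type: int
    user_name: str
    fully_qualified_name: str
    calling_station_id: str
    nas_ip_address: str
    client_ip_address: str
    client_friendly_name: str
    authentication_type: Optional[int]
    policy_name: str
    reason_code: Optional[int]


def _int_or_none(value: str) -> Optional[int]:
    # Numeric IAS columns are blank when the attribute was absent from the packet.
    return int(value) if value.strip() else None


def parse_ias_lines(text: str) -> List[IasRecord]:
    """Parse IAS-format CSV lines into records; blank lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue

        def col(name: str) -> str:
            idx = IAS_COLUMNS[name]
            return row[idx] if idx < len(row) else ""

        records.append(IasRecord(
            timestamp=f"{col('record_date')} {col('record_time')}",
            packet_type=_int_or_none(col("packet_type")) or 0,
            user_name=col("user_name"),
            fully_qualified_name=col("fully_qualified_name"),
            calling_station_id=col("calling_station_id"),
            nas_ip_address=col("nas_ip_address"),
            client_ip_address=col("client_ip_address"),
            client_friendly_name=col("client_friendly_name"),
            authentication_type=_int_or_none(col("authentication_type")),
            policy_name=col("policy_name"),
            reason_code=_int_or_none(col("reason_code")),
        ))
    return records


def request_outcomes(records: List[IasRecord]) -> List[dict]:
    """Pair each Access-Request with the next response record NPS logged."""
    outcomes = []
    pending = None
    for rec in records:
        if rec.packet_type == 1:
            pending = rec
        elif rec.packet_type in (2, 3, 11) and pending is not None:
            outcomes.append({
                "user": pending.user_name,
                "radius_client": f"{pending.client_friendly_name} ({pending.client_ip_address})",
                "calling_station_id": pending.calling_station_id,
                "nas_ip_address": pending.nas_ip_address,
                "auth_type": AUTH_TYPES.get(rec.authentication_type, str(rec.authentication_type)),
                "policy": rec.policy_name,
                "outcome": PACKET_TYPES[rec.packet_type],
                "reason_code": rec.reason_code,
            })
            pending = None
    return outcomes


if __name__ == "__main__":
    for o in request_outcomes(parse_ias_lines(SAMPLE_LOG)):
        print(o)
```

Run on the posted lines, both attempts come out as Access-Accept under policy "VPN" with MS-CHAPv2 and reason code 0; the only visible difference between the UI test and the Windows client attempt is that the client's request carries Calling-Station-Id "L2TP" and NAS-IP-Address 127.0.0.1, which is useful to know when the NPS side says "success" and the client still fails.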

  7. #17
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    35

    Default

    1) You still have not indicated what version of Untangle you are using.

    2) For your most recent test, is that after adding the Client Friendly Name condition mentioned in previous note?

    3) You may want to double check your shared secrets. Note that there are actually two different shared secrets to deal with here.

    The first one is configured on the Untangle Directory Connector / Radius tab. It is used for the connection between Untangle and the RADIUS server. It must match the shared secret configured in the RADIUS Client object on the NPS Server.

    The second one is configured in the Untangle "IPSec VPN / VPN Config" tab using the IPsec Secret field. This one is used for the connection between the L2TP client and the Untangle server. It must match the preshared key in the Security / Advanced Settings page of the L2TP config on the Windows client.

    I'm guessing you're fine on the secrets tho. Since the test works in the Untangle UI, that indicates your Untangle <--> RADIUS secret is good. And since the Windows client connects using local directory, that suggests the Untangle <--> L2TP Client secret is fine also.

  8. #18
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,050

    Default

    mahotz,

    Here is my setup:
    Untangle 11.2.1 (Build: 11.2.1~svn20160120r42169release11.2-1wheezy)

    IPsec-Config.PNG
    NPS-Config.PNG
    NPS-Config2.PNG
    IPsec-Win10-Config.PNG
    Win10IPSEC-error.PNG

    Our NPS server shows that the response was Good from the NPS server:
    Code:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2016-03-23 08:34:36
    Event ID:      6278
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      RADIUS.DOMAIN.local
    Description:
    Network Policy Server granted full access to a user because the host met the defined health policy.
    
    
    User:
        Security ID:            DOMAIN\svrbjgu
        Account Name:            svrbjgu
        Account Domain:            DOMAIN
        Fully Qualified Account Name:    DOMAIN.local/X/X/Gustavsson Björn
    
    
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        -
        Calling Station Identifier:        L2TP
    
    
    NAS:
        NAS IPv4 Address:        127.0.0.1
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            -
        NAS Port:            0
    
    
    RADIUS Client:
        Client Friendly Name:        Untangle-UT1
        Client IP Address:            X.X.X.3
    
    
    Authentication Details:
        Connection Request Policy Name:    IPSEC
        Network Policy Name:        VPN
        Authentication Provider:        Windows
        Authentication Server:        DHCP-01.DOMAIN.local
        Authentication Type:        MS-CHAPv2
        EAP Type:            -
        Account Session Identifier:        -
    
    
    Quarantine Information:
        Result:                Full Access
        Extended-Result:            -
        Session Identifier:            -
        Help URL:            -
        System Health Validator Result(s):    -
    
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6278</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2016-03-23T07:34:36.271909100Z" />
        <EventRecordID>2892045</EventRecordID>
        <Correlation />
        <Execution ProcessID="508" ThreadID="608" />
        <Channel>Security</Channel>
        <Computer>DHCP-01.DOMAIN.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-XXXX</Data>
        <Data Name="SubjectUserName">svrbjgu</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="FullyQualifiedSubjectUserName">DOMAIN.local/X/X/Gustavsson Björn</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">-</Data>
        <Data Name="CallingStationID">L2TP</Data>
        <Data Name="NASIPv4Address">127.0.0.1</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">-</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">Untangle-UT1</Data>
        <Data Name="ClientIPAddress">X.X.X.3</Data>
        <Data Name="ProxyPolicyName">IPSEC</Data>
        <Data Name="NetworkPolicyName">VPN</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">RADIUS.DOMAIN.local</Data>
        <Data Name="AuthenticationType">MS-CHAPv2</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="QuarantineState">Full Access</Data>
        <Data Name="ExtendedQuarantineState">-</Data>
        <Data Name="QuarantineSessionID">-</Data>
        <Data Name="QuarantineHelpURL">-</Data>
        <Data Name="QuarantineSystemHealthResult">-</Data>
      </EventData>
    </Event>
    IPSec log:
    Code:
    Mar 23 08:34:36 ut charon: 14[IKE] deleting IKE_SA VPN-L2TP-0[276] between X.X.X.180[X.X.X.180]...94.234.170.171[192.168.43.107]
    Mar 23 08:34:36 ut charon: 14[IKE] deleting IKE_SA VPN-L2TP-0[276] between X.X.X.180[X.X.X.180]...94.234.170.171[192.168.43.107]
    Mar 23 08:34:36 ut charon: 14[IKE] received DELETE for IKE_SA VPN-L2TP-0[276]
    Mar 23 08:34:36 ut charon: 14[ENC] parsed INFORMATIONAL_V1 request 3716118550 [ HASH D ]
    Mar 23 08:34:36 ut charon: 14[NET] received packet: from 94.234.170.171[61940] to X.X.X.180[4500] (92 bytes)
    Mar 23 08:34:36 ut charon: 01[IKE] closing CHILD_SA VPN-L2TP-0{14} with SPIs c85be40d_i (823 bytes) 817dc4d0_o (511 bytes) and TS X.X.X.180/32[udp/l2f] === 94.234.170.171/32[udp/l2f] 
    Mar 23 08:34:36 ut charon: 01[IKE] closing CHILD_SA VPN-L2TP-0{14} with SPIs c85be40d_i (823 bytes) 817dc4d0_o (511 bytes) and TS X.X.X.180/32[udp/l2f] === 94.234.170.171/32[udp/l2f] 
    Mar 23 08:34:36 ut charon: 01[IKE] received DELETE for ESP CHILD_SA with SPI 817dc4d0
    Mar 23 08:34:36 ut charon: 01[ENC] parsed INFORMATIONAL_V1 request 3204623256 [ HASH D ]
    Mar 23 08:34:36 ut charon: 01[NET] received packet: from 94.234.170.171[61940] to X.X.X.180[4500] (76 bytes)
    Mar 23 08:34:36 ut charon: 07[KNL] interface ppp0 deleted
    Mar 23 08:34:33 ut charon: 02[IKE] CHILD_SA VPN-L2TP-0{14} established with SPIs c85be40d_i 817dc4d0_o and TS X.X.X.180/32[udp/l2f] === 94.234.170.171/32[udp/l2f] 
    Mar 23 08:34:33 ut charon: 02[IKE] CHILD_SA VPN-L2TP-0{14} established with SPIs c85be40d_i 817dc4d0_o and TS X.X.X.180/32[udp/l2f] === 94.234.170.171/32[udp/l2f] 
    Mar 23 08:34:33 ut charon: 02[ENC] parsed QUICK_MODE request 1 [ HASH ]
    Mar 23 08:34:33 ut charon: 02[NET] received packet: from 94.234.170.171[61940] to X.X.X.180[4500] (60 bytes)
    Mar 23 08:34:33 ut charon: 11[NET] sending packet: from X.X.X.180[4500] to 94.234.170.171[61940] (204 bytes)
    Mar 23 08:34:33 ut charon: 11[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Mar 23 08:34:33 ut charon: 11[IKE] received 250000000 lifebytes, configured 0
    Mar 23 08:34:33 ut charon: 11[IKE] received 3600s lifetime, configured 0s
    Mar 23 08:34:33 ut charon: 11[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
    Mar 23 08:34:33 ut charon: 11[NET] received packet: from 94.234.170.171[61940] to X.X.X.180[4500] (444 bytes)
    Mar 23 08:34:33 ut charon: 10[NET] sending packet: from X.X.X.180[4500] to 94.234.170.171[61940] (76 bytes)
    Mar 23 08:34:33 ut charon: 10[ENC] generating ID_PROT response 0 [ ID HASH ]
    Mar 23 08:34:33 ut charon: 10[IKE] DPD not supported by peer, disabled
    Mar 23 08:34:33 ut charon: 10[IKE] IKE_SA VPN-L2TP-0[276] established between X.X.X.180[X.X.X.180]...94.234.170.171[192.168.43.107]
    Mar 23 08:34:33 ut charon: 10[IKE] IKE_SA VPN-L2TP-0[276] established between X.X.X.180[X.X.X.180]...94.234.170.171[192.168.43.107]
    Mar 23 08:34:33 ut charon: 10[CFG] selected peer config "VPN-L2TP-0"
    Mar 23 08:34:33 ut charon: 10[CFG] looking for pre-shared key peer configs matching X.X.X.180...94.234.170.171[192.168.43.107]
    Mar 23 08:34:33 ut charon: 10[ENC] parsed ID_PROT request 0 [ ID HASH ]
    Mar 23 08:34:33 ut charon: 10[NET] received packet: from 94.234.170.171[61940] to X.X.X.180[4500] (76 bytes)
    Mar 23 08:34:33 ut charon: 09[NET] sending packet: from X.X.X.180[500] to 94.234.170.171[56072] (212 bytes)
    Mar 23 08:34:33 ut charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Mar 23 08:34:33 ut charon: 09[IKE] remote host is behind NAT
    Mar 23 08:34:33 ut charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Mar 23 08:34:33 ut charon: 09[NET] received packet: from 94.234.170.171[56072] to X.X.X.180[500] (228 bytes)
    Mar 23 08:34:33 ut charon: 06[NET] sending packet: from X.X.X.180[500] to 94.234.170.171[56072] (136 bytes)
    Mar 23 08:34:33 ut charon: 06[ENC] generating ID_PROT response 0 [ SA V V V ]
    Mar 23 08:34:33 ut charon: 06[IKE] 94.234.170.171 is initiating a Main Mode IKE_SA
    Mar 23 08:34:33 ut charon: 06[IKE] 94.234.170.171 is initiating a Main Mode IKE_SA
    Mar 23 08:34:33 ut charon: 06[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Mar 23 08:34:33 ut charon: 06[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Mar 23 08:34:33 ut charon: 06[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Mar 23 08:34:33 ut charon: 06[IKE] received FRAGMENTATION vendor ID
    Mar 23 08:34:33 ut charon: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID

    So looks like we have the same issue.

    Xauth works
    Switching to Local Catalog works

  9. #19
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    Thanks for testing WebFooL. My settings are identical to yours.

    1) Build: 12.0.0~svn20160315r42669release12.0-1jessie
    Kernel: 3.16.0-4-untangle-686-pae

    2) I did add the client friendly name as the connection authorization condition. Before I just had it set to day/time being any day/time.

    3) I've actually changed the shared secrets a few times because I generated the shared secret from within NPS. There is an option to generate. I decided to type in a long string instead, and then put that in UT, but it made no difference.

    In UT > Directory Connector > RADIUS Connector, Shared Secret is the same Shared Secret in NPS > RADIUS Clients.

    In UT > IPsec VPN > VPN Config > IPsec Secret is same as shared secret used on client when configuring L2TP/IPSec preshared key.

    Like I mentioned before, I am having zero issues with local directory. The issue is the authentication against Active Directory.

  10. #20
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    35

    Default

    I might be onto something. When using certain characters in the Untangle / Windows RADIUS shared secret, the UI test will pass but client login will fail with the message you've been seeing. We know the UI and daemons use different libraries, so this isn't entirely unexpected, but it is annoying when dealing with these kinds of issues.

    Anyhow... if I use this, the client fails:
    ABCDEFGHIJKLMNOPQRSTUVWXYZ`1234567890-=~!@#$%^&*()_+

    If I use this, the client connects:
    ABCDEFGHIJKLMNOPQRSTUVWXYZ

    We use libfreeradius-client2 to do RADIUS for L2TP, and documentation is hard to come by. The shared secrets are stored in:

    /etc/radiusclient/servers

    Here is the example from the FreeRADIUS web site:

    #Server Name or Client/Server pair Key
    #---------------- ---------------
    #portmaster.elemental.net hardlyasecret
    #portmaster2.elemental.net donttellanyone
    myradius.mydomain.com same-secret-in-freeradius-client.conf

    No quotes. No examples of escaped chars. Nothing. Just a bunch of simple all alpha strings.

    I suspect if you tweak your shared secrets to be upper/lower/numeric, everything will start working.

    I'm going to try to narrow down what characters it doesn't like, but it'll take some time. The command line tools used to call the same library used by the L2TP plugin are broken, so I have to re-config both sides and try each one with the client/server setup.

    I did try ABCDEFGHIJKLMNOPQRSTUVWXYZ` (trailing single quote) and it failed, so single quotes make it unhappy. I'm sure there are more.
    Last edited by mahotz; 03-23-2016 at 04:20 PM. Reason: formatting
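    The NPS message from post #15 ("Message-Authenticator attribute that is not valid") and the shared-secret observation above are two views of the same check: the Message-Authenticator (RFC 2869, section 5.14) is an HMAC-MD5 over the Access-Request, keyed with the RADIUS shared secret, so any byte-level difference between the secret the NAS actually uses and the one configured in the RADIUS Client object makes NPS drop the request. The following is an added example, not code from the thread, from Untangle or from libfreeradius-client, that builds a minimal Access-Request, computes the authenticator the way a NAS would, and verifies it the way the server would. The packet contents, the identifier and the fixed Request Authenticator are constructed for reproducibility (a real NAS draws the Request Authenticator randomly); the "truncated at `#`" variant in demo() is a hypothetical illustration of what an unquoted config format could do to a secret, not a claim about how libfreeradius-client parses its servers file, and it does not explain the trailing-backtick case observed above.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# The full secret from the post above (constructed test value, never reuse it).
NPS_SECRET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ`1234567890-=~!@#$%^&*()_+"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type, length (header included), value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, request_authenticator: bytes, attrs: bytes) -> bytes:
    # 20-byte header: code, identifier, total length, 16-byte Request Authenticator.
    assert len(request_authenticator) == 16
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs


def find_attr(packet: bytes, attr_type: int):
    """Return the value of the first attribute of the given type, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:          # malformed attribute; stop rather than loop forever
            return None
        if t == attr_type:
            return packet[pos + 2:pos + length]
        pos += length
    return None


def zero_message_authenticator(packet: bytes) -> bytes:
    """Copy of the packet with the Message-Authenticator value bytes set to zero."""
    out = bytearray(packet)
    pos = 20
    while pos + 2 <= len(out):
        t, length = out[pos], out[pos + 1]
        if length < 2:
            break
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            out[pos + 2:pos + length] = b"\x00" * (length - 2)
        pos += length
    return bytes(out)


def message_authenticator(packet: bytes, secret: bytes) -> bytes:
    # RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the whole
    # packet, with the Message-Authenticator value zeroed.
    return hmac.new(secret, zero_message_authenticator(packet), hashlib.md5).digest()


def sign_access_request(ident: int, req_auth: bytes, user: str, nas_ip: str, secret: bytes) -> bytes:
    """What the NAS does: build the request with a zero placeholder, then fill in the HMAC."""
    attrs = encode_attr(ATTR_USER_NAME, user.encode())
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, last attribute
    packet = build_access_request(ident, req_auth, attrs)
    return packet[:-16] + message_authenticator(packet, secret)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the server does: recompute and compare in constant time."""
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found) != 16:
        return False
    return hmac.compare_digest(found, message_authenticator(packet, secret))


def demo():
    """Same secret passes; any mangled variant of it fails the server-side check."""
    secret = NPS_SECRET.encode()
    packet = sign_access_request(7, bytes(range(16)), "sam.mattern", "192.168.10.1", secret)
    truncated = secret.split(b"#")[0]        # hypothetical: secret cut at a comment character
    padded = secret + b" "                   # hypothetical: trailing whitespace kept by one side
    return (
        verify_message_authenticator(packet, secret),
        verify_message_authenticator(packet, truncated),
        verify_message_authenticator(packet, padded),
    )


if __name__ == "__main__":
    print(demo())
```

The practical reading is the one mahotz gives: if the UI test passes but the daemon's requests are rejected with that event, the two code paths are not presenting the same secret bytes, and an alphanumeric secret of adequate length removes the question of how each side's config parser treats punctuation.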
