IPsec VPN not connecting via RADIUS

[sammattern]

I am testing the IPsec VPN. It's working great with users set up in Local Directory. So I configured RADIUS on Windows Server 2012 and installed the trial of Directory Connector. I configure it, and when I try the RADIUS test with a known username and password, it returns "RADIUS authentication successful!" When I put in a bad password, it returns "RADIUS authentication failure." So the RADIUS Connector seems to be working just fine.

However, when I switch the IPsec VPN User Authentication to RADIUS from Local Directory, it does not work. When I attempt to connect from Windows VPN, I get:

Verifying user name and password...
Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

I've tried including the domain info, excluding domain info, checked the Network Policy settings, but can't seem to get anywhere. I'm using MS-CHAP v2 for Authentication Method. Like I said, the RADIUS Test works. Any help would be greatly appreciated!

[dmorris]

The radius test itself (in the UI) uses a different RADIUS connector than the IPsec daemon.
So a successful test there doesn't mean the IPsec daemon itself can successfully authenticate users. (I know it sucks, we've run into this before).

Maybe WebFool will chime in, I think he had a similar issue but I'm not sure if he ever sorted it out.

Is a windows based RADIUS server?

[jcoffin]

Previous thread on using Microsoft RADIUS. I recommend using FreeRADIUS instead or switch MS RADIUS to PAP authentication.

https://forums.untangle.com/ipsec-vp...-problems.html

[mahotz]

I think the issue WebFool had was related to using Xauth. If you're using L2TP/IPsec and Windows as a VPN client, it should work. I can't think of anything to have you look at other than to double check the username and password in the client. Also, if you're using the "Automatically use my Windows logon..." option under MS-CHAP v2 on the client, you may try disabling that and manually entering the username and password when connecting.

[sammattern]

I had read WebFool's post and it didn't seem relevant to my situation. I am not using Xauth, just L2TP/IPsec via NPS and the windows client.

With the Windows client, I tried "Automatically use my Windows logon..." as well as the manual option, with and without the domain box. I tried domain\username in username field, username@domain in username field, and username only; plus I also added the domain box and tried with and without the domain.

It's weird. I was hopeful that I could find something in the Event Log, but I'm not finding anything. Maybe I'm looking in the wrong place. I'm not very familiar with NPS.

Some additional info from NPS:
Network connection method > Type of network access server: I have set to "Unspecified." Nothing else looked appropriate.
Conditions > I created a group called VPN and added my VPN users to it.
Authentication Methods > Less secure authentication methods: only MS-CHAP-v2 checked.

Thanks.

[mahotz]

Hrmm... I'm stumped too. You mentioned testing with good/bad credentials via the UI RADIUS Connector tab gives the success/fail results you would expect, so that kind suggests that the Windows server config is sane.

I'm working with a Windows 2008 server here, but we've had other clients use 2012 and MS-CHAP v2 with no problems, so I wouldn't suspect that, although someone mentioned in passing that there are differences. I'm going to see if I can get a W2K12 server setup here for testing. Will update with my results when I know more.

Also, what version of Windows is the client workstation running? I might as well match the setup exactly as I dive into this.

[sammattern]

mahotz, I appreciate your willingness to try to replicate the issue. My test client is Windows 7. I tried a few more things and got different results.

I initially had the client Security > Authentication set for "Allow these protocols" with "Microsoft CHAP Version 2" selected (got 691 error). I decided to switch the Authentication instead to "Use Extensible Authentication Protocol (EAP) and set the drop down to "Microsoft: Secured password (EAP-MSCHAP v2)(encryption enabled)." This gave me an error 628, "The connection was terminated by the remote computer before it could be completed."

[WebFooL]

Tip from me is to download NTRadPing from Novell.
https://www.novell.com/coolsolutions/tools/14377.html

And add you client as a Radius client and trubelshoot with it.

Our problem is with NPS and IPSEC and that NPS dose not "correctly" use conditions.

[sammattern]

Tip from me is to download NTRadPing from Novell.
https://www.novell.com/coolsolutions/tools/14377.html

And add you client as a Radius client and trubelshoot with it.

Our problem is with NPS and IPSEC and that NPS dose not "correctly" use conditions.

Thanks for this. I pulled it down and can't figure out the parameters. When I try to point it at the UT box with the secret key and my login info, I just get "no response from server." I also tried forwarding ports to hit the radius server directly but got the same results.

[WebFooL]

Point it to your radius server.
It acts as a radius client.

It will give you a better look on what the radius server gives for response.