Page 1 of 3
Results 1 to 10 of 26
  1. #1
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default IPsec VPN not connecting via RADIUS

    I am testing the IPsec VPN. It's working great with users set up in Local Directory. So I configured RADIUS on Windows Server 2012 and installed the trial of Directory Connector. I configured it, and when I try the RADIUS test with a known username and password, it returns "RADIUS authentication successful!" When I put in a bad password, it returns "RADIUS authentication failure." So the RADIUS Connector seems to be working just fine.

    However, when I switch the IPsec VPN User Authentication to RADIUS from Local Directory, it does not work. When I attempt to connect from Windows VPN, I get:

    Verifying user name and password...
    Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

    I've tried including the domain info, excluding domain info, checked the Network Policy settings, but can't seem to get anywhere. I'm using MS-CHAP v2 for Authentication Method. Like I said, the RADIUS Test works. Any help would be greatly appreciated!

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    The radius test itself (in the UI) uses a different RADIUS connector than the IPsec daemon.
    So a successful test there doesn't mean the IPsec daemon itself can successfully authenticate users. (I know it sucks, we've run into this before).

    Maybe WebFool will chime in, I think he had a similar issue but I'm not sure if he ever sorted it out.

    Is it a Windows-based RADIUS server?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,813

    Default

    Previous thread on using Microsoft RADIUS. I recommend using FreeRADIUS instead or switch MS RADIUS to PAP authentication.

    https://forums.untangle.com/ipsec-vp...-problems.html
    Last edited by jcoffin; 03-08-2016 at 04:58 PM.

  4. #4
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    36

    Default

    I think the issue WebFool had was related to using Xauth. If you're using L2TP/IPsec and Windows as a VPN client, it should work. I can't think of anything to have you look at other than to double check the username and password in the client. Also, if you're using the "Automatically use my Windows logon..." option under MS-CHAP v2 on the client, you may try disabling that and manually entering the username and password when connecting.

  5. #5
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    I had read WebFool's post and it didn't seem relevant to my situation. I am not using Xauth, just L2TP/IPsec via NPS and the Windows client.

    With the Windows client, I tried "Automatically use my Windows logon..." as well as the manual option, with and without the domain box. I tried domain\username in username field, username@domain in username field, and username only; plus I also added the domain box and tried with and without the domain.

    It's weird. I was hopeful that I could find something in the Event Log, but I'm not finding anything. Maybe I'm looking in the wrong place. I'm not very familiar with NPS.

    Some additional info from NPS:
    Network connection method > Type of network access server: I have set to "Unspecified." Nothing else looked appropriate.
    Conditions > I created a group called VPN and added my VPN users to it.
    Authentication Methods > Less secure authentication methods: only MS-CHAP-v2 checked.

    Thanks.

  6. #6
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    36

    Default

    Hrmm... I'm stumped too. You mentioned testing with good/bad credentials via the UI RADIUS Connector tab gives the success/fail results you would expect, so that kind of suggests that the Windows server config is sane.

    I'm working with a Windows 2008 server here, but we've had other clients use 2012 and MS-CHAP v2 with no problems, so I wouldn't suspect that, although someone mentioned in passing that there are differences. I'm going to see if I can get a W2K12 server set up here for testing. Will update with my results when I know more.

    Also, what version of Windows is the client workstation running? I might as well match the setup exactly as I dive into this.

  7. #7
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    mahotz, I appreciate your willingness to try to replicate the issue. My test client is Windows 7. I tried a few more things and got different results.

    I initially had the client Security > Authentication set for "Allow these protocols" with "Microsoft CHAP Version 2" selected (got 691 error). I decided to switch the Authentication instead to "Use Extensible Authentication Protocol (EAP)" and set the drop down to "Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled)." This gave me an error 628, "The connection was terminated by the remote computer before it could be completed."

  8. #8
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,279

    Default

    Tip from me is to download NTRadPing from Novell.
    https://www.novell.com/coolsolutions/tools/14377.html

    And add your client as a RADIUS client and troubleshoot with it.

    Our problem is with NPS and IPSEC and that NPS does not "correctly" use conditions.

  9. #9
    Untangler
    Join Date
    Feb 2009
    Posts
    47

    Default

    Quote Originally Posted by WebFooL View Post
    Tip from me is to download NTRadPing from Novell.
    https://www.novell.com/coolsolutions/tools/14377.html

    And add your client as a RADIUS client and troubleshoot with it.

    Our problem is with NPS and IPSEC and that NPS does not "correctly" use conditions.
    Thanks for this. I pulled it down and can't figure out the parameters. When I try to point it at the UT box with the secret key and my login info, I just get "no response from server." I also tried forwarding ports to hit the radius server directly but got the same results.

  10. #10
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,279

    Default

    Point it to your RADIUS server.
    It acts as a RADIUS client.

    It will give you a better look at what the RADIUS server sends in response.
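A minimal RADIUS PAP exchange in Python, added here as an illustration and not taken from the thread or from NTRadPing: it builds the Access-Request a test client sends (PAP, the method jcoffin suggested in post #3, rather than the MS-CHAP v2 the thread is using), simulates the server's Access-Accept or Access-Reject, and verifies the Response Authenticator the way a careful client should. The shared secret, username and NAS-Identifier are constructed values and nothing is sent over the network.

```python
import hashlib, hmac, struct

SECRET = b"example-shared-secret"  # constructed shared secret, not from the thread
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", code, len(value) + 2) + value

def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: the packet a PAP test tool such as NTRadPing sends (authenticator must be 16 random bytes)."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attr(NAS_IDENTIFIER, b"radius-test-client"))  # constructed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Simulated server: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_response(request: bytes, response: bytes, secret: bytes) -> str:
    """Client side: verify ID and Response Authenticator before trusting the verdict (wrong secret -> 'bad-authenticator')."""
    if len(response) < 20 or response[1] != request[1]:
        return "invalid"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")
```

Per RFC 2865 a server silently discards requests from a source it does not know as a RADIUS client, so the "no response from server" seen in post #9 is a different failure from an Access-Reject, which this check reports as "reject".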

