  1. #1 jcoehoorn (Untangle Ninja; York, NE; joined Mar 2010; 1,304 posts)

    Strange double-login connecting to IPSec VPN from Windows 10

    Not sure if this is a Windows bug or an Untangle/strongswan/debian bug, but I wanted to report it here just in case.

    I'm getting the IPSec VPN service up and running in Untangle. I have it working to use Active Directory credentials via FreeRadius, and in testing I noticed a weird behavior with the authentication. The desired behavior I want to push by default is that users must log in manually when they connect, to prevent a stolen laptop from having unchallenged access to our internal network. It should NOT save credentials. I do not set it to save credentials (and if I can find a Group Policy to block end users from doing this, I will enable it).

    What happens right now is I will see a prompt for the credentials. If I put in bad info, it blocks the connection, as it should. However, if I put in good credential info, the prompt is shown to the user a second time. The really weird thing is if I move the prompt to the side, I can see that the connection finishes correctly. At this point, I can click "Cancel" on the prompt, and the VPN will disconnect, or I can enter anything I want for the username... it doesn't have to be valid credential info... and the prompt will now go away and the VPN stays connected.

    I'd like to avoid this 2nd prompt, if I can, but I have no idea what's causing it.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 8GB with Untangle 12.2 to protect 200Mbits for ~400 residential college students and associated staff and faculty

  2. #2 jcoehoorn (Untangle Ninja; York, NE; joined Mar 2010; 1,304 posts)

    The plot thickens.

    As I'm sitting here testing it, I see the problem only comes up on my personal computer at home that I've been using to test this. If I connected with a domain-joined laptop I brought from the office, I don't see this problem. So it's still weird, but when I make this available to my users, only campus-owned equipment will be allowed, so it's not something they'll see.

    Still curious why it happens, though.

  3. #3 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 21,452 posts)

    I'm sad to say you're going to see this a ton. And, a related issue you're going to find...

    Do not, for the love of all that is Holy, use the same usernames on your VPN as you do AD.

    Why?

    Well, that second logon prompt is popping up because Windows is ignoring what you're logging in with the first time and attempting the stuff you used to log into Windows with. Then, it'll finally listen and log in with stuff that works... and there it goes wrong again because whatever you used to log in on the VPN with will be tried against AD resources!

    So unless you like unlocking accounts 24/7, you'd better not have the usernames matching, and watch your security logs on your AD server: they're about to light up.

    All of this is Microsoft's single sign-on design.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
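The failure mode described in the post above (Windows retrying a cached or desktop credential against the VPN, then the VPN credential against AD, driving up failed-logon counts until the lockout threshold trips) shows up on the domain controller as bursts of failed-logon events for one account followed by a success from the same host, and eventually an account-lockout event. The script below is an added example, not code from the thread, Untangle or NexgenAppliances, that runs that detection over a few constructed, simplified log lines. The one-line record format, the account and workstation names, and the lockout threshold of 5 are all assumptions; the Windows Security event IDs 4625 (failed logon), 4624 (successful logon) and 4740 (account locked out) are real, but a production version would read them from the event log rather than from this flattened form.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (assumed format, not real captures):
# "<timestamp> <EventID> account=<name> workstation=<host> logon_type=<n> status=<code>"
# 4625 = failed logon, 4624 = successful logon, 4740 = account locked out.
SAMPLE_LOG = """\
2017-04-24T09:58:01 4625 account=jsmith workstation=HOME-PC logon_type=3 status=0xC000006D
2017-04-24T09:58:02 4625 account=jsmith workstation=HOME-PC logon_type=3 status=0xC000006D
2017-04-24T09:58:03 4625 account=jsmith workstation=HOME-PC logon_type=3 status=0xC000006D
2017-04-24T09:58:04 4625 account=jsmith workstation=HOME-PC logon_type=3 status=0xC000006D
2017-04-24T09:58:05 4624 account=jsmith workstation=HOME-PC logon_type=3 status=0x0
2017-04-24T09:58:20 4625 account=jsmith workstation=HOME-PC logon_type=3 status=0xC000006D
2017-04-24T10:01:10 4625 account=mjones workstation=LAPTOP-07 logon_type=3 status=0xC000006D
2017-04-24T10:30:00 4740 account=jsmith workstation=HOME-PC logon_type=- status=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) account=(?P<account>\S+) "
    r"workstation=(?P<ws>\S+) logon_type=(?P<ltype>\S+) status=(?P<status>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["event"] = int(rec["event"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def peak_failures(events, window):
    """Largest number of 4625 events for one account inside any span of length `window`."""
    times = sorted(e["ts"] for e in events if e["event"] == 4625)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window forward
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(text, threshold=5, window=timedelta(minutes=30)):
    """Per-account summary: how close each account got to the (assumed) lockout threshold,
    whether failures resolved into a success from the same host (the retry pattern the
    thread describes), and whether a lockout (4740) was actually recorded."""
    by_account = defaultdict(list)
    for rec in parse_log(text):
        by_account[rec["account"]].append(rec)

    report = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        fail_then_ok = any(
            prev["event"] == 4625 and cur["event"] == 4624 and prev["ws"] == cur["ws"]
            for prev, cur in zip(events, events[1:])
        )
        peak = peak_failures(events, window)
        report[account] = {
            "peak_failures": peak,
            "at_risk": peak >= threshold - 1,  # one more bad attempt would lock the account
            "fail_then_success": fail_then_ok,
            "locked_out": any(e["event"] == 4740 for e in events),
            "workstations": sorted({e["ws"] for e in events}),
        }
    return report


if __name__ == "__main__":
    for account, summary in assess(SAMPLE_LOG).items():
        print(account, summary)
```

Accounts flagged with both `at_risk` and `fail_then_success` from a single workstation are the signature of a client retrying the wrong stored credential before the right one, rather than of a guessing attack from many sources; that distinction is what decides whether the fix is on the client (separate VPN usernames, as suggested above) or in the lockout policy.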

  4. #4 jcoehoorn (Untangle Ninja; York, NE; joined Mar 2010; 1,304 posts)

    I think I'll be okay here. I have it set up so that FreeRadius logins do NOT increment the AD lockout count. At least, I think I do.

    If this doesn't work, would letting users save their known-good credentials fix this problem? So that it's always trying a good username/password combo? Again, that's not my preference, but if it's the difference between things actually working and things being broken, I may have to put up with it.
    Last edited by jcoehoorn; 04-24-2017 at 10:03 AM.