Problems with AD Authentication and PPTP VPN Access

Question

I am having issues setting up VPN access authenticated through Active Directory. I have my active directory servers added to the list of authentication servers, and I confirmed that I am now able to log in to the user portal using my AD credentials. 
 In Authentication Services, I have the Active Directory servers selected as authentication servers for VPN, and they are listed higher than "Local." I also confirmed that for my AD user, L2TP and PPTP are both checked (I am trying to use PPTP). 
 I also created a Local user for testing, and configured all of the settings to mirror what I set for my AD user (user name and password are both different, however). 
 I am able to connect to the VPN without issue using the Local user, but not using the AD user. In the Sophos log viewer, for my AD attempts, it just tells me that the VPN Authentication FAILED, and Auth Mechanism shows all three approved methods (AD, AD, Local). For the local user, I see SUCCESSFUL entries for VPN Authentication with the Auth Mechanism listing "Local," and then there are some followup entries for Firewall Authentication. 
 Any thoughts on why the AD authentication is failing for the VPN connection, but not for the portal?

Leon.Friend · Answer

I suspect you issue here is a miss match in the authentication method, the default authentication method for L2TP and PPTP is MS CHAP v2 which will require authentication via a RADIUS server (such as NPS). In order to directly authenticate against Active Directory Services directly you will need to modify the authentication method, this can be performed at the console.

Execute the following command to set authentication method for L2TP users:

console> set vpn l2tp authentication <ANY/CHAP/MS_CHAPv2/PAP>

OR

Execute the following command to set authentication method for PPTP users:

console> set vpn pptp authentication <ANY/CHAP/MS_CHAPv2/PAP>

You can try either PAP or ANY. However from a security perspective I would strongly recommend you implement NPS and use MS CHAP v2

VivekJanjrukiya · Answer

Hi Tim007, 
 there is known limitation with AD authentication with CHAP & MS-CHAP can you set "set vpn pptp authentication PAP" from CLI and match the same at remote end and check ? if it is working or not ?

José Luiz Rodrigues Filho · Answer

We have faced the same problem with several clients that we have reported to you, however, we did it in the lab with our team and identified that the problem is not authentication with AD or any other server, but rather the authentication method. 
 The tests to observe the authentication process can be checked through the Sophos console with the command: 
 #console> show vpn PPTP-logs 
 *For those who have worked with Cyberoam, they will have an easier time identifying these problems 
 During the tests we have identified that the encryption used for Handshake is CHAP MD5, and this seems not to be supported in this type of authentication between VPN >> Sophos >> Active Directory. 
 To solve this, the only method that we could operate this type of authentication with this scope of VPN was using the method of authentication PAP that can be used configured through the console with the command below: 
 #console> set vpn pptp authentication PAP 
 *This method though is a weak encryption level, was the only one that worked and really is not the safest being about microsoft environment. I understand that the use of SSL VPN technologies are safer and more responsive to user needs, thus maintaining their integrity in the operation of using VPN.