Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 22 replies
  • Answers 3 answers
  • Subscribers 33 subscribers
  • Views 115770 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problems with AD Authentication and PPTP VPN Access

Tim007

I am having issues setting up VPN access authenticated through Active Directory.  I have my active directory servers added to the list of authentication servers, and I confirmed that I am now able to log in to the user portal using my AD credentials.

In Authentication Services, I have the Active Directory servers selected as authentication servers for VPN, and they are listed higher than "Local."  I also confirmed that for my AD user, L2TP and PPTP are both checked (I am trying to use PPTP).

I also created a Local user for testing, and configured all of the settings to mirror what I set for my AD user (user name and password are both different, however).

I am able to connect to the VPN without issue using the Local user, but not using the AD user.  In the Sophos log viewer, for my AD attempts, it just tells me that the VPN Authentication FAILED, and Auth Mechanism shows all three approved methods (AD, AD, Local).  For the local user, I see SUCCESSFUL entries for VPN Authentication with the Auth Mechanism listing "Local," and then there are some followup entries for Firewall Authentication.

Any thoughts on why the AD authentication is failing for the VPN connection, but not for the portal?



This thread was automatically locked due to age.
Parents
  • 0

    Tim007,

    if using SSL works, check the L2TP logs from cli, using this command:

     show vpn L2TP-logs

    Also check that on User properties, L2TP and PPTP is enabled.

  • 0 in reply to lferrara

    Nothing in the L2TP logs (have not tried connecting that way) but there is some data in the PPTP logs.  I don't understand all of what I am looking at.  Here are lines that appear to be related to the failure (I removed account names and IP addresses).

    crauth_chap_verify called
    crauth_pap_auth: REMOTE IP ADDRESS: '[removed]'
    Peer [removed] failed CHAP authentication
    sent [CHAP Failure id=0xa "The system could not log you on. Make sure your password is correct"]
    sent [LCP TermReq id=0x3 "Authentication failed"]
    rcvd [LCP TermAck id=0x3 "Authentication failed"]

  • 0 in reply to Tim007

    I suspect you issue here is a miss match in the authentication method, the default authentication method for L2TP and PPTP is MS CHAP v2 which will require authentication via a RADIUS server (such as NPS). In order to directly authenticate against Active Directory Services directly you will need to modify the authentication method, this can be performed at the console.

    Execute the following command to set authentication method for L2TP users:

    console> set vpn l2tp authentication <ANY/CHAP/MS_CHAPv2/PAP>

                                                          OR

    Execute the following command to set authentication method for PPTP users:

    console> set vpn pptp authentication <ANY/CHAP/MS_CHAPv2/PAP>

    You can try either PAP or ANY. However from a security perspective I would strongly recommend you implement NPS and use MS CHAP v2

  • 0 in reply to Leon.Friend

    Leon and TIm,


    today I found the time to test PPTP and L2TP. PPTP works with local user (does not matter if MSCHAP-v2 and Strong Encryption is enabled), while using AD Users, PPTP ends with "Bad Username or Password). I left enabled MSCHAP-v2 and Strong Encryption.

    L2TP is not working even using local user. In both phase 1 and 2, peer requests to delete the session.

    Using SSL, I can connect to XG using both local and AD users. AD Users have been added to both PPTP and L2TP Member Group and on their account PPTP and L2TP is enabled.

    If you need any log from my XG, let me know.

  • 0 in reply to lferrara

    Hi Luk,

    As mentioned if you wish to authenticate directly against Active Directory you need to downgrade your authentication mechanism.

    Execute the following command to set authentication method for L2TP users:

    console> set vpn l2tp authentication ANY

                                                          OR

    Execute the following command to set authentication method for PPTP users:

    console> set vpn pptp authentication ANY

    If you require strong authentication you will need to move to using a RADIUS server to connect to Active Directory, you can use NPS.

  • 0 in reply to Leon.Friend

    Hi Leon,

    sorry if I enter on this thread but, without rewriting all, I'm in the exact same situation and, also with your console command fix, the authentication don't works.

    So this is the check list:

    1- PPTP and L2TP enabled and the address range is correctly configured (VPN->L2TP settings or VPN->PPTP)

    2- In L2TP connections there is the L2TP configuration correctly configured (with preshared key method)

    3- The specific domain user has the right to access both VPN type in the user configuration (Authentication-> Users)

    4- This user is also a member of PPTP and L2TP (in the VPN->PPTP->Add Memeber)

    5- VPN has the three AD Server as the primary authentication method, and last local authentication

    6- The firewall rule is correct dedicated to the configured user and the FROM is VPN Zone

    7- VPN zone has NTLM enabled (Administration -> Device Access)

    8- set vpn pptp authentication ANY and set vpn l2tp authentication ANY command entered in console

     

    I'm trying with an android devices (android 6.0) using both user/password or user@domain/password or domain\user / password

    So, with all this done, I continuosly get error on authentication on the firewall logs.

    With a local user, with local authentication, all works fine.

    This domain user can correctly log on user portal using user/password (without the domain) so AD Authentication is working.

    Have I lost something in the configuration?

  • 0 in reply to SicorS.p.A.

    Just 2 more tests:

    IPSEC not working also

    SSL VPN works like charm with OpenVPN and AD Authentication

  • 0 in reply to SicorS.p.A.

    Good!

    You are in the same situation as mine. [:'(]

  • 0 in reply to SicorS.p.A.

    Hi,

    In order to authenticate IPSEC type connections against AD your will need to implement RADIUS Authentication for these VPN connections.

    The command line with ANY will allow on appliance authentication, as it removes encryption from the authentication mechanism. This is not supported by IPSEC, L2TP or PPTP connections, hence the need for RADIUS.

  • 0 in reply to Leon.Friend

    Leon thank you for your answer. I will open a feature request.

    On XG I already have the AD users and I need to use even Radius Server for L2TP? Nooooo

    Thanks.

  • 0 in reply to lferrara

    I found this on a feature request which was replied in 2010:

    "This one is technically not possible because we do not get the plain text password for those two protocols:

    PPP MS-CHAPv2 hashes the password in combination with a challenge and sends that 
    back to the authentication service. RADIUS supports chap authentication which is why it’s supported. If you need to go against a AD then you could set up a RADIUSon the Domain Controller as well that has AD as a backend? This would work. We’ll decline this one as a result. Thanks for submitting it!"


    Declined by Angelo Comazzetto on the UTM Feature request. It probably applies directly here as well.

    Sauce: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/458093-authenticate-pptp-l2tp-against-active-directory

    Emile

  • 0 in reply to Leon.Friend

    Just replying to say that PAP indeed works.

Reply Children
No Data