
Problems with AD Authentication and PPTP VPN Access

I am having issues setting up VPN access authenticated through Active Directory.  I have my active directory servers added to the list of authentication servers, and I confirmed that I am now able to log in to the user portal using my AD credentials.

In Authentication Services, I have the Active Directory servers selected as authentication servers for VPN, and they are listed higher than "Local."  I also confirmed that for my AD user, L2TP and PPTP are both checked (I am trying to use PPTP).

I also created a Local user for testing, and configured all of the settings to mirror what I set for my AD user (user name and password are both different, however).

I am able to connect to the VPN without issue using the Local user, but not using the AD user.  In the Sophos log viewer, for my AD attempts, it just tells me that the VPN Authentication FAILED, and Auth Mechanism shows all three approved methods (AD, AD, Local).  For the local user, I see SUCCESSFUL entries for VPN Authentication with the Auth Mechanism listing "Local," and then there are some followup entries for Firewall Authentication.

Any thoughts on why the AD authentication is failing for the VPN connection, but not for the portal?



  • Hi Luk,

    As mentioned if you wish to authenticate directly against Active Directory you need to downgrade your authentication mechanism.

    Execute the following command to set authentication method for L2TP users:

    console> set vpn l2tp authentication ANY

    OR

    Execute the following command to set authentication method for PPTP users:

    console> set vpn pptp authentication ANY

    If you require strong authentication you will need to move to using a RADIUS server to connect to Active Directory, you can use NPS.

  • Hi Leon,

    sorry to jump into this thread but, without rewriting everything, I'm in the exact same situation and, even with your console command fix, the authentication doesn't work.

    So this is the check list:

    1- PPTP and L2TP enabled and the address range is correctly configured (VPN->L2TP settings or VPN->PPTP)

    2- In L2TP connections there is the L2TP configuration correctly configured (with preshared key method)

    3- The specific domain user has the right to access both VPN type in the user configuration (Authentication-> Users)

    4- This user is also a member of PPTP and L2TP (in the VPN->PPTP->Add Member)

    5- VPN has the three AD Servers as the primary authentication method, and local authentication last

    6- The firewall rule is correctly dedicated to the configured user and the FROM is the VPN Zone

    7- VPN zone has NTLM enabled (Administration -> Device Access)

    8- set vpn pptp authentication ANY and set vpn l2tp authentication ANY command entered in console

     

    I'm trying with an Android device (Android 6.0) using user/password, user@domain/password, or domain\user/password

    So, with all this done, I continuously get an authentication error in the firewall logs.

    With a local user, with local authentication, all works fine.

    This domain user can correctly log on user portal using user/password (without the domain) so AD Authentication is working.

    Have I missed something in the configuration?

  • Just 2 more tests:

    IPSEC not working also

    SSL VPN works like charm with OpenVPN and AD Authentication

  • Good!

    You are in the same situation as mine. [:'(]

  • Hi,

    In order to authenticate IPSEC type connections against AD you will need to implement RADIUS Authentication for these VPN connections.

    The command line with ANY will allow on appliance authentication, as it removes encryption from the authentication mechanism. This is not supported by IPSEC, L2TP or PPTP connections, hence the need for RADIUS.

  • Leon thank you for your answer. I will open a feature request.

    On XG I already have the AD users and I also need a RADIUS server for L2TP? Nooooo

    Thanks.

  • I found this on a feature request which was replied in 2010:

    "This one is technically not possible because we do not get the plain text password for those two protocols:

    PPP MS-CHAPv2 hashes the password in combination with a challenge and sends that back to the authentication service. RADIUS supports CHAP authentication which is why it's supported. If you need to go against an AD then you could set up a RADIUS on the Domain Controller as well that has AD as a backend? This would work. We'll decline this one as a result. Thanks for submitting it!"


    Declined by Angelo Comazzetto on the UTM Feature request. It probably applies directly here as well.

    Sauce: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/458093-authenticate-pptp-l2tp-against-active-directory

    Emile

  • Hi Tim007,

    there is a known limitation with AD authentication with CHAP & MS-CHAP. Can you set "set vpn pptp authentication PAP" from the CLI, match the same at the remote end, and check whether it is working or not?

  • Just replying to say that PAP indeed works.

  • We have faced the same problem with several clients that we have reported to you, however, we did it in the lab with our team and identified that the problem is not authentication with AD or any other server, but rather the authentication method.

    The tests to observe the authentication process can be checked through the Sophos console with the command:

    #console> show vpn PPTP-logs

    *For those who have worked with Cyberoam, they will have an easier time identifying these problems

    During the tests we have identified that the encryption used for Handshake is CHAP MD5, and this seems not to be supported in this type of authentication between VPN >> Sophos >> Active Directory.

    To solve this, the only method with which we could operate this type of authentication with this scope of VPN was the PAP authentication method, which can be configured through the console with the command below:

    #console> set vpn pptp authentication PAP

    *This method, though it is a weak encryption level, was the only one that worked and really is not the safest in a Microsoft environment.
    I understand that the use of SSL VPN technologies is safer and more responsive to user needs, thus maintaining their integrity in the operation of using VPN.
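The declined feature request above and the CHAP MD5 vs PAP finding in the last post describe the same limitation: an appliance that can only bind to a directory never sees the plaintext password a CHAP exchange would need. This added example (not from the thread or from Sophos) models that decision with a constructed credential store standing in for the local user database and a bind oracle standing in for AD; the packet dicts and backend names are assumptions, and CHAP is computed as in RFC 1994.

```python
import hashlib
import hmac

# Constructed sample store standing in for the appliance's local user database.
# A directory reached by an LDAP bind never exposes the stored secret like this.
LOCAL_USERS = {"vpntest": "correct horse"}

def directory_bind(username: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against AD: the only question it answers
    is 'is this plaintext password right?'; the secret never comes back."""
    return LOCAL_USERS.get(username) == password

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def pap_packet(username: str, password: str) -> dict:
    """PAP carries the plaintext password in the Authenticate-Request."""
    return {"proto": "PAP", "user": username, "password": password}

def chap_packet(username: str, password: str, ident: int, challenge: bytes) -> dict:
    """CHAP carries only the digest; the client keeps the plaintext."""
    return {"proto": "CHAP", "user": username, "id": ident, "challenge": challenge,
            "response": chap_response(ident, password, challenge)}

def authenticate(packet: dict, backend: str) -> tuple:
    """Model the appliance's verdict. backend is 'local' (secret on hand) or
    'ad_bind' (can only ask the directory to check a plaintext password)."""
    user = packet["user"]
    if packet["proto"] == "PAP":
        # Plaintext is present, so a bind can answer for either backend.
        return (directory_bind(user, packet["password"]), "pap verified by bind")
    if backend == "local":
        secret = LOCAL_USERS.get(user)
        if secret is None:
            return (False, "unknown local user")
        expected = chap_response(packet["id"], secret, packet["challenge"])
        return (hmac.compare_digest(expected, packet["response"]), "chap verified locally")
    # 'ad_bind': no secret to recompute the digest from and no plaintext to hand
    # to the directory, so this is the FAILED entry seen in the log viewer.
    return (False, "chap cannot be forwarded to a bind-only directory")
```

A RADIUS server inside the domain (NPS) sits on the 'local' side of this split, which is why the thread points to it for CHAP and MS-CHAP.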