PPTP/L2TP radius Authentication failing

Question

Hello, 
 
 I am having an issue where VPN authentication is failing for all users when using radius as the authentication method. Local user authentication is working as long as the user in the user directory has not been created from Active Directory. 
 The radius server is granting access to the user authentication request, but the XG logs are denying the connection. This occurs for MS_CHAPv2 or PAP authentication requests. 
 I have tried with both console commands set vpn l2tp authentication MS_CHAPv2 and set vpn l2tp authentication ANY .

Any suggestions are much appreciated. 
 
 Thankyou, Derek

Aditya Patel · Answer

HI Derek , 
 We have checked from our end and found that the issue is resolved with the SFOS version 16.01 Beta 2, Please wait till the Next release and test with the MS-CHAP. 
 Thanks and Regards 
 Aditya Patel | Network and Security Engineer.

PAUL seiler1 · Answer

FIXED THIS (it's a heavy handed work-around, but read on). 
 I'm having the exact same issue. I got through to a great tech and we've narrowed down this issue with a work-around for now. Although this is not a viable long-term solution, it does actually allow for the RADIUS + L2TP connection to be made. I've confirmed both with Mac / macOS 10.12 and PC / Win10. 
 First, make sure you configure your NPS based on this KB article: https://kb.cyberoam.com/default.asp?id=2407&SID=&Lang=1&hglt=radius 
 Turns out the Sophos XG system is using Cyberroam as it's authentication server. 
 Once this is configured as noted above and you are receiving the "Success" message with your "Test Connection" at: Authentication > Servers > *RADIUS SERVER NAME* ... now for the work-around: 
 - Under: Authentication > Services > Firewall Authentication Methods > add your RADIUS server > Save - Navigate to the external User Portal address of your Sophos (without the :4444 or any port). - Log in with your end user's domain account. - Log out. - Log back in to Sophos management as admin. - Navigate: Authentication > Users > select the newly added user - Scroll down, ***ENABLE L2TP*** (TA DAAAAA) - Sophos requires you enter en email address, that's up to you which email you put in > save changes. - CONNECT! 
 After we confirmed this works with several accounts I asked for my ticket to be escalated so that this rigmarole isn't necessary and the end-users can log in without these manual changes needing to be made. Hope this helps!

Aditya Patel · Answer

Hi Wright, 
 The issue should be resolved now . Please check the logs on the XG on console 
 Steps to conduct 
 console> set vpn l2tp authentication MS_CHAPv2 Take the output using shell command #tcpdump -nn port 1812 or port 1813 
 #tail -f /log/access_server.log 
 #tail -f /log/l2tpd.log 
 Post the output when authentication failed, Run the commands and wait for the output and post them here.