PPTP/L2TP radius Authentication failing

FIXED THIS (it's a heavy handed work-around, but read on).

I'm having the exact same issue. I got through to a great tech and we've narrowed down this issue with a work-around for now. Although this is not a viable long-term solution, it does actually allow for the RADIUS + L2TP connection to be made. I've confirmed both with Mac / macOS 10.12 and PC / Win10.

First, make sure you configure your NPS based on this KB article:
https://kb.cyberoam.com/default.asp?id=2407&SID=&Lang=1&hglt=radius

Turns out the Sophos XG system is using Cyberroam as it's authentication server.

Once this is configured as noted above and you are receiving the "Success" message with your "Test Connection" at: Authentication > Servers > *RADIUS SERVER NAME* ... now for the work-around:

- Under: Authentication > Services > Firewall Authentication Methods > add your RADIUS server > Save
- Navigate to the external User Portal address of your Sophos (without the :4444 or any port).
- Log in with your end user's domain account.
- Log out.
- Log back in to Sophos management as admin.
- Navigate: Authentication > Users > select the newly added user
- Scroll down, ***ENABLE L2TP*** (TA DAAAAA)
- Sophos requires you enter en email address, that's up to you which email you put in > save changes.
- CONNECT!

After we confirmed this works with several accounts I asked for my ticket to be escalated so that this rigmarole isn't necessary and the end-users can log in without these manual changes needing to be made. Hope this helps!

Hi Paul,

Did you ever get a response from Sophos when this will be fixed? The issue still exists in SFOS 16.05.6 MR-6.

Kind regards,

C. Wright

Hi Wright, 

The issue should be resolved now . Please check the logs on the XG on console 

Steps to conduct 

console> set vpn l2tp authentication MS_CHAPv2

Take the output using shell command 

#tcpdump -nn port 1812 or port 1813

#tail -f /log/access_server.log

#tail -f /log/l2tpd.log

Post the output when authentication failed, Run the commands and wait for the output and post them here.

Hello Mr. Patel,

I didn't mean the authentication, I was referring to the workaround that Paul mentioned to get Authentication to work.

I mean this part:

- Under: Authentication > Services > Firewall Authentication Methods > add your RADIUS server > Save
- Navigate to the external User Portal address of your Sophos (without the :4444 or any port).
- Log in with your end user's domain account.
- Log out.
- Log back in to Sophos management as admin.
- Navigate: Authentication > Users > select the newly added user
- Scroll down, ***ENABLE L2TP*** (TA DAAAAA)
- Sophos requires you enter an email address, that's up to you which email you put in > save changes.
- CONNECT!

This workaround is still required to get L2TP to work with Radius credentials. It hasn’t been fixed. An additional odd behavior of the user portal is that user authentication only works if the Radius server allows PAP/SPAP.

The tcpdump command you listed returns the error % Error: Unknown Parameter 'port'.

Kind regards,

C. Wright

Assuming this issue is still not fixed, we are seeing the exact same issue on SFOS 17.0.3 MR-3 using PPTP/L2TP and RADIUS authentication.
The Server shows authentication success using MS-CHAPv2, but the firewall logs "MS-CHAPv2 : Authentication Failed for User"

The Authentication and encryption are set correctly:

/log/pptpvpn.log shows:

Paul's suggestion of setting the PPTP/L2TP enabled on the specific user account in the firewall negates the point of using AD groups to control access.

It's a workaround, yes, but a PITA when administering many users.

Assuming this issue is still not fixed, we are seeing the exact same issue on SFOS 17.0.3 MR-3 using PPTP/L2TP and RADIUS authentication.
The Server shows authentication success using MS-CHAPv2, but the firewall logs "MS-CHAPv2 : Authentication Failed for User"

The Authentication and encryption are set correctly:

/log/pptpvpn.log shows:

Paul's suggestion of setting the PPTP/L2TP enabled on the specific user account in the firewall negates the point of using AD groups to control access.

It's a workaround, yes, but a PITA when administering many users.

Hi Nolan , 

Could you show us the authentication server settings on your XG firewall?

Aditya, Authentication Server settings screencap:

Is this fixed yet? This is my first time around configuring our XG 135 only to find that with the latest firmware there is a capitalisation problem (username) along with my Windows Radius server granting access only to have XG say "access not allowed"

This is just crackers! :-(

I'm replying to my own message as I've now been able to get PPTP working. You still need to use lowercase though... Our firewall is on version SFOS 17.0.8 MR-8.

1. Windows 2008 R2, NPS/Radius server - I had to create a filter rule to get rid of the double-slash ("\\") issues, In the Connection Request Policy, I added a Realm Name attribute (without speech marks) "(.*)\\(.*)" and in the replace-with I used "[domain]\$2"... This allows NPS/Radius to cope with the double-slash.

2. Radius was now recording : "Network Policy Server granted full access to a user because the host met the defined health policy." - but XG was recording "access not allowed".

3. The final bit of the jigsaw... Though XG was using my Radius server, what I didn't appreciate was I still needed to add "Members", of which the "Open Group" has the correct credentials, e.g. PPTP is enabled

Was this a rookie mistake? I have no idea as loads of people have reported problems and I've never read about people adding in Members. I'm just a little confused why PPTP would attempt to authenticate with Radius when this member is not added already? It's really confused me and seems little backward.

For me, at least it's now working.

Are your settings on the VPN side like mine?  If so , you may be hitting the same problem...

https://community.sophos.com/products/xg-firewall/f/authentication/101269/xg---l2tp-radius-authentication-fails-if-automatically-use-my-windows-login-name-and-password-option-is-selected

I was told that this is NOT a bug  - but a feature request!

Hi Shaun - I've replied back on your post - my setup is a little different, but the basics are the same. I'm using PPTP with Radius, but I think what you're seeing is the same I've been dealing with!