
PPTP/L2TP RADIUS authentication failing

Hello,

I am having an issue where VPN authentication is failing for all users when using RADIUS as the authentication method. Local user authentication is working as long as the user in the user directory has not been created from Active Directory.

The RADIUS server is granting access to the user authentication request, but the XG logs are denying the connection. This occurs for MS-CHAPv2 or PAP authentication requests.

I have tried both console commands, set vpn l2tp authentication MS_CHAPv2 and set vpn l2tp authentication ANY.


Any suggestions are much appreciated.

Thank you,
Derek



  • Good day Luk,

    The RADIUS server is the only authentication source listed in VPN (IPsec/L2TP/PPTP) Authentication Methods.

    I have also attempted PPTP VPN authentication after entering the console command set vpn pptp authentication MS-CHAPv2 encryption STRONG, and it also fails in the XG logs but succeeds in the Windows RADIUS logs. The Windows configuration is PPTP, Optional Encryption, MS-CHAP v2 protocol.

    As for your L2TP certificates comment, that is a naming error, as the connection was originally created for certificate use but is currently set up to use preshared keys. I will recreate this configuration anyway...

  • Further to my last message, I have confirmed that the problem is not Sophos XG version specific, as a brand new XG 125 with firmware SFOS 15.01.0 is affected.

    I can further confirm through Wireshark logging that the RADIUS authentication is definitely succeeding on the server and responding with an Access-Accept message; however, the firewall always logs an Authentication Failed line.

    MS-CHAPv2 : Authentication Failed for User 
    17986

    The RADIUS users aren't in the Sophos users directory; this doesn't affect the result of the login request, does it?

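The post above shows the point where the two sides disagree: the server returns Access-Accept, the NAS (the XG) logs an MS-CHAPv2 failure. The thread never establishes why, so the following is not a diagnosis, only the check a practitioner would run on that Wireshark capture next. For MS-CHAPv2, an Access-Accept has to carry more than "yes": per RFC 2548 the NAS needs the Microsoft vendor-specific attributes MS-CHAP2-Success (the "S=..." authenticator response it must relay to the client in the CHAP Success packet, RFC 2759) and, for MPPE, MS-MPPE-Send-Key and MS-MPPE-Recv-Key. The script below is an added example, not code from the thread or from Sophos: it parses a raw RADIUS UDP payload, extracts the Microsoft sub-attributes and reports which of those three are missing. The three sample packets are constructed (zeroed authenticators, dummy key material), not real captures; to use it on a real capture, export the UDP payload of the Access-Accept from Wireshark and pass those bytes in.

```python
"""Check what an MS-CHAPv2 RADIUS reply actually carries (RFC 2865 attributes, RFC 2548 VSAs)."""
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_FRAMED_PROTOCOL = 7
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311                      # RFC 2548 Vendor-Id
MS_VSA_NAMES = {
    2: "MS-CHAP-Error",
    16: "MS-MPPE-Send-Key",
    17: "MS-MPPE-Recv-Key",
    26: "MS-CHAP2-Success",
}
# Without these an Access-Accept gives the NAS nothing to finish MS-CHAPv2 with, nor keys for MPPE.
REQUIRED_FOR_MSCHAPV2 = {"MS-CHAP2-Success", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"}


def parse_radius(packet: bytes):
    """Split a raw RADIUS UDP payload into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def microsoft_vsas(attrs):
    """Return {name: data} for every Microsoft sub-attribute found in Vendor-Specific attributes."""
    found = {}
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
            continue
        pos = 4                                  # one VSA may hold several sub-attributes
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break                            # malformed sub-attribute: stop, do not crash
            found[MS_VSA_NAMES.get(vtype, f"MS-{vtype}")] = value[pos + 2:pos + vlen]
            pos += vlen
    return found


def check_mschapv2_reply(packet: bytes):
    """Classify a RADIUS reply the way the NAS sees it after an MS-CHAPv2 Access-Request."""
    code, _, _, attrs = parse_radius(packet)
    vsas = microsoft_vsas(attrs)
    if code == ACCESS_REJECT:
        verdict, missing = "rejected", []
    elif code != ACCESS_ACCEPT:
        verdict, missing = f"unexpected code {code}", []
    else:
        missing = sorted(REQUIRED_FOR_MSCHAPV2 - vsas.keys())
        verdict = "usable" if not missing else "accept without MS-CHAPv2 attributes"
    return {"verdict": verdict, "missing": missing, "vsas": sorted(vsas)}


# --- constructed sample packets (zeroed authenticators, dummy keys; not real captures) ---
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _ms_vsa(vtype, data):
    sub = bytes([vtype, len(data) + 2]) + data
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT) + sub)

def _packet(code, ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

FRAMED_PPP = _attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1))
# Accept carrying everything the NAS needs: ident byte + "S=<40 hex chars>" plus both MPPE keys.
GOOD_ACCEPT = _packet(ACCESS_ACCEPT, 1, [
    FRAMED_PPP,
    _ms_vsa(26, b"\x01S=" + b"A" * 40),
    _ms_vsa(16, b"\x80\x01" + bytes(32)),
    _ms_vsa(17, b"\x80\x02" + bytes(32)),
])
# Accept that only says "yes": the server log shows success, the NAS has no S= response to relay.
BARE_ACCEPT = _packet(ACCESS_ACCEPT, 2, [FRAMED_PPP])
REJECT = _packet(ACCESS_REJECT, 3, [_ms_vsa(2, b"\x01E=691 R=0 V=3")])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ACCEPT), ("bare", BARE_ACCEPT), ("reject", REJECT)):
        print(name, check_mschapv2_reply(pkt))
```

If a real Access-Accept comes back classified as "accept without MS-CHAPv2 attributes", the server-side policy (or the client-vendor/connection settings that control which attributes it returns) is the next thing to look at; if it comes back "usable", the attributes are present and the problem is on the NAS side of the exchange, which is consistent with the later reply in this thread attributing the failure to the SFOS firmware.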
  • I have the exact same problem on an XG310 with SFOS 16 beta 4.
    Did you ever find a solution to this?

    SSL VPN is working fine, and authenticating users against our AD.
    L2TP is working fine from Windows 7 built in VPN client with a local user on the XG.

    L2TP fails with the same client when trying to use the same AD user, that is working fine with SSL VPN.
    L2TP also fails if switching to RADIUS authentication, even when the user tests OK in the RADIUS server test.

    PAP, CHAP and CHAPv2 always fail auth. (I have tried set vpn l2tp authentication ANY.)

    The error is always exactly the same (replace MS-CHAPv2 with CHAP / PAP respectively).
    System log: L2TP failed MS-CHAPv2: Authentication Failed for User xxx
    Authentication log: User xxx failed to login to L2TP through Local,AD,RADIUS authentication mechanism because of wrong credentials

    This happens with any combination of ways to enter the AD user (username, DOMAIN\username and username@DOMAIN), even though this last one is already recognized on the XG box from logging on via the User Portal and SSL VPN. (And YES, the user and AD group are of course added to the L2TP list.)

  • Hi Derek,

    We have checked from our end and found that the issue is resolved in SFOS version 16.01 Beta 2. Please wait for the next release and test with MS-CHAP.

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

  • Aditya

    Please read carefully what I just wrote above... I am running 16.01 Beta 4 and am unable to get AD or RADIUS authentication working either!

    - Martin

  • Hi Martin,

    I request you to raise a service request for this issue and also message me the service request number. We shall check from our end.

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

  • Did you ever get this resolved? I've been working with support on the same issue for 2 weeks and they have been of no help...

  • No, unfortunately not. This was just one of many features that were unusable because of small bugs like this.
    And I too could never get any real support on any of my issues. It seems to me that Sophos staff simply did/do not know the platform, and have absolutely no experience with it.
    (At least when we speak of more advanced features, as in everything that is not part of the standard firewall functionality.)

    It always ended with a reply to wait for the next firmware update. Sometimes this fixed an issue, mostly not. Often it just introduced new bugs in other parts of the system.

    In the end, we finally trashed the XG platform. Sophos were fair to us and converted all our licenses to SG / UTM 9.4 licenses at no cost, and even gave us 6 months of extra licensing to compensate for the time we had wasted on the XG platform.

    So far I have had none of these strange little bugs on the SG platform. Everything just works as expected, including L2TP RADIUS authentication.

    Support is also much, much better (though still a bit hard to get past the first line of defence / 1st level support, at times).
    Now I always get a clear answer to my questions, and it actually feels like the people I communicate with have a good understanding of their systems.
    And mostly, I no longer have to painfully explain to them what feature X should do, and that Y probably fails because of a bug in Z on the box THEY have sold to me!

    I think the XG feature set is looking good, but I personally don't think it will be ready for serious SMB / enterprise use for at least some years...


    - Martin 

  • Hi Martin,
     
    I'm having just the same problems as you.
     
    Resellers do not solve any of the problems, because they simply do not have the technical knowledge of the XG platform. And when they bring in Sophos support, they cannot solve it either.
     
    I updated to the latest version (16.05.0) and the problems only got worse.
     
    I also received the suggestion from the reseller to downgrade to the UTM.
     
    I believe in XG; the community forum is very good, and the news about version 17 is promising, but I still believe it is not a mature product yet.
     
    Anyway, we're going to UTM and will wait until XG is really "done".