
l2tp over ipsec + radius auth NPS windows 2012

Hi all,

I'm trying to set up l2tp over ipsec between a windows 7 client and an astaro vm (for lab) running ASG 9.6 firmware.

Each configuration ends up with a message on NPS like the one below:

- the user attempted to use an authentication method that is not enabled on the matching network policy.

 

The network policy works fine when I test using the authentication server test button.

 

I tried several parameters on the l2tp over ipsec config on the windows host, but couldn't find any working one.

 

Could anyone send me screenshots of the NPS config and l2tp config so I can compare?

 

thanks.



  • software version is 9.5 and not 9.6 as mentioned above.

  • Hi nfi,

     

    what do the logs say on the NPS server?

    these will point you in the right direction.

    post some pics of your current config for the nps and L2TP config

     

    Jason

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • NPS Logs :

    ---------------------------------------------------------------

    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
        Security ID:            DEMO\user1
        Account Name:            user1
        Account Domain:            DEMO
        Fully Qualified Account Name:    exademo.lab/Users/user 1

    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        -
        Calling Station Identifier:        192.168.a.b

    NAS:
        NAS IPv4 Address:        -
        NAS IPv6 Address:        -
        NAS Identifier:            l2tp
        NAS Port-Type:            -
        NAS Port:            0

    RADIUS Client:
        Client Friendly Name:        ASG
        Client IP Address:            192.168.x.y
    Authentication Details:
        Connection Request Policy Name:    Use Windows authentication for all users
        Network Policy Name:        astaro radius policy
        Authentication Provider:        Windows
        Authentication Server:        WIN2K12LAB.demo.lab
        Authentication Type:        MS-CHAPv2
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            66
        Reason:                The user attempted to use an authentication method that is not enabled on the matching network policy.

    ---------------------------------------------------------------

    asg device indicates CHAP error for user1.

     

    below l2tp over ipsec config.

     

  • The reason code 66 is your problem, the type of authentication has not been configured on the NPS server, review the NPS server settings.

    you can always check all is working by disabling L2TP and enabling PPTP, this is not quite so secure, but it would prove whether you can make a connection.

     

    Jason


  • Hello,

    I was not looking at the correct config part.

    By default the nps "connection request Policy" named "use Windows authentication for all users" overrides network Policy authentication settings.

    I disabled the check box and now the connection works fine.

    I should have checked first, thanks for pushing me to the right direction.
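Added triage helper for the log post and the resolution above (not code from the thread or from Sophos): it pulls recent NPS "access denied" events (Security log, Event ID 6273), extracts the same fields shown in the posted event text, and groups them so a run of Reason Code 66 from the "l2tp" NAS stands out; it assumes it runs on the NPS server with rights to read the Security log.

```powershell
# Added example, not from the thread. Assumes it runs on the NPS server
# with permission to read the Security log (Event ID 6273 = NPS denied access).
function Get-NpsDenials {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 500
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        # Field lines in the event text look like "Reason Code:   66" (tab/space separated).
        # "(?m)^\s*Account Name:" anchors to a line start so the user's Account Name line
        # (which comes first) is matched rather than "Fully Qualified Account Name".
        $reason = if ($msg -match 'Reason Code:\s+(\d+)')                 { [int]$Matches[1] } else { $null }
        $nasId  = if ($msg -match 'NAS Identifier:\s+(\S+)')              { $Matches[1] }      else { '-' }
        $user   = if ($msg -match '(?m)^\s*Account Name:\s+(\S+)')        { $Matches[1] }      else { '-' }
        $authT  = if ($msg -match 'Authentication Type:\s+(\S+)')         { $Matches[1] }      else { '-' }
        $crp    = if ($msg -match 'Connection Request Policy Name:\s+(.+)') { $Matches[1].Trim() } else { '-' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $user
            NasId      = $nasId
            AuthType   = $authT
            CrpName    = $crp
            ReasonCode = $reason
        }
    }
}

# Group denials by reason, NAS and auth type. Reason 66 with MS-CHAPv2 from the
# "l2tp" NAS is the pattern seen in this thread.
Get-NpsDenials -Hours 24 |
    Group-Object ReasonCode, NasId, AuthType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Reason Code 66 means the client's auth type was refused by policy. Before
# editing the network policy's allowed methods, check the matching Connection
# Request Policy (CrpName above): if "Override network policy authentication
# settings" is enabled there, as it was in this thread, the network policy's
# authentication settings are never consulted.
```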

  • Glad you have it sorted now!
