Goal
Windows 7 VPN using L2TP over ipsec authenicating via shared secret and radius.
Setup
Astaro ASG525 settings:
Interface = external
Auth Mode = preshare key
Assign IP address = By IP address pool
Access control = radius
Radius Settings:
Using Windows 2008 R2 Network Policy Server
Radius client has firewall's IP address and shared secret
Network Policy created with conditions that the user authenicating is in a certain AD group and is connecting with MS-CHAP v2
Windows 2008 R2 default build with firewall off
Windows 7 Client VPN Settings:
Host name is external IP of firewall
Options is set to display progress while connecting and redial
Security is set to Lay 2 tunneling with ipsec
- advance has the share secret
Data encryption is set to require encryption
Allow these protocol only have Microsoft Chap Version 2 checked
PROBLEM
Put cell card into laptop and get connected to my provider
Launch VPN tunnel and I get a error 691 the remote connection was denied because the user name and password combination your provided is no recognized or the selected authenication protocl is not permitted on the remote access server.
RADIUS LOG FILE
Computer: TESTRADIUS.cei-dom.ceicmhb
Description: Network Policy Server granted access to a user.
User: CEI-DOM\laptopwin7test1
Calling Station Identifier: 75.219.10.138
NAS Identifier: l2tp
Radius Client IP Address: 172.21.1.1
Authentication Provider: Windows
Authentication Server: TESTRADIUS.cei-dom.ceicmhb
Authentication Type: MS-CHAPv2
Result: Granted Full Access
So it looks like the client connects with shared secret, the firewall passes information to radius server, the user is found and granted access.
FIREWALL LOG
xl2tpd[15845]: Call established with 75.219.167.74, Local: 14706, Remote: 1, Serial: 0
pppd-l2tp[23433]: Plugin /usr/sbin/radius.so loaded.
pppd-l2tp[23433]: RADIUS plugin initialized.
pppd-l2tp[23433]: Plugin /usr/sbin/radattr.so loaded.
pppd-l2tp[23433]: RADATTR plugin initialized.
pppd-l2tp[23433]: pppd 2.4.3 started by (unknown), uid 0
pppd-l2tp[23433]: using channel 58
pppd-l2tp[23433]: Using interface ppp0
pppd-l2tp[23433]: Connect: ppp0 /dev/pts/0
pppd-l2tp[23433]: sent [LCP ConfReq id=0x1 ]
pppd-l2tp[23433]: rcvd [LCP ConfNak id=0x1 ]
pppd-l2tp[23433]: sent [LCP ConfReq id=0x2 ]
pppd-l2tp[23433]: rcvd [LCP ConfAck id=0x2 ]
pppd-l2tp[23433]: rcvd [LCP ConfReq id=0x1 ]
pppd-l2tp[23433]: sent [LCP ConfRej id=0x1 ]
pppd-l2tp[23433]: rcvd [LCP ConfReq id=0x2 ]
pppd-l2tp[23433]: sent [LCP ConfAck id=0x2 ]
pppd-l2tp[23433]: sent [CHAP Challenge id=0xf6 , name = "Astaro Security Gateway"]
pppd-l2tp[23433]: rcvd [LCP code=0xc id=0x3 35 5b 6d 44 4d 53 52 41 53 56 35 2e 32 30]
pppd-l2tp[23433]: sent [LCP CodeRej id=0x3 0c 03 00 12 35 5b 6d 44 4d 53 52 41 53 56 35 2e 32 30]
pppd-l2tp[23433]: rcvd [LCP code=0xc id=0x4 35 5b 6d 44 4d 53 52 41 53 2d 30 2d 50 43 35 30 30 32]
pppd-l2tp[23433]: sent [LCP CodeRej id=0x4 0c 04 00 16 35 5b 6d 44 4d 53 52 41 53 2d 30 2d 50 43 35 30 30 32]
pppd-l2tp[23433]: rcvd [LCP code=0xc id=0x5 35 5b 6d 44 0f 06 cf 34 57 75 92 4c 91 ee e8 fa b1 3c 88 e7]
pppd-l2tp[23433]: sent [LCP CodeRej id=0x5 0c 05 00 18 35 5b 6d 44 0f 06 cf 34 57 75 92 4c 91 ee e8 fa b1 3c 88 e7]
pppd-l2tp[23433]: rcvd [CHAP Response id=0xf6 , name = "CEI-DOM\laptopwin7test1"]
pppd-l2tp[23433]: rc_check_reply: received invalid reply digest from RADIUS server
pppd-l2tp[23433]: Peer CEI-DOM\laptopwin7test1 failed CHAP authentication
pppd-l2tp[23433]: sent [CHAP Failure id=0xf6 ""]
pppd-l2tp[23433]: sent [LCP TermReq id=0x6 "Authentication failed"]
xl2tpd[15845]: control_finish: Connection closed to 75.219.167.74, serial 0 ()
pppd-l2tp[23433]: rcvd [LCP TermAck id=0x6 "Authentication failed"]
pppd-l2tp[23433]: Connection terminated.
pppd-l2tp[23433]: tcflush failed: Input/output error
So it looks like everything starts off good and uses MSChapv2 but switches to CHAP?
I know the password is correct in AD
According to the documentation:
For RADIUS users, Astaro Security Gateway supports the following authentication protocols:
MSCHAPv2
MSCHAP
CHAP
PAP
This thread was automatically locked due to age.
