We are currently trying to set up a VPN solution with lots of road warriors and Active Directory single sign-on. We cannot have separate logins for Windows and the VPN, or require additional VPN client software to be installed - this has to work out of the box. Setting up a VPN connection in Windows is about all the users can manage.
We are evaluating Sophos UTM as central access server with L2TP remote access, and a NAP service on the domain controller as RADIUS server for backend authentication.
All works well: users can use the native Windows functionality to log on via the VPN "dial-up" connection and can authenticate against the domain.
BUT: if we set a user's account to "user must change password at next logon", the VPN connection fails. Presumably the RADIUS response is not "password okay" but "password is expired, change now", and the UTM somehow fails to interpret this correctly.
Is there any way around this? Is there anything we have to configure in the NAP?