SSL VPN - Radius User Authentication doesn't work

Hey ho @all:

we had the same problem with our UTM and Vasco Token Server.

Specs:

UTM ASG425 - 9.409-9

NPS - MS Server 2012

TOK - Vasco Token Server - MS Server 2012 R2

Config:

UTM has a configured AD as adirectory (and switched on auto creation of users) and our NPS as radius-server. In case a user want to go to his webportal, he can use the adirectory login. SSL VPN is set to the radius group, which uses the NPS radius server. Our NPS just redirects the NAS identifier "ssl" to our TOK.

We used tcpdump on the UTM and recognized, that our TOK/NPS always replied a successful validation of the SSL VPN user credentials, but the UTM denied the login. We are using the Sophos VPN Client (OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 25 2016) to connect to our UTM. After a few hour of searching and tcp dumping, we figured out:

- The users in the "Users & Groups" management only get the "Definitions & Users → Users & Groups → Groups → Radius Users" flag, when they logged into the WebPortal of the UTM or via VPN.

- The UTM login is CASE SeNsItIvE. We recognized this point by just allowing the users to login via radius and not AD groups to the web portal. we got duplicated users. F.e. User ABC via AD sync and user abc via radius login.

our not so nice solution: if the user doesn't have the Radius Users flag, he has to login with capital letters (ABC). The UTM gets a success message from the NPS and because it's case sensitive, it can update the auto generated AD user ABC and add the Radius User flag. Afterwards it's independant, wether the credentials are captial letters or not ;-) So we tell our users, they should always use capital letters :-) Now the login for ssl vpn works for our users with OTP via radius (NPS/TOK) and for the UTMs user portal via AD.

EDIT: There is already a bug report for this thing: https://community.sophos.com/products/unified-threat-management/astaroorg/f/utm-9-2-beta/65478/9-191-bug-otp-enabled---username-case-sensitive

It's possible, that in case of a completly fesh installed UTM, this problem will noc occur any more, but we are updating our utm for a long time ;) 

--- sorry for the confusing description, but it was a loooong day until we figured and changed the config. hope it's understandable in some way ;-)

Hey ho @all:

we had the same problem with our UTM and Vasco Token Server.

Specs:

UTM ASG425 - 9.409-9

NPS - MS Server 2012

TOK - Vasco Token Server - MS Server 2012 R2

Config:

UTM has a configured AD as adirectory (and switched on auto creation of users) and our NPS as radius-server. In case a user want to go to his webportal, he can use the adirectory login. SSL VPN is set to the radius group, which uses the NPS radius server. Our NPS just redirects the NAS identifier "ssl" to our TOK.

We used tcpdump on the UTM and recognized, that our TOK/NPS always replied a successful validation of the SSL VPN user credentials, but the UTM denied the login. We are using the Sophos VPN Client (OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jun 25 2016) to connect to our UTM. After a few hour of searching and tcp dumping, we figured out:

- The users in the "Users & Groups" management only get the "Definitions & Users → Users & Groups → Groups → Radius Users" flag, when they logged into the WebPortal of the UTM or via VPN.

- The UTM login is CASE SeNsItIvE. We recognized this point by just allowing the users to login via radius and not AD groups to the web portal. we got duplicated users. F.e. User ABC via AD sync and user abc via radius login.

our not so nice solution: if the user doesn't have the Radius Users flag, he has to login with capital letters (ABC). The UTM gets a success message from the NPS and because it's case sensitive, it can update the auto generated AD user ABC and add the Radius User flag. Afterwards it's independant, wether the credentials are captial letters or not ;-) So we tell our users, they should always use capital letters :-) Now the login for ssl vpn works for our users with OTP via radius (NPS/TOK) and for the UTMs user portal via AD.

EDIT: There is already a bug report for this thing: https://community.sophos.com/products/unified-threat-management/astaroorg/f/utm-9-2-beta/65478/9-191-bug-otp-enabled---username-case-sensitive

It's possible, that in case of a completly fesh installed UTM, this problem will noc occur any more, but we are updating our utm for a long time ;) 

--- sorry for the confusing description, but it was a loooong day until we figured and changed the config. hope it's understandable in some way ;-)