PPTP/L2TP VPN with Radius (NAP) authentication issue
-
Hello everyone,
I'm new to pfSense and I'm facing an issue that I need your help to resolve! I'm trying to configure a VPN, PPTP or L2TP, with RADIUS authentication based on a Windows Server NAP RADIUS. I configured NAP to accept CHAP and CHAPv2, as I see that PPTP and L2TP don't use the same protocol. The L2TP server is configured on the WAN interface with 10.0.3.100 as the server address and 10.0.3.1/24 as the address range (20 users available). The authentication is CHAP; the RADIUS server is my AD server with the correct preshared key. I don't describe the PPTP server as the result is the same…
When I try to connect from the L2TP client computer, the username/password is given to pfSense and it goes to the RADIUS server. In the Event Viewer, I see the login request:
Network Policy Server / Audit success: Network Policy Server granted full access to a user because the host met the defined health policy.
BUT… the log in pfSense is completely different:
In System Log / VPN / L2TP RAW:
Aug 28 17:05:41 l2tps: MAGICNUM f130ff62
Aug 28 17:05:41 l2tps: AUTHPROTO CHAP MD5
Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Configure Ack #22 (Ack-Sent)
Aug 28 17:05:41 l2tps: ACFCOMP
Aug 28 17:05:41 l2tps: PROTOCOMP
Aug 28 17:05:41 l2tps: MRU 1500
Aug 28 17:05:41 l2tps: MAGICNUM f130ff62
Aug 28 17:05:41 l2tps: AUTHPROTO CHAP MD5
Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Ack-Sent --> Opened
Aug 28 17:05:41 l2tps: [l2tp0] LCP: auth: peer wants nothing, I want CHAP
Aug 28 17:05:41 l2tps: [l2tp0] CHAP: sending CHALLENGE len:26
Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerUp
Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #2 (Opened)
Aug 28 17:05:41 l2tps: MESG: MSRASV5.20
Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #3 (Opened)
Aug 28 17:05:41 l2tps: MESG: MSRAS-0-CLIENT-WIN8
Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #4 (Opened)
Aug 28 17:05:41 l2tps: MESG: Ì'^HëÊz-EM-^_uÔüWG?
Aug 28 17:05:41 l2tps: [l2tp0] CHAP: rec'd RESPONSE #1
Aug 28 17:05:41 l2tps: Name: "test"
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Auth-Thread started
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Trying RADIUS
Aug 28 17:05:41 l2tps: [l2tp0] RADIUS: RadiusAuthenticate for: test
Aug 28 17:05:41 l2tps: [l2tp0] RADIUS: rad_send_request failed: No valid RADIUS responses received
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: RADIUS returned undefined
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Trying INTERNAL
Aug 28 17:05:41 l2tps: AUTH: User "test" not found in secret file
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: INTERNAL returned failed
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: ran out of backends
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Auth-Thread finished normally
Aug 28 17:05:41 l2tps: [l2tp0] CHAP: ChapInputFinish: status failed
Aug 28 17:05:41 l2tps: Reply message: Login incorrect
Aug 28 17:05:41 l2tps: [l2tp0] CHAP: sending FAILURE len:15
Aug 28 17:05:41 l2tps: [l2tp0] LCP: authorization failed
Aug 28 17:05:41 l2tps: [l2tp0] LCP: parameter negotiation failed
Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Opened --> Stopping
Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Cleanup
Aug 28 17:05:41 l2tps: [l2tp0] LCP: SendTerminateReq #23
Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerDown
Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Terminate Ack #23 (Stopping)
Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Stopping --> Stopped
Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerFinish
Aug 28 17:05:41 l2tps: [l2tp0] link: DOWN event
Aug 28 17:05:41 l2tps: [l2tp0] LCP: Close event
Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Stopped --> Closed
Aug 28 17:05:41 l2tps: [l2tp0] LCP: Down event
Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Closed --> Initial
Aug 28 17:05:41 l2tps: [l2tp0] L2TP: Call #0 terminated locally
Aug 28 17:05:41 l2tps: L2TP: Control connection 0x801a11d08 terminated: 0 (no more sessions exist in this tunnel)

As far as I can understand, pfSense doesn't receive the response/authorization from the RADIUS server! Why could this happen when the request is allowed by the RADIUS server? I disabled the firewall on Windows, checked the firewall on pfSense and didn't find a problem on this side either. The firewall from the LAN to the pfSense server is fully open except to a specific subnet:
IPv4 * / source * / destination ! subnet X / port * / Gateway *

The pfSense server and my Windows server are on the same subnet (10.0.1.0/24). I tried to request an authentication from another computer on this subnet, using a RADIUS test tool, and it works well.
If any of you has an idea to help me, it would be greatly appreciated!!
Thanks in advance,
siceff
-
Does anyone have an idea how to resolve my problem? Am I on the wrong forum track?
-
I'm sorry to come back with my question, but does that mean that either:
- nobody does a VPN (any type) with RADIUS authentication, or
- I'm the only one who has a problem configuring it?
I'll be happy if someone can tell me whether it's possible to do it this way or not! I don't know how to continue with my problem…
Thanks for your help!
-
-
People use RADIUS all the time with VPNs (especially OpenVPN and IPsec).
L2TP on its own has no encryption, so it's not a common choice for a VPN currently. L2TP is not the same as L2TP+IPsec. That may work soon-ish on 2.2 but not on 2.1.x.
The response you get means the RADIUS server did not return a successful login message. That is between your RADIUS settings and your RADIUS server. It could be anything from the wrong IP/port to having the wrong shared secret, or even the server sending back a rejection. The RADIUS server logs would have more detail.
Or you can packet capture the RADIUS request and inspect it in wireshark to see what's really going on.
-
Thanks for your feedback!
I changed the VPN type to PPTP for now, just to continue testing RADIUS. I also added PPTP to the post's title.

The problem is still the same: I define the RADIUS server in the PPTP VPN, with "Remote address range", "RADIUS for authentication and accounting", "RADIUS server IP and port (1812-1813)" and the secret. When I connect the PPTP VPN, the RADIUS server logs: "Network Policy Server granted full access to a user because the host met the defined health policy.". If I enter a wrong password, it also rejects the connection, which is correct.
BUT on pfSense, the log still says that it does not receive a valid response from the RADIUS server: "pptps: [pt0] RADIUS: rad_send_request failed: No valid RADIUS responses received". Is there any format or encryption required by pfSense? I will try to check the network packets to understand the problem, as proposed.
I also checked connecting the VPN using a local user/password and, of course, everything works fine.
-
OK, I've done a capture:
from 10.0.1.1 (pfSense) to 10.0.1.2 (RADIUS), protocol RADIUS, length 213, Access-Request(1), packet id 0x33
from 10.0.1.2 (RADIUS) to 10.0.1.1 (pfSense), protocol RADIUS, length 316, Access-Accept(2), packet id 0x33

So it seems to be right. I didn't notice that I was using pfSense version 2.1.4. I will upgrade to 2.1.5 to see if something changes.
Here is the full accept packet :
10.0.1.2.1812 > 10.0.1.1.56013: [udp sum ok] RADIUS, length: 274
  Access Accept (2), id: 0x33, Authenticator: daa0623fd549b2c437f3416afb2a8187
  Framed Protocol Attribute (7), length: 6, Value: PPP
    0x0000: 0000 0001
  Service Type Attribute (6), length: 6, Value: Framed
    0x0000: 0000 0002
  Class Attribute (25), length: 46, Value: H...
    0x0000: 4810 05cc 0000 0137 0001 0200 0a00 0102
    0x0010: 0000 0000 0000 0000 0000 0000 01cf d33f
    0x0020: e2c2 cfd6 0000 0000 0000 0058
  Vendor Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
    Vendor Attribute: 17, Length: 34, Value: €;+....h.*Q..G...E.7I`.......a.C.Z
    0x0000: 0000 0137 1124 803b 2bd1 9be2 9e68 f22a
    0x0010: 51b6 da47 098e d945 9337 4960 931c a01a
    0x0020: d6aa d961 e043 905a
  Vendor Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
    Vendor Attribute: 16, Length: 34, Value: €<n..:nt.h.l.zs9@.x..$o>.Ib.B.wq$.
    0x0000: 0000 0137 1024 803c 4ed0 ef3a 4e74 f268
    0x0010: f94c a57a 7339 40f3 7807 9a24 6f3e c449
    0x0020: 62c3 421c 7771 249b
  Vendor Specific Attribute (26), length: 51, Value: Vendor: Microsoft (311)
    Vendor Attribute: 26, Length: 43, Value: .S=74DDCEFDC005BA161B6890AFB69EA4CD388D52FF
    0x0000: 0000 0137 1a2d 0153 3d37 3444 4443 4546
    0x0010: 4443 3030 3542 4131 3631 4236 3839 3041
    0x0020: 4642 3639 4541 3443 4433 3838 4435 3246
    0x0030: 46
  Vendor Specific Attribute (26), length: 13, Value: Vendor: Microsoft (311)
    Vendor Attribute: 10, Length: 5, Value: .ESSI
    0x0000: 0000 0137 0a07 0145 5353 49
  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    Vendor Attribute: 14, Length: 4, Value: ...2
    0x0000: 0000 0137 0e06 0000 0032
  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    Vendor Attribute: 15, Length: 4, Value: ...x
    0x0000: 0000 0137 0f06 0000 0078
  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    Vendor Attribute: 7, Length: 4, Value: ....
    0x0000: 0000 0137 0706 0000 0002
  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    Vendor Attribute: 8, Length: 4, Value: ....
    0x0000: 0000 0137 0806 0000 000e
-
Hello,
So, after upgrading to 2.1.5, recreating the whole PPTP VPN configuration and making the RADIUS (NPS) policy rule again, the VPN is working.
But I still don't understand what happened, because the packets (RADIUS request and accept) are still the same :P
Maybe a small configuration error? Certainly. Thanks again to jimp for his help. See you.