Netgate Discussion Forum
    PPTP/L2TP VPN with Radius (NAP) authentication issue

    General pfSense Questions
    7 Posts 2 Posters 4.9k Views
    siceff

      Hello everyone,

      I'm new to pfSense and I'm facing an issue that I need your help to resolve! I'm trying to configure a VPN, PPTP or L2TP, with RADIUS authentication based on a Windows Server NAP RADIUS. I configured the NAP to accept CHAP and CHAPv2, as I see that PPTP and L2TP don't use the same protocol. The L2TP server is configured on the WAN interface with 10.0.3.100 as the server address and 10.0.3.1/24 as the address range (20 users available). The authentication is CHAP, and the RADIUS server is my AD server with the correct pre-shared key. I don't describe the PPTP server as the result is the same…

      When I try to connect from the L2TP client computer, the username/password is given to pfSense and it goes to the RADIUS server. In the Event Viewer, I see the login request:

      Network Policy Server / Audit success : Network Policy Server granted full access to a user because the host met the defined health policy.

      BUT… the log in pfSense is completely different.
      In System Log / VPN / L2TP RAW:
      Aug 28 17:05:41 l2tps: MAGICNUM f130ff62
      Aug 28 17:05:41 l2tps: AUTHPROTO CHAP MD5
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Configure Ack #22 (Ack-Sent)
      Aug 28 17:05:41 l2tps: ACFCOMP
      Aug 28 17:05:41 l2tps: PROTOCOMP
      Aug 28 17:05:41 l2tps: MRU 1500
      Aug 28 17:05:41 l2tps: MAGICNUM f130ff62
      Aug 28 17:05:41 l2tps: AUTHPROTO CHAP MD5
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Ack-Sent –> Opened
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: auth: peer wants nothing, I want CHAP
      Aug 28 17:05:41 l2tps: [l2tp0] CHAP: sending CHALLENGE len:26
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerUp
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #2 (Opened)
      Aug 28 17:05:41 l2tps: MESG: MSRASV5.20
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #3 (Opened)
      Aug 28 17:05:41 l2tps: MESG: MSRAS-0-CLIENT-WIN8
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #4 (Opened)
      Aug 28 17:05:41 l2tps: MESG: Ì'^HëÊz-EM-^_®uÔüWG?
      Aug 28 17:05:41 l2tps: [l2tp0] CHAP: rec'd RESPONSE #1
      Aug 28 17:05:41 l2tps: Name: "test"
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Auth-Thread started
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Trying RADIUS
      Aug 28 17:05:41 l2tps: [l2tp0] RADIUS: RadiusAuthenticate for: test
      Aug 28 17:05:41 l2tps: [l2tp0] RADIUS: rad_send_request failed: No valid RADIUS responses received
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: RADIUS returned undefined
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Trying INTERNAL
      Aug 28 17:05:41 l2tps: AUTH: User "test" not found in secret file
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: INTERNAL returned failed
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: ran out of backends
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Auth-Thread finished normally
      Aug 28 17:05:41 l2tps: [l2tp0] CHAP: ChapInputFinish: status failed
      Aug 28 17:05:41 l2tps: Reply message: Login incorrect
      Aug 28 17:05:41 l2tps: [l2tp0] CHAP: sending FAILURE len:15
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: authorization failed
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: parameter negotiation failed
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Opened –> Stopping
      Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Cleanup
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: SendTerminateReq #23
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerDown
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Terminate Ack #23 (Stopping)
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Stopping –> Stopped
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerFinish
      Aug 28 17:05:41 l2tps: [l2tp0] link: DOWN event
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: Close event
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Stopped –> Closed
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: Down event
      Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Closed –> Initial
      Aug 28 17:05:41 l2tps: [l2tp0] L2TP: Call #0 terminated locally
      Aug 28 17:05:41 l2tps: L2TP: Control connection 0x801a11d08 terminated: 0 (no more sessions exist in this tunnel)

      As far as I can understand, pfSense doesn't receive the response/authorization from the RADIUS server! Why could this happen when the request is allowed by the RADIUS server? I disabled the firewall on Windows, checked the firewall on pfSense and didn't find a problem on this side either. The firewall rule from the LAN to the pfSense server is fully open except to a specific subnet:
      IPv4 * / source * / destination ! subnet X / port * / Gateway *

      The pfSense server and my Windows server are on the same subnet (10.0.1.0/24). I tried to request an authentication from another computer on this subnet, using a RADIUS test tool, and it's working well.

      If any of you has an idea to help me, it will be greatly appreciated!!
      Thanks in advance,
          siceff

      siceff

        Does anyone have an idea to resolve my problem? Am I on the wrong forum track?

        siceff

          I'm sorry to come back with my question, but does that mean:

          • anyone does a VPN (any type) with RADIUS authentication, or

          • I'm the only one who has a problem configuring it?

          I'll be happy if someone tells me whether it's possible or not to do it this way! I don't know how to continue with my problem…
          Thanks for your help!

          jimp (Rebel Alliance Developer, Netgate)

            People use RADIUS all the time with VPNs (especially OpenVPN and IPsec).

            L2TP on its own has no encryption so it's not a common choice for a VPN currently. L2TP is not the same as L2TP+IPsec. That may work soon-ish on 2.2 but not on 2.1.x.

            The response you get means the RADIUS server did not return a successful login message. That is between your RADIUS settings and your RADIUS server. It could be anything from the wrong IP/port to having the wrong shared secret or even the server sending back a rejection. The RADIUS server logs would have more detail.

            Or you can packet capture the RADIUS request and inspect it in wireshark to see what's really going on.

            siceff

              Thanks for your feedback!
              I changed the VPN type to PPTP for now, just to continue testing the RADIUS. I also added PPTP to the post's title.

              The problem is still the same: I define the RADIUS server in the PPTP VPN, with "Remote address range", "RADIUS for authentication and accounting", "RADIUS IP server and port (1812-1813)" and the secret. When I connect the PPTP VPN, the RADIUS server logs: "Network Policy Server granted full access to a user because the host met the defined health policy.". If I enter a wrong password, it also rejects the connection, which is correct.

              BUT on pfSense, the log still says that it does not receive a valid response from the RADIUS server: "pptps: [pt0] RADIUS: rad_send_request failed: No valid RADIUS responses received". Is there any format or encryption that is required by pfSense? I will try to check the network packets to understand the problem, as proposed.

              I also checked connecting to the VPN using a local user/password and of course everything works fine.

              siceff

                OK, I've done a capture:
                from 10.0.1.1 (pfSense) to 10.0.1.2 (RADIUS), protocol RADIUS, length 213, Access-Request(1), packet id 0x33
                from 10.0.1.2 (RADIUS) to 10.0.1.1 (pfSense), protocol RADIUS, length 316, Access-Accept(2), packet id 0x33

                So it seems to be right. I hadn't noticed that I'm using pfSense version 2.1.4. I will upgrade to 2.1.5 to see if something changes.

                Here is the full accept packet:

                 10.0.1.2.1812 > 10.0.1.1.56013: [udp sum ok] RADIUS, length: 274
                	Access Accept (2), id: 0x33, Authenticator: daa0623fd549b2c437f3416afb2a8187
                	  Framed Protocol Attribute (7), length: 6, Value: PPP
                	    0x0000:  0000 0001
                	  Service Type Attribute (6), length: 6, Value: Framed
                	    0x0000:  0000 0002
                	  Class Attribute (25), length: 46, Value: H...
                	    0x0000:  4810 05cc 0000 0137 0001 0200 0a00 0102
                	    0x0010:  0000 0000 0000 0000 0000 0000 01cf d33f
                	    0x0020:  e2c2 cfd6 0000 0000 0000 0058
                	  Vendor Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 17, Length: 34, Value: €;+....h.*Q..G...E.7I`.......a.C.Z
                	    0x0000:  0000 0137 1124 803b 2bd1 9be2 9e68 f22a
                	    0x0010:  51b6 da47 098e d945 9337 4960 931c a01a
                	    0x0020:  d6aa d961 e043 905a
                	  Vendor Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 16, Length: 34, Value: €<n..:nt.h.l.zs9@.x..$o>.Ib.B.wq$.
                	    0x0000:  0000 0137 1024 803c 4ed0 ef3a 4e74 f268
                	    0x0010:  f94c a57a 7339 40f3 7807 9a24 6f3e c449
                	    0x0020:  62c3 421c 7771 249b
                	  Vendor Specific Attribute (26), length: 51, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 26, Length: 43, Value: .S=74DDCEFDC005BA161B6890AFB69EA4CD388D52FF
                	    0x0000:  0000 0137 1a2d 0153 3d37 3444 4443 4546
                	    0x0010:  4443 3030 3542 4131 3631 4236 3839 3041
                	    0x0020:  4642 3639 4541 3443 4433 3838 4435 3246
                	    0x0030:  46
                	  Vendor Specific Attribute (26), length: 13, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 10, Length: 5, Value: .ESSI
                	    0x0000:  0000 0137 0a07 0145 5353 49
                	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 14, Length: 4, Value: ...2
                	    0x0000:  0000 0137 0e06 0000 0032
                	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 15, Length: 4, Value: ...x
                	    0x0000:  0000 0137 0f06 0000 0078
                	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 7, Length: 4, Value: ....
                	    0x0000:  0000 0137 0706 0000 0002
                	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
                	    Vendor Attribute: 8, Length: 4, Value: ....
                	    0x0000:  0000 0137 0806 0000 000e
                
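The capture above shows an Access-Accept arriving at pfSense, yet mpd still reported "No valid RADIUS responses received". The two are not contradictory: a NAS does not trust a RADIUS reply just because it arrived. Per RFC 2865 it matches the reply's Identifier against the outstanding request, checks the Length field, and recomputes the Response Authenticator as MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + SharedSecret); a datagram that fails any of these is dropped and the client keeps waiting, so a shared-secret mismatch between pfSense and the NPS client entry for 10.0.1.1 looks, from pfSense's side, exactly like the server never answering, while NPS happily logs a granted request. The MS-MPPE-Send-Key and MS-MPPE-Recv-Key VSAs in this Accept are also encrypted under that same secret, so PPTP could not derive its MPPE keys from them either. The Python below is an added example for this thread, not code from pfSense, mpd or libradius: it rebuilds the captured Accept from the attribute bytes in the dump (the attribute headers are put back in front of each value), using a constructed Request Authenticator and a constructed shared secret since neither is visible in the capture, and then runs the client-side checks with the right secret, a wrong secret and a wrong Identifier.

```python
"""Check a RADIUS Access-Accept the way a NAS does (RFC 2865, section 3) and list
its attributes. Added example for this thread; not pfSense, mpd or libradius code."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VSA = 26                 # Vendor-Specific attribute type
MICROSOFT = 311          # vendor id 0x137 seen in the capture

MS_VSA_NAMES = {
    7: "MS-MPPE-Encryption-Policy", 8: "MS-MPPE-Encryption-Types",
    10: "MS-CHAP-Domain", 14: "MS-Link-Utilization-Threshold",
    15: "MS-Link-Drop-Time-Limit", 16: "MS-MPPE-Send-Key",
    17: "MS-MPPE-Recv-Key", 26: "MS-CHAP2-Success",
}
PLAIN_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 25: "Class"}

# Attribute bytes transcribed from the Access-Accept in the capture above, with the
# two-byte type/length header of each attribute put back in front of its value.
ATTRS = bytes.fromhex(
    "0706 0000 0001"                                  # Framed-Protocol = PPP
    "0606 0000 0002"                                  # Service-Type = Framed
    "192e 4810 05cc 0000 0137 0001 0200 0a00 0102"    # Class (opaque, 44 bytes)
    "0000 0000 0000 0000 0000 0000 01cf d33f"
    "e2c2 cfd6 0000 0000 0000 0058"
    "1a2a 0000 0137 1124 803b 2bd1 9be2 9e68 f22a"    # MS-MPPE-Recv-Key (encrypted)
    "51b6 da47 098e d945 9337 4960 931c a01a"
    "d6aa d961 e043 905a"
    "1a2a 0000 0137 1024 803c 4ed0 ef3a 4e74 f268"    # MS-MPPE-Send-Key (encrypted)
    "f94c a57a 7339 40f3 7807 9a24 6f3e c449"
    "62c3 421c 7771 249b"
    "1a33 0000 0137 1a2d 0153 3d37 3444 4443 4546"    # MS-CHAP2-Success
    "4443 3030 3542 4131 3631 4236 3839 3041"
    "4642 3639 4541 3443 4433 3838 4435 3246 46"
    "1a0d 0000 0137 0a07 0145 5353 49"                # MS-CHAP-Domain "ESSI"
    "1a0c 0000 0137 0e06 0000 0032"                   # MS-Link-Utilization-Threshold
    "1a0c 0000 0137 0f06 0000 0078"                   # MS-Link-Drop-Time-Limit
    "1a0c 0000 0137 0706 0000 0002"                   # MS-MPPE-Encryption-Policy
    "1a0c 0000 0137 0806 0000 000e"                   # MS-MPPE-Encryption-Types
)


def build_response(code, ident, attrs, request_auth, secret):
    """Build a response as the server does: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, expected_id, request_auth, secret):
    """Client-side validation: accept only if the Identifier matches the outstanding
    request, the Length field matches the datagram, and the Response Authenticator
    recomputes under the client's copy of the shared secret."""
    if len(packet) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != expected_id or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data):
    """Return a list of (type, vendor, vendor_type, value); vendor fields are None
    for plain attributes. Raises on truncated or zero-length attributes."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]          # vendor sub-attribute header
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            out.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, None, None, value))
        pos += alen
    return out


def describe(attrs):
    """Human-readable names for the attributes in this Accept."""
    names = []
    for atype, vendor, vtype, value in parse_attributes(attrs):
        if vendor == MICROSOFT:
            name = MS_VSA_NAMES.get(vtype, "MS-VSA-%d" % vtype)
            names.append("%s (%d bytes)" % (name, len(value)))
        else:
            names.append(PLAIN_NAMES.get(atype, "Attr-%d" % atype))
    return names


def demo(secret=b"constructed-shared-secret"):
    """Rebuild the captured Accept with a constructed Request Authenticator (the real
    one is 16 random bytes per request and is not in the capture) and check it."""
    request_auth = bytes(range(16))                   # constructed, not from the capture
    pkt = build_response(ACCESS_ACCEPT, 0x33, ATTRS, request_auth, secret)
    return {
        "length": len(pkt),                                                  # 274, as captured
        "right_secret": verify_response(pkt, 0x33, request_auth, secret),    # True
        "wrong_secret": verify_response(pkt, 0x33, request_auth, b"typo"),   # False: dropped
        "wrong_id": verify_response(pkt, 0x34, request_auth, secret),        # False: dropped
        "attributes": describe(ATTRS),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Rebuilt this way the packet is 274 bytes, the RADIUS length reported in the dump, which is a useful sanity check that the transcription is complete. The point to take from the two False results is that a secret typo or a mismatched NAS entry produces no error on either side: the server grants, the client discards, and only the retry timeout surfaces as the "No valid RADIUS responses received" message seen in this thread. When the server does log a grant, comparing the shared secret configured for the pfSense IP on the NPS side with the one in the pfSense VPN settings is the first thing to verify; the capture alone cannot distinguish a good Accept from one built with the wrong secret, because the Response Authenticator is opaque without the request's authenticator and the secret.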
                siceff

                  Hello,
                  So, after upgrading to 2.1.5, recreating the whole PPTP VPN configuration and making the RADIUS (NPS) policy rule again, the VPN is working.
                  But I still don't understand what happened, because the packets (RADIUS request and accept) are still the same :P

                  Maybe a small configuration error? Certainly. Thanks again to jimp for his help. See you.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.