pfsense / openvpn / radius / sbs 2011 - integration



  • Hi everyone,

    I am having a strange problem that is taking a toll on my sanity! I have configured a pfsense box with openvpn and radius authentication to my client's SBS 2011 server. Users who are to be able to access the vpn must be added to the "VPN-Users" group on the SBS server.

    For the most part, it works great. But some users who have been added to VPN-Users, can't access the VPN. I can't figure out the difference between those who do work and those who don't!

    I've taken pfsense and openvpn out of the equation by using ntradping on the server itself. It's true, the users who can use openvpn do authenticate on ntratping, and those who fail to log in to openvpn, are failing local ntradping validation.

    So the problem lies somewhere in my SBS2011 server... but where!

    If I create a brand new user and just add them to my VPN-Users group, it works out of the box.

    I followed the appropriate guide to set up pfsense/openvpn but this really does seem like a separate issue from that.

    Another interesting thing is I have 2 sites running SBS2011 and they are both running into similar issues......

    😱

    Any help that someone can provide would be greatly appreciated.


  • Netgate

    The RADIUS/NPS logs on the SBS server are probably telling you what is wrong.



  • Thanks for your reply! I'm pretty new to this, could you point me in the right direction to those logs? Thanks!



  • In case this will help any one else, I've figured this out....

    Here is a link on how to find the logs for NPS...

    https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

    Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

    In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

    If you don't see the "Dial In" tab, this may be of help :

    https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

    For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

    Hope this will help someone else.

    Thanks, Derelict for pointing me in the right direction!