Netgate Discussion Forum

    pfsense / openvpn / radius / sbs 2011 - integration

    4 Posts 2 Posters 1.3k Views
    eidolontubes

      Hi everyone,

      I am having a strange problem that is taking a toll on my sanity! I have configured a pfsense box with openvpn and radius authentication to my client's SBS 2011 server. Users who are to be able to access the vpn must be added to the "VPN-Users" group on the SBS server.

      For the most part, it works great. But some users who have been added to VPN-Users can't access the VPN. I can't figure out the difference between those who do work and those who don't!

      I've taken pfsense and openvpn out of the equation by using ntradping on the server itself. It's true, the users who can use openvpn do authenticate on ntradping, and those who fail to log in to openvpn are failing local ntradping validation.

      So the problem lies somewhere in my SBS2011 server... but where!

      If I create a brand new user and just add them to my VPN-Users group, it works out of the box.

      I followed the appropriate guide to set up pfsense/openvpn but this really does seem like a separate issue from that.

      Another interesting thing is I have 2 sites running SBS2011 and they are both running into similar issues...

      😱

      Any help that someone can provide would be greatly appreciated.

      Derelict (LAYER 8, Netgate)

        The RADIUS/NPS logs on the SBS server are probably telling you what is wrong.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        eidolontubes

          Thanks for your reply! I'm pretty new to this, could you point me in the right direction to those logs? Thanks!

          eidolontubes

            In case this will help anyone else, I've figured this out.

            Here is a link on how to find the logs for NPS...

            https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

            Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

            In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

            If you don't see the "Dial In" tab, this may be of help:

            https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

            For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

            Hope this will help someone else.

            Thanks, Derelict for pointing me in the right direction!

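The two checks the thread ends up doing by hand (reading the NPS decision log, then inspecting each user's "Dial-in" setting in AD) can be scripted so that the next affected user is found in seconds rather than by trial and error. The following PowerShell is an added example, not code from the thread or from Netgate; it assumes the ActiveDirectory module is available (run it on the SBS box or a machine with RSAT), that NPS runs on that same server, and that the group is called "VPN-Users" as in the original post. The attribute name msNPAllowDialin and the NPS Security-log event IDs 6272/6273 are standard Windows values; everything else is illustrative.

```powershell
# Added example (not part of the thread). Audits VPN-Users members for the
# AD "Dial-in" setting that NPS honours, lists recent NPS denials, and can
# repair the "Deny access" case the thread describes.
# Assumes: ActiveDirectory module present, NPS on this server, group 'VPN-Users'.

Import-Module ActiveDirectory

function Get-VpnDialInStatus {
    param([string]$GroupName = 'VPN-Users')   # group name taken from the thread

    # msNPAllowDialin backs the "Network Access Permission" radio buttons on
    # the Dial-in tab:
    #   $true  -> Allow access
    #   $false -> Deny access (RADIUS auth fails before any NPS policy runs)
    #   unset  -> Control access through NPS Network Policy
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties msNPAllowDialin |
        ForEach-Object {
            $value = $_.msNPAllowDialin      # keep the attribute on the left so $null is not coerced
            if ($value -eq $true) {
                $status = 'Allow access'
            } elseif ($value -eq $false) {
                $status = 'Deny access'
            } else {
                $status = 'Control through NPS policy'
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                DialIn         = $status
            }
        }
}

function Repair-VpnDialIn {
    # Flips members currently set to "Deny access" to "Allow access", which is
    # the fix the thread applied by hand. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$GroupName = 'VPN-Users')

    Get-VpnDialInStatus -GroupName $GroupName |
        Where-Object { $_.DialIn -eq 'Deny access' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Set msNPAllowDialin = TRUE')) {
                Set-ADUser -Identity $_.SamAccountName -Replace @{ msNPAllowDialin = $true }
            }
        }
}

function Get-NpsDenials {
    # NPS records its decisions in the Security log: 6272 = access granted,
    # 6273 = access denied. The 6273 message body carries a "Reason:" line,
    # which for the thread's case points at the account's dial-in properties.
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = $_.Message -split '\r?\n'
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = (($lines | Where-Object { $_ -match '^\s*Account Name:' }) |
                                   Select-Object -First 1) -replace '^\s*Account Name:\s*', ''
                Reason      = (($lines | Where-Object { $_ -match '^\s*Reason:' }) -join ' ') -replace '^\s*Reason:\s*', ''
            }
        }
}

# Usage: audit first, review the denials, then repair with -WhatIf before committing.
Get-VpnDialInStatus | Format-Table -AutoSize
Get-NpsDenials -Hours 48 | Format-Table -AutoSize -Wrap
Repair-VpnDialIn -WhatIf
```

Run the audit before touching anything: an account that shows "Deny access" here is exactly the case the thread hit, and the matching 6273 event confirms that NPS rejected it for that reason rather than for a policy or password problem. Leave "Control through NPS policy" users alone; their access is decided by the NPS network policy, which is the setting most deployments want so the group membership alone governs VPN access.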