PPTP/L2TP VPN with Radius (NAP) authentication issue



  • Hello everyone,

    I’m new to pfsense and I’m facing an issue that I need your help to resolve! I’m trying to configure a VPN, PPTP or L2TP, with a radius authentication based on a Windows server NAP Radius. I configured the NAP to accept CHAP and CHAPv2, as I see that PPTP and L2TP don’t use the same protocol. The L2TP server is configured on the WAN interface with 10.0.3.100 as server address and 10.0.3.1/24 for the address range (20 users available). The authentication is CHAP, the radius server is my AD server with the correct preshared key. I don’t describe the PPTP server as the result is the same…

    When I try to connect the L2TP client computer, the username/password is given to pfsense and it goes to the radius server. In the event viewer, I see the login request:

    Network Policy Server / Audit success : Network Policy Server granted full access to a user because the host met the defined health policy.

    BUT… the log in pfsense is completely different:
    In System Log / VPN / L2TP RAW :
    Aug 28 17:05:41 l2tps: MAGICNUM f130ff62
    Aug 28 17:05:41 l2tps: AUTHPROTO CHAP MD5
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Configure Ack #22 (Ack-Sent)
    Aug 28 17:05:41 l2tps: ACFCOMP
    Aug 28 17:05:41 l2tps: PROTOCOMP
    Aug 28 17:05:41 l2tps: MRU 1500
    Aug 28 17:05:41 l2tps: MAGICNUM f130ff62
    Aug 28 17:05:41 l2tps: AUTHPROTO CHAP MD5
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Ack-Sent –> Opened
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: auth: peer wants nothing, I want CHAP
    Aug 28 17:05:41 l2tps: [l2tp0] CHAP: sending CHALLENGE len:26
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerUp
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #2 (Opened)
    Aug 28 17:05:41 l2tps: MESG: MSRASV5.20
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #3 (Opened)
    Aug 28 17:05:41 l2tps: MESG: MSRAS-0-CLIENT-WIN8
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Ident #4 (Opened)
    Aug 28 17:05:41 l2tps: MESG: Ì'^HëÊz-EM-^_®uÔüWG?
    Aug 28 17:05:41 l2tps: [l2tp0] CHAP: rec'd RESPONSE #1
    Aug 28 17:05:41 l2tps: Name: "test"
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Auth-Thread started
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Trying RADIUS
    Aug 28 17:05:41 l2tps: [l2tp0] RADIUS: RadiusAuthenticate for: test
    Aug 28 17:05:41 l2tps: [l2tp0] RADIUS: rad_send_request failed: No valid RADIUS responses received
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: RADIUS returned undefined
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Trying INTERNAL
    Aug 28 17:05:41 l2tps: AUTH: User "test" not found in secret file
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: INTERNAL returned failed
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: ran out of backends
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Auth-Thread finished normally
    Aug 28 17:05:41 l2tps: [l2tp0] CHAP: ChapInputFinish: status failed
    Aug 28 17:05:41 l2tps: Reply message: Login incorrect
    Aug 28 17:05:41 l2tps: [l2tp0] CHAP: sending FAILURE len:15
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: authorization failed
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: parameter negotiation failed
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Opened –> Stopping
    Aug 28 17:05:41 l2tps: [l2tp0] AUTH: Cleanup
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: SendTerminateReq #23
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerDown
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: rec'd Terminate Ack #23 (Stopping)
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Stopping –> Stopped
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: LayerFinish
    Aug 28 17:05:41 l2tps: [l2tp0] link: DOWN event
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: Close event
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Stopped –> Closed
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: Down event
    Aug 28 17:05:41 l2tps: [l2tp0] LCP: state change Closed –> Initial
    Aug 28 17:05:41 l2tps: [l2tp0] L2TP: Call #0 terminated locally
    Aug 28 17:05:41 l2tps: L2TP: Control connection 0x801a11d08 terminated: 0 (no more sessions exist in this tunnel)

    As far as I can understand, pfsense doesn’t receive the response / authorization from the radius! Why could this happen when the request is allowed by the radius server? I disabled the firewall on windows, checked the firewall on pfsense and I don’t find a problem on this side either. The firewall from the lan to the pfsense server is fully open except to a specific subnet:
    IPv4 * / source * / destination ! subnet X / port * / Gateway *

    The pfsense server and my windows server are on the same subnet (10.0.1.0/24). I tried to request an authentication from another computer on this subnet, using Radius Test tool, and it’s working well.

    If any of you has an idea to help me, it will be greatly appreciated!!
    Thanks in advance,
        siceff



  • Does anyone have an idea to resolve my problem? Am I on the wrong forum track?



  • I'm sorry to come back with my question, but does that mean:

    • No one does a VPN (any type) with radius authentication, or

    • I'm the only one who has a problem configuring it?

    I'll be happy if someone tells me if it's possible or not to do that this way! I don't know how to continue with my problem…
    Thanks for your help!


  • Rebel Alliance Developer Netgate

    People use RADIUS all the time with VPNs (especially OpenVPN and IPsec).

    L2TP on its own has no encryption so it's not a common choice for a VPN currently. L2TP is not the same as L2TP+IPsec. That may work soon-ish on 2.2 but not on 2.1.x.

    The response you get means the RADIUS server did not return a successful login message. That is between your RADIUS settings and your RADIUS server. It could be anything from the wrong IP/port to having the wrong shared secret or even the server sending back a rejection. The RADIUS server logs would have more detail.

    Or you can packet capture the RADIUS request and inspect it in wireshark to see what's really going on.



  • Thanks for your feedback!
    I changed the VPN type to PPTP for now, just to continue testing the radius. I also added PPTP to the post's title.

    The problem is still the same: I define the radius server in PPTP VPN, with "Remote address range", "Radius for authentication and accounting", "Radius IP server and port (1812-1813)" and secret. When I connect the PPTP VPN, the RADIUS server logs a: "Network Policy Server granted full access to a user because the host met the defined health policy.". If I enter a wrong password, it also rejects the connection, that's correct.

    BUT on pfsense, the log still says that it does not receive a valid response from the Radius server: "pptps: [pt0] RADIUS: rad_send_request failed: No valid RADIUS responses received". Is there any format or encryption that is required by pfsense? I will try to check the network packets to understand the problem as proposed.

    I also checked connecting the VPN using a local user/password and of course, everything works fine.



  • OK, I've done a capture:
    from 10.0.1.1 (pfsense) to 10.0.1.2 (radius), protocol RADIUS, length 213, Access-Request(1), packet id 0x33
    from 10.0.1.2 (radius) to 10.0.1.1 (pfsense), protocol RADIUS, length 316, Access-Accept(2), packet id 0x33

    So it seems to be right. I didn't notice that I was using pfsense version 2.1.4. I will upgrade to 2.1.5 to see if something changes.

    Here is the full accept packet:

     10.0.1.2.1812 > 10.0.1.1.56013: [udp sum ok] RADIUS, length: 274
    	Access Accept (2), id: 0x33, Authenticator: daa0623fd549b2c437f3416afb2a8187
    	  Framed Protocol Attribute (7), length: 6, Value: PPP
    	    0x0000:  0000 0001
    	  Service Type Attribute (6), length: 6, Value: Framed
    	    0x0000:  0000 0002
    	  Class Attribute (25), length: 46, Value: H...
    	    0x0000:  4810 05cc 0000 0137 0001 0200 0a00 0102
    	    0x0010:  0000 0000 0000 0000 0000 0000 01cf d33f
    	    0x0020:  e2c2 cfd6 0000 0000 0000 0058
    	  Vendor Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 17, Length: 34, Value: €;+....h.*Q..G...E.7I`.......a.C.Z
    	    0x0000:  0000 0137 1124 803b 2bd1 9be2 9e68 f22a
    	    0x0010:  51b6 da47 098e d945 9337 4960 931c a01a
    	    0x0020:  d6aa d961 e043 905a
    	  Vendor Specific Attribute (26), length: 42, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 16, Length: 34, Value: €<n..:nt.h.l.zs9@.x..$o>.Ib.B.wq$.
    	    0x0000:  0000 0137 1024 803c 4ed0 ef3a 4e74 f268
    	    0x0010:  f94c a57a 7339 40f3 7807 9a24 6f3e c449
    	    0x0020:  62c3 421c 7771 249b
    	  Vendor Specific Attribute (26), length: 51, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 26, Length: 43, Value: .S=74DDCEFDC005BA161B6890AFB69EA4CD388D52FF
    	    0x0000:  0000 0137 1a2d 0153 3d37 3444 4443 4546
    	    0x0010:  4443 3030 3542 4131 3631 4236 3839 3041
    	    0x0020:  4642 3639 4541 3443 4433 3838 4435 3246
    	    0x0030:  46
    	  Vendor Specific Attribute (26), length: 13, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 10, Length: 5, Value: .ESSI
    	    0x0000:  0000 0137 0a07 0145 5353 49
    	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 14, Length: 4, Value: ...2
    	    0x0000:  0000 0137 0e06 0000 0032
    	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 15, Length: 4, Value: ...x
    	    0x0000:  0000 0137 0f06 0000 0078
    	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 7, Length: 4, Value: ....
    	    0x0000:  0000 0137 0706 0000 0002
    	  Vendor Specific Attribute (26), length: 12, Value: Vendor: Microsoft (311)
    	    Vendor Attribute: 8, Length: 4, Value: ....
    	    0x0000:  0000 0137 0806 0000 000e
    
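The capture shows a well-formed Access-Accept, yet mpd still reports "No valid RADIUS responses received". Below is an added example (not code from the thread or from pfSense/mpd) of the check a NAS applies before trusting a reply: the RFC 2865 Response Authenticator, an MD5 over the reply plus the shared secret, so a secret mismatch is invisible in Wireshark but makes the client silently discard the packet. The shared secret, the Request Authenticator and the attribute list are constructed; the attributes mirror the two standard ones in the capture above.

```python
# Added example, not from the thread: verify a RADIUS Access-Accept the way a
# NAS does.  RFC 2865 s.3: ResponseAuth = MD5(Code | ID | Length |
# RequestAuth | Attributes | Secret).  The secret never crosses the wire.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7        # attribute types seen in the capture

def encode_attrs(attrs):
    """RFC 2865 attribute TLVs: Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(body):
    """Return [(type, value_bytes)], rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        t, l = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return attrs

def build_access_accept(pkt_id, request_auth, attrs, secret):
    """Server side: seal the reply with the Request Authenticator + secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, pkt_id, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_access_accept(packet, pkt_id, request_auth, secret):
    """NAS side: return the attribute list, or None if the reply is not valid."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or rid != pkt_id or length != len(packet):
        return None
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None                 # the "no valid RADIUS responses" case
    return decode_attrs(body)

# Constructed sample (placeholder secret and authenticator, not from the capture)
REQUEST_AUTH = bytes(range(16))
ATTRS = [(FRAMED_PROTOCOL, struct.pack("!I", 1)),   # Framed-Protocol = PPP
         (SERVICE_TYPE, struct.pack("!I", 2))]      # Service-Type = Framed
ACCEPT = build_access_accept(0x33, REQUEST_AUTH, ATTRS, b"nps-secret")
```

Calling `verify_access_accept(ACCEPT, 0x33, REQUEST_AUTH, b"nps-secret")` returns the attributes, while any other secret, a changed packet id or a single flipped byte returns `None`, which is all the NAS can report.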


  • Hello,
    So, after upgrading to 2.1.5, recreating the whole VPN PPTP configuration and making the radius (NPS) policy rule again, the VPN is working.
    But I still don't understand what happened because the packets (radius request and accept) are still the same :P

    Maybe a small configuration error? Certainly. Thanks again to jimp for his help. See you.

