OpenVPN stops working



  • Dear All,
    my OpenVPN has worked fine for the last year; today I tried to log in remotely and it has stopped working.
    I am using RADIUS over the Domain controller with SSL certificate.
    I went to the Diagnostic and Authentication and tried to check the RADIUS,
    but the system keeps saying:
    The following input errors were detected:

    Authentication failed.

    I've checked on the Domain controller server both ports:
    1812 and 1813, both are listening.

    Any suggestions how such a thing could happen?

    Thank you



  • RADIUS is rejecting the authentication. You'll have to look at the NPS and security event logs on your domain controller to see why. A packet capture of the RADIUS traffic might be helpful, in that it'll at least confirm or deny whether the server is replying at all. No reply means a host firewall on the server is the likely cause, an error code reply at least will rule that out but probably not more beyond that, the Windows logs will be necessary to get any kind of specifics.



  • @cmb:

    RADIUS is rejecting the authentication. You'll have to look at the NPS and security event logs on your domain controller to see why. A packet capture of the RADIUS traffic might be helpful, in that it'll at least confirm or deny whether the server is replying at all. No reply means a host firewall on the server is the likely cause, an error code reply at least will rule that out but probably not more beyond that, the Windows logs will be necessary to get any kind of specifics.

    I turned the firewall off on the domain controller, and it didn't work!
    The NPS events are the following:

    "DC","IAS",10/19/2014,20:17:19,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","192.168.2.4",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 48",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "DC","IAS",10/19/2014,20:17:19,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 48",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "DC","IAS",10/19/2014,20:17:28,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","192.168.2.4",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 49",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "DC","IAS",10/19/2014,20:17:28,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 49",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "DC","IAS",10/19/2014,20:23:52,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","0.0.0.0",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 50",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    "DC","IAS",10/19/2014,20:23:52,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 50",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
    

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    Authentication Provider: Windows
    Authentication Server: DC.Domain.lan
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 65
    Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

    And on the client side it said the username or password is invalid!
    Note: I have rebooted both the Domain controller and pfSense, but no changes.

    thank you
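
As an added example (not posted by anyone in the thread): a short Python script that reads NPS log records like the ones above and pairs each Access-Reject (packet type 3) with its Access-Request (packet type 1) through the shared Class value, so the reason code and the network policy that matched are attributed to a user. The field positions assume the NPS database-compatible ("IAS") log layout, which is consistent with the records and the event details above; the sample lines are constructed from the thread's records.

```python
import csv
from collections import defaultdict

# 0-based field positions in the NPS/IAS database-compatible log layout.
F_DATE, F_TIME, F_PACKET_TYPE, F_USER = 2, 3, 4, 5
F_CLIENT_NAME, F_POLICY, F_REASON, F_CLASS = 16, 24, 25, 26
ACCESS_REQUEST, ACCESS_REJECT = 1, 3  # RADIUS packet type codes
REASONS = {65: "dial-in Network Access Permission set to Deny"}

# Constructed sample: two request/reject pairs from the thread, each record
# cut off after the Class field (the trailing empty columns are dropped).
SAMPLE_LOG = '''\
"DC","IAS",10/19/2014,20:17:19,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","192.168.2.4",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 48"
"DC","IAS",10/19/2014,20:17:19,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 48"
"DC","IAS",10/19/2014,20:23:52,1,"julien","Julien.lan/Users/Julien Angelo",,,,,"Pfsense.domain.nl","0.0.0.0",,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",0,"311 1 192.168.4.2 10/19/2014 15:16:24 50"
"DC","IAS",10/19/2014,20:23:52,3,,"Julien.lan/Users/Julien Angelo",,,,,,,,0,"192.168.4.1","VPN-Server",,,,,,,1,"Connections to other access servers",65,"311 1 192.168.4.2 10/19/2014 15:16:24 50"
'''


def rejected_logins(log_text):
    """Join each Access-Reject to its Access-Request via the Class field."""
    by_class = defaultdict(dict)
    for row in csv.reader(log_text.splitlines()):
        if len(row) <= F_CLASS or not row[F_PACKET_TYPE].isdigit():
            continue  # skip short or damaged records
        by_class[row[F_CLASS]][int(row[F_PACKET_TYPE])] = row
    findings = []
    for packets in by_class.values():
        reject = packets.get(ACCESS_REJECT)
        if reject is None:
            continue  # no reject logged for this exchange
        request = packets.get(ACCESS_REQUEST)
        code = int(reject[F_REASON] or 0)
        findings.append({
            "time": f"{reject[F_DATE]} {reject[F_TIME]}",
            # The reject record has no User-Name, so take it from the request.
            "user": request[F_USER] if request else "(unknown)",
            "client": reject[F_CLIENT_NAME],
            "policy": reject[F_POLICY],
            "reason_code": code,
            "reason": REASONS.get(code, "look up in the NPS reason codes"),
        })
    return findings


if __name__ == "__main__":
    for finding in rejected_logins(SAMPLE_LOG):
        print(finding)
```

The policy column shows which NPS network policy handled each rejected request, which is the detail that matters when several policies could match the same RADIUS client.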



  • I am answering my own question;
    people with the same problem, follow the next steps:

    Within NPS, go to:
    • Policies >> Network Policies
    • Disabled "Connections to other access servers"

    This corrected the issue, and just to be safe I ordered the policies as follows:
    1. Connections to Microsoft Routing and Remote Access server (Enabled)
    2. Allow pfSense (Enabled)
    3. Connections to other access servers (Disabled)



  • "The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user."

    That's your problem, fix your Windows account and/or NPS policy.

    NPS will only reply with essentially one of two things - auth failed, or auth successful. To get details as to why it fails when it does, you have to check the Windows side.



  • @cmb:

    "The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user."

    That's your problem, fix your Windows account and/or NPS policy.

    NPS will only reply with essentially one of two things - auth failed, or auth successful. To get details as to why it fails when it does, you have to check the Windows side.

    Hi cmb,
    I've checked this permission and it was set OK; I even changed it to the allow permission and it didn't work.
    This happened after the latest Microsoft update; probably they messed with the settings of the NPS.
    After I disabled the connection to other devices,
    voilà, everything started working!
    I am really curious to understand what changes happened.
    Other customers are working fine and had the same update lately on their OS, but the settings are still the same.
    I am very curious to know the changes that happened.