
L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 1:40 pm
by abulat
Hi everybody,

I have a problem with L2TP VPN. I created local users on the router and I can successfully connect to the L2TP VPN, but I tried to configure NPS following a lot of sources and can't get authorization to work; the log says "Authentication Failed - Radius Timeout".

Could you please help me with a clear guide on how to set up NPS for authentication of users who are trying to connect to L2TP?

Thanks in advance.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 3:18 pm
by karlisi

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 3:25 pm
by abulat
Hi,

I tried exactly these steps, 100%, on Windows Server 2019 and nothing is working.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 4:01 pm
by karlisi
Also, this link from the comments on the original article:
https://mivilisnet.wordpress.com/2019/0 ... s-working/

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 4:10 pm
by abulat
Also doesn't work.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 4:16 pm
by karlisi
Does it work without RADIUS? Anything in the Windows Security events?

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 4:33 pm
by abulat
Without RADIUS it works with local users on the router.

In the event log is written: ID 49 The connection request did not match a configured connection request policy, so the connection request was denied by Network Policy Server.

On the MikroTik I have Request and Reject in the RADIUS settings.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:05 pm
by karlisi
So, the MikroTik is connecting to NPS, but the policies do not match. The only suggestion is to check all settings thoroughly, step by step, on both sides, especially on NPS. Or start from scratch.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:11 pm
by abulat
I tried 10 times from scratch and nothing worked. In the RADIUS client settings, the IP address should be the router's IP and not the AD's, correct?

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:34 pm
by mjezierski
On the Conditions -> Authentication Methods select "Unencrypted Authentication (PAP/SPAP)" and "Encrypted Authentication (CHAP)" and retest. I have Windows Server 2016 working with Mikrotik Dot1X using RADIUS with PAP and it works well.

Yes I know it's unencrypted but I'm doing MAC Address authentication on an internal network.
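
Added example, not part of the post above or of any guide linked in this thread: how a RADIUS client carries a PAP password (User-Password hiding, RFC 2865 section 5.2) and how it checks the server's Response Authenticator, both of which depend on the secret configured on the router and on the RADIUS server being identical. The secrets, user name, password and request authenticator are constructed sample values.

```python
import hashlib, hmac, struct

# Constructed sample values, not taken from the thread.
ROUTER_SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))  # fixed for repeatability; a real NAS uses 16 random bytes

def pap_hide(password, secret, req_auth):
    """RFC 2865 section 5.2: hide User-Password with an MD5 keystream."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16, minimum 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev                                 # each block chains into the next key
    return out

def pap_recover(hidden, secret, req_auth):
    """What the RADIUS server does with its own copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(ident, user, password, secret, req_auth=REQ_AUTH):
    """Code 1 packet with User-Name (1) and User-Password (2)."""
    attrs = attribute(1, user) + attribute(2, pap_hide(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, secret, req_auth=REQ_AUTH, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, secret, req_auth=REQ_AUTH):
    """Client side: recompute the Response Authenticator before trusting a reply."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    print(pap_recover(pap_hide(b"Passw0rd!", ROUTER_SECRET, REQ_AUTH), b"other-secret", REQ_AUTH))
    print(reply_is_authentic(build_reply(2, 7, b"other-secret"), ROUTER_SECRET))
```

With a different secret on the two sides, the server recovers garbage instead of the password, and the client rejects any reply because the Response Authenticator does not verify.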

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:41 pm
by abulat
That didn't help.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:47 pm
by tdw
You can only do PAP or MSCHAPv2 against AD, there is no way CHAP can work.

The 'Ignore user dial-in account properties' box is not ticked in your screenshots. I'm not a Windows expert, but without this I expect you have to apply a policy to the user accounts as the default is not to permit dial-in.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:53 pm
by abulat
I tried with and without this box and nothing helped.

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 5:59 pm
by karlisi
What is on the MikroTik?

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 6:01 pm
by abulat
Everything is configured correctly on the MikroTik (RADIUS, ACL) but I still receive this log: user authentication failed

Re: L2TP with Radius Authentication

Posted: Mon Feb 15, 2021 6:05 pm
by karlisi
Sorry, no idea. On the MikroTik my only error was an incorrect src-address in the RADIUS settings; it should be the router's IP address.