
Login fail for L2TP/IPSec using Windows 10 as Client

Publication Date: 2017-09-07 Views: 347 Downloads: 0
Issue Description

The customer had a problem with an L2TP over IPsec VPN that would not connect. The customer uses Windows 10 as the VPN client, and when dialing the VPN server (a USG6300 in our case) the connection is refused with an error stating that either the username and password combination is not valid or there is a protocol issue; check the results below.

Alarm Information

No alarm reported for this case.

Handling Process

First, we checked the IPsec and L2TP VPN configuration, and everything looked correct: the customer had configured the IPsec peer IP address and pre-shared key, the IPsec authentication and encryption parameters were correct, and the L2TP part was also correct, with the firewall configured as the LNS together with the customer's domain name.

The username and password were checked with the Detection function of the LDAP server configuration, which reported success.

So the concern was now entirely about the protocol, since the protocol in use was not permitted for this remote-access setup. In our case CHAP was used for authentication; CHAP works fine with local authentication, but for LDAP authentication and AD authentication this protocol does not work.

So we changed the protocol to PAP, after which authentication succeeded and the connection worked correctly.





Root Cause

There is a general limitation on which PPP authentication protocols can be combined with each AAA server type to complete the authentication process; see the table below. For an LDAP server, only PAP works for PPP authentication.

AAA Server Type    Supported PPP Authentication Types
LOCAL              PAP, CHAP, MSCHAPv1, MSCHAPv2
RADIUS             PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy
TACACS+            PAP, CHAP, MSCHAPv1
LDAP               PAP
NT                 PAP
Kerberos           PAP
SDI                SDI
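Why CHAP cannot be completed against an LDAP server while PAP can, as an added illustration that is not part of the original case and not Huawei code: with CHAP-MD5 (RFC 1994) the authenticator must recompute MD5(Identifier || secret || Challenge), so it needs the cleartext password, whereas an LDAP simple bind only answers yes or no to a password presented to it, which is exactly what PAP hands the LNS. The demo account and the bind stand-in are constructed for this example; PAP carries the password in the clear inside PPP, which is acceptable here only because the L2TP session is protected by IPsec.

```python
import hashlib
import os

# Constructed demo account; in the real case the password lives only in the directory.
DIRECTORY = {"alice": "S3cret!"}


def ldap_bind(username: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: the directory says yes or no to a
    presented password and never hands the stored password to the LNS."""
    return DIRECTORY.get(username) == password


def local_password(username: str):
    """LOCAL AAA: the LNS holds the user database, so it can read the secret."""
    return DIRECTORY.get(username)


def ldap_password(username: str):
    """LDAP AAA: the LNS has bind access only, no read access to the secret."""
    return None


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP-MD5 response per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def authenticate_pap(username: str, password: str) -> bool:
    """PAP: the client sends the password itself, so the LNS can forward it as a bind."""
    return ldap_bind(username, password)


def authenticate_chap(username: str, identifier: int, challenge: bytes,
                      response: bytes, lookup) -> bool:
    """CHAP: the LNS must recompute the expected response, which needs the cleartext
    secret. `lookup` models what the configured AAA server type can give the LNS."""
    secret = lookup(username)
    if secret is None:
        return False  # backend cannot reveal the secret, so CHAP is unverifiable
    return chap_response(identifier, secret, challenge) == response


def demo() -> dict:
    """Run the Windows-client scenario against the LOCAL and LDAP models."""
    challenge, ident = os.urandom(16), 1
    client_resp = chap_response(ident, "S3cret!", challenge)  # computed by the client
    return {
        "pap_ldap": authenticate_pap("alice", "S3cret!"),
        "pap_ldap_wrong": authenticate_pap("alice", "wrong"),
        "chap_local": authenticate_chap("alice", ident, challenge, client_resp, local_password),
        "chap_ldap": authenticate_chap("alice", ident, challenge, client_resp, ldap_password),
    }
```

`demo()` returns True for PAP against LDAP and for CHAP against LOCAL, but False for CHAP against LDAP even though the client's response is correct, which matches the LDAP row of the table.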

Solution

The solution for this case is mainly to change the authentication protocol in the Windows VPN connection settings: open the VPN connection's Properties > Security > Authentication and select only the PAP protocol.

The second part of the solution is to check the Virtual-Template configuration. PAP must be enabled in the ppp authentication-mode setting (which is the default). You can remove CHAP or keep it; it does not matter as long as Windows is configured to use PAP only and PAP is configured on the virtual interface.

interface Virtual-Template 0
 ppp authentication-mode pap          (or: ppp authentication-mode pap chap)
 remote service-scheme l2tpSScheme_1493323626170
 ip address 192.168.20.1 255.255.255.0
 alias L2TP_LNS_0
 undo service-manage enable

Suggestions

When configuring L2TP over IPsec, make sure the PPP authentication protocol is one supported by the AAA server type in use.