
RADIUS authentication for PPTP and L2TP, user not able to change password when expired or force changed

We are having issues with RADIUS authentication for PPTP and L2TP (on a Sophos UTM SG 550, version 9.701-6). VPN users are able to authenticate without any issues; our issue is when a user's password expires or we force a password change: they are not prompted that their password has expired/change required and to set a new one, even though the network policy on the RADIUS server does have "User can change password after it has expired" enabled. Is this a limitation on the UTM that doesn't allow this feature? The RADIUS server is on a Domain Controller running Windows Server 2012 R2. The users connect to the VPN using the Windows 10 built-in VPN connection. All the end user gets when their password has expired or we have forced a password change is the error "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server". This is a feature that we have never managed to get working. I have logged a ticket with support but they just state it's an issue with the RADIUS server, which I guess it could well be, but I'm just looking to see if anyone does have this working and has any ideas what the issue could be.



  • No, I'd forgotten that one can only change the password in the User Portal if the user object is Locally Authenticated.

    I think you're stuck.  I can only see two possibilities:

    1. Manually change the password for such users and ask them to change it again after they've logged into Remote Access.
    2. Stop forcing password changes and require users to change their password themselves on a specific schedule.

    If you discover a more-secure workaround, please post it back here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
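    Workaround 1 above only helps if the admin knows which accounts are about to fail the VPN logon. The script below is an added example (not from this thread, not Sophos or Microsoft code) that lists, from the Domain Controller hosting NPS, the VPN users whose password has already expired or is flagged "must change at next logon", so they can be reset before they hit the "user name and password combination ... not recognized" error. It assumes the ActiveDirectory PowerShell module is installed and that VPN users are members of a group named `VPN-Users` (a placeholder; use your own group).

    ```powershell
    # Added example: find AD users who will fail a PPTP/L2TP (MS-CHAPv2 over RADIUS)
    # logon because their password is expired or a change is forced at next logon.
    # Assumes the ActiveDirectory module (RSAT) is available on the machine.
    Import-Module ActiveDirectory

    # Assumption: VPN users are members of this group. Replace with your group name.
    $VpnGroup = 'VPN-Users'

    # msDS-UserPasswordExpiryTimeComputed returns this sentinel for "never expires";
    # passing it to FromFileTime() would throw, so it is filtered out below.
    $NeverExpires = [long]::MaxValue
    $Now = Get-Date

    function Get-VpnUsersNeedingPasswordReset {
        Get-ADGroupMember -Identity $VpnGroup -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed',
                                   PasswordNeverExpires, Enabled |
            ForEach-Object {
                # pwdLastSet = 0 is how AD records "User must change password at next logon".
                $mustChange = ($_.pwdLastSet -eq 0)

                $expiryRaw = $_.'msDS-UserPasswordExpiryTimeComputed'
                $expiresOn = $null
                $expired   = $false
                if (-not $_.PasswordNeverExpires -and $expiryRaw -and $expiryRaw -lt $NeverExpires) {
                    $expiresOn = [datetime]::FromFileTime($expiryRaw)
                    $expired   = $expiresOn -lt $Now
                }

                # Disabled accounts are excluded: they fail for a different reason.
                if ($_.Enabled -and ($mustChange -or $expired)) {
                    $reason = if ($mustChange) { 'forced change (pwdLastSet = 0)' } else { 'password expired' }
                    [pscustomobject]@{
                        SamAccountName        = $_.SamAccountName
                        MustChangeAtNextLogon = $mustChange
                        PasswordExpired       = $expired
                        ExpiresOn             = $expiresOn
                        Reason                = $reason
                    }
                }
            } | Sort-Object SamAccountName
    }

    # Run it and show the result; pipe to Export-Csv instead if you want a helpdesk list.
    Get-VpnUsersNeedingPasswordReset | Format-Table -AutoSize
    ```

    Running this on a schedule (for example daily, shortly before the expiry window) gives the helpdesk the list of accounts to reset manually, which is the only part of workaround 1 that can be automated without changing the VPN method.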
  • Hi Bob

    Many thanks for your reply.

    I think the best way forward here would be to move away from using RADIUS (PPTP/L2TP) and go with the SSL VPN option on the UTM; would you agree with that stance? Do you know if this option would allow the end user to change their password if it had expired or we forced a change on next logon?

    Thanks Paul

  • My preference is the SSL VPN, Paul.  I don't know, but I would expect problems with any remote access method if you expire passwords instead of forcing a change on the next login.  I'll be interested to know your results with a test case.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA