
XG - L2TP RADIUS authentication fails if "automatically use my windows login name and password" option is selected

Hello everyone,

This is a weird one.  I have an XG firewall, set up with RADIUS authentication to a Microsoft NPS server.  I'm trying to establish an L2TP client VPN (pre-shared key) from a Windows 10 1709 box.

 

If I create the VPN connection with the above option checked, "Automatically use my Windows logon name and password (and domain, if any)", I get the usual authentication error (note that in the NPS logs on the Windows server, NO ATTEMPT AT AUTHENTICATION has been made).  If I uncheck this option, NPS is contacted and a connection can be established.

This doesn't happen on UTM, so there must be a bug in the XG RADIUS setup, or I'm missing something. Any ideas?



  • Hi Shaun [:)]
    My NPS logs were in txt files and they didn't show enough at all; I had to enable full event logging before I could start to pin down the RADIUS issues. I ran this on my server:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    From there you'll be able to see exactly what is being passed to RADIUS and if it's failing. I know from my tests that the username has to be in all lower-case, otherwise it doesn't seem to recognise the username correctly, though now I have mine working I should really go and retest this!
    EDIT: I've just checked again, and using some uppercase letters in the account details (from the client side) seems to have foxed everything... I get this:

    "Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

  • Hi SFIA_IT,
    I ended up raising a case on this with support, as it happens on one of my sites but not all.  The answer I received was that it's not a bug, but an additional feature request that will be tackled in a future release.  My answer back was that this works with UTM, so why not XG?  If you're trying to support the Microsoft client, then it should work with that client; any failure to do so is not a feature, but a bug.

    It's just one in a long line of problems with XG...  :(
  • I'm finding the same issues with XG. We've got two; they're not in production yet, but I've not had so many problems setting up a firewall for years.

    I'd double-check your event logs to see if it's the capitalisation issue. What I read was that MS-CHAPv2 actually uses a combo of username and password (almost a hash), but it's case-sensitive. So I'm guessing that ticking "automatically use my Windows logon name and password" could be sending over usernames with capitalisation?

  • Hi,

    I've set up Linux PPTP VPN servers in the past. If it's anything like PPTP users in those VPNs, the account is usually sent as DOMAIN\username.  I'll try a couple of tests and see if I can replicate the problem.

  • OK, I've completed my tests and found the following.
    After looking at other people's problems with L2TP on the XG forums, I came to the conclusion that XG has a problem with case sensitivity.  As you're aware, Microsoft users are in the form

    DOMAIN\username

    and each user account has a field under Account that is the pre-Windows 2000 logon name.
</gre_replace>
<gr_replace lines="68" cat="clarify" orig="This is still in the format">
    This is still in the format "DOMAIN" and "username", but if the username here has any capitals (for example, "FFlintstone"), then XG does not honour the login using the automatically supplied credentials from the Windows client.  If the username is "fflintstone" the problem does not occur; you can prove this by changing the pre-Windows 2000 logon name to lowercase yourself.

    This is still in the format “DOMAIN” & “username”, but if the username here has any capitals (for example, “FFlintstone”, then XG does not honour the login using the automatically supplied credentials from the windows client.  If the username is “fflintstone” the problem does not occur - you can prove this by changing the pre windows 2000 login name to lowercase yourself.

    Therefore, XG is forcing the name to be case-insensitive during the negotiation with L2TP.  The problem, however, is compounded because the Active Directory user creation wizards usually supply this pre-Windows 2000 logon name as "Username": if the user is "Fred Flintstone" then the wizard sets the pre-Windows 2000 logon name as "FFlintstone".
    As I've said before, this is NOT a "feature request"; this is plainly a BUG, because the automatically supplied credentials from the Microsoft client are correct and XG is knobbling them by reducing them to all lower case.
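The mechanism the two replies above are describing (MS-CHAPv2 folding the user name into its hash, so that any change of case between the client and NPS ends in a credentials mismatch) can be checked with the following Python. This is an added example and is not code from the thread, from Sophos or from Microsoft. It implements the two case-sensitive inputs of the MS-CHAPv2 NT-Response as specified in RFC 2759: ChallengeHash, a truncated SHA-1 over the peer challenge, the authenticator challenge and the user name with any DOMAIN\ prefix removed, and NtPasswordHash, MD4 over the UTF-16LE password (MD4 is written out in pure Python because hashlib does not always expose it). The final DES step that turns these two values into the 24-byte NT-Response is left out, since the standard library has no DES; it is a deterministic function of the two values, so if either differs between what the client computed and what the RADIUS server computes, the response cannot verify. The RFC 2759 section 9.2 test vector is used as sample input, and the "FFlintstone" comparisons are constructed to mirror the thread. Whether XG actually rewrites the case of the forwarded user name is the thread's diagnosis, not something this code proves.

```python
"""Case-sensitive inputs of the MS-CHAPv2 NT-Response (RFC 2759).

Added example for the thread above; not code from Sophos, Microsoft or the
posters.  Only ChallengeHash (s8.2) and NtPasswordHash (s8.3) are computed;
the DES-based ChallengeResponse step (s8.5) is omitted.
"""
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); enough for NtPasswordHash."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: k = i
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: k = 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: k = 0,8,4,12,2,10,...
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the UTF-16LE password, case preserved."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    RFC 2759 uses only the user name as the peer presented it, excluding any
    prepended domain, so 'FFlintstone' and 'fflintstone' hash differently.
    """
    name = username.rsplit("\\", 1)[-1]  # drop a DOMAIN\ prefix if present
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode("utf-8")).digest()
    return digest[:8]


def inputs_match(sent_name: str, forwarded_name: str, peer: bytes, auth: bytes) -> bool:
    """True if a server that saw `forwarded_name` derives the ChallengeHash the
    client derived from `sent_name`; False means the NT-Response cannot verify."""
    return challenge_hash(peer, auth, sent_name) == challenge_hash(peer, auth, forwarded_name)


# Constructed sample input: the RFC 2759 section 9.2 test vector.
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

if __name__ == "__main__":
    print("ChallengeHash  :", challenge_hash(RFC_PEER, RFC_AUTH, RFC_USER).hex())
    print("NtPasswordHash :", nt_password_hash(RFC_PASSWORD).hex())
    # Constructed pairs mirroring the thread: what the client typed vs what the server saw.
    for client, server in (("FFlintstone", "FFlintstone"),
                           ("FFlintstone", "fflintstone"),
                           ("CORP\\FFlintstone", "FFlintstone")):
        print(f"{client!r:20} -> {server!r:14} match={inputs_match(client, server, RFC_PEER, RFC_AUTH)}")
```

With the NPS auditing from the earlier reply enabled, comparing the account name recorded in the failed-authentication event against the name the client typed shows whether the case survived the hop through the firewall; a name that arrives lower-cased will fail in exactly the way the reason code 16 text above describes, even though the password is right.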