
XG v18 and L2TP/RADIUS Authentication

Hello Community,


I want to setup a L2TP Connection with RADIUS Authentication as described here: https://community.sophos.com/kb/en-us/132293

When I configure the L2TP connection on an iPhone or use the “Test Connection” button, the only reaction is: “Authentication failed”.

When I do an LDAP connection (with the User Portal), the authentication is successful.

Does anybody have a working setup?


Thanks,

Ben



  • Hey Ben,


    I had a similar issue also in V17.5. My issue was when I used LDAP / Windows 10 / L2TP I needed to enable PAP in both the XG VPN and Windows 10 VPN adaptor settings.

    This article shows you the table and how to change it to PAP

    https://community.sophos.com/kb/en-us/123169


    Then in the Windows 10 VPN Adaptor open Properties and Security and enable PAP


    Then users can Authenticate L2TP with AD Credentials.

    It might be the same for you with the RADIUS and the XG talking to AD.


    This might be worth a try to see if it fixes your issue also?


    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • Hi Ben,

    This should all work fine.

    If you are using the XG builtin "Test Connection" button then you must have PAP enabled on your NPS policy.  This is due to the fact that the XG RADIUS client sends the connection test in PAP.

    For the iPhone, you must remember to set a "local ID" on the L2TP connection you have set up.

    Have you tested with any other device?  Has this device been successful?

    You could run a packet capture on the XG and review it in Wireshark to see what the RADIUS server is sending the XG.  If the RADIUS server is sending the XG "Access Accept" then we need to look at the XG's access_server.log file in the "Advanced Console".  If the XG shows successful but the iPhone is not allowing the connection, then we need to dig from the iPhone side.  However at that point, if you are a paid user, I would suggest opening a case with support.

    Let us know how it goes with the troubleshooting.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Hello KingChris,

    Now I'm one step further. I have configured the NPS server according to these instructions:
    community.sophos.com/.../132293

    When I press the "test Connection" button in the RADIUS server configuration, I get a: "Device-RADIUS server connectivity test was successful". So far, so good.

    In the next step I take a Windows 10 client and set up a L2TP VPN connection. After I have entered my username and password, I get a message that the username or password is wrong. If I now look at the NPS server in the log, I see that the wrong "Connection Request Policy" is being used.
    Do you have an explanation what makes the XG test different from the "real" VPN connection?

    Thanks,

    Ben


  • Hello Community,

    I checked the RADIUS requests with Wireshark. The first one is the request when I click on "Test Connection". All parameters in the request are as described in the KB article and the test is OK. The second screenshot is when I try to establish a L2TP VPN connection with the Windows Client. It is completely different from the first one.


    "Test Connection":

    Windows L2TP Client:

    Does anybody have a working setup with Sophos XG v18, RADIUS (Windows NPS server) and a Windows 10 client?


    Thanks,

    Ben


  • Hello Community,

    I have made the settings on the NPS server as shown in the dump. This makes it possible to perform RADIUS authentication.

    Ben

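The packet capture KingChris suggests and the Wireshark comparison Ben describes both come down to reading which credential attributes each RADIUS Access-Request carries, since that is what the NPS policy has to permit. The decoder below is an added example, not code from the thread or from Sophos: it parses RFC 2865 packets, recognises the Microsoft MS-CHAP vendor attributes from RFC 2548, and runs over two constructed sample packets (a PAP-style probe and an MS-CHAPv2-style request); the user name and NAS-Identifier values are placeholders.

```python
import struct

# RADIUS (RFC 2865) codes and the Microsoft vendor id used for MS-CHAP attributes (RFC 2548)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
MICROSOFT_VENDOR = 311   # sub-types: 11 = MS-CHAP-Challenge, 25 = MS-CHAP2-Response

def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS packet into its header fields and (type, vendor, subtype, value) attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20   # the 16-byte Request Authenticator sits between header and attributes
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:   # Vendor-Specific: vendor id, sub-type, sub-length, data
            vendor, subtype, sublen = struct.unpack("!IBB", value[:6])
            attrs.append((atype, vendor, subtype, value[6:4 + sublen]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def auth_method(pkt: bytes) -> str:
    """Name the credential form an Access-Request carries; the NPS policy must allow this method."""
    present = {(t, v, s) for t, v, s, _ in parse_radius(pkt)["attrs"]}
    if (26, MICROSOFT_VENDOR, 25) in present:   # MS-CHAP2-Response
        return "MS-CHAPv2"
    if (79, None, None) in present:             # EAP-Message
        return "EAP"
    if (3, None, None) in present:              # CHAP-Password
        return "CHAP"
    if (2, None, None) in present:              # User-Password (PAP)
        return "PAP"
    return "unknown"

# Helpers to build the constructed sample packets (these are not captures from the thread)
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def ms_vsa(subtype: int, value: bytes) -> bytes:
    return attr(26, struct.pack("!IBB", MICROSOFT_VENDOR, subtype, len(value) + 2) + value)

def build_request(ident: int, body: bytes) -> bytes:
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body

# Constructed PAP-style probe: User-Name, 16-byte User-Password block, placeholder NAS-Identifier
PAP_PROBE = build_request(1, attr(1, b"ben") + attr(2, b"\x11" * 16) + attr(32, b"xg-placeholder"))
# Constructed MS-CHAPv2-style request: Framed-Protocol = PPP plus the Microsoft challenge/response
MSCHAP_REQ = build_request(2, attr(1, b"ben") + attr(7, struct.pack("!I", 1))
                           + ms_vsa(11, b"\x22" * 16) + ms_vsa(25, b"\x33" * 50))
```

Feed the bytes of a real Access-Request exported from Wireshark to `auth_method` to see whether the XG probe and the client connection present different credential forms.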