NSA 2400 - Cannot successfully authenticate against Active Directory over L2TP VPN
Dear Sonicwall Community,
I am trying to connect to the L2TP VPN using the Windows VPN client, but I get this error when I log on with a user imported from LDAP:
"The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error."
However, if I use a user that is not imported from LDAP, it connects without any issues.
Now, L2TP is enabled on the firewall and is configured with MSCHAPv2 as authentication protocol.
Also, the Windows VPN connection is using MSChapv2; it was added with this PowerShell command:
Add-VpnConnection -Name "company name" -ServerAddress "company.com" -Tunneltype "L2tp" -L2tpPsk "pre-shared-key" -AuthenticationMethod MSChapv2 -EncryptionLevel "Required" -Force
The NPS server is also configured with MSChapv2:
Does anyone have a clue why I'm still getting an authentication error? Is there anything I should configure differently?
We are having issues with Teams and Navision over Global VPN Client, so it would be great if we could authenticate users imported from LDAP and I would not have to create a new user for everyone using VPN in my company.
Answers
Hi @JUNGLEWIZARD,
Thank you for visiting SonicWall Community.
Did you get a chance to check the settings on the client end as below? Please check the VPN adapter details and ensure the proper security settings are configured.
Also, what does the SonicWall log say?
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thank you @Saravanan
My VPN adapter security settings are:
Log from the firewall:
I don't know why it is saying MS-CHAP in the log. It should be version 2 right?
Another question, is it possible to enable EAP on the firewall? I have not seen an option for it.
Hi everyone
I have the exact same problem with my L2TP VPN setup and LDAP authentication.
Are there any solutions for this problem?
Regards
Michael
According to this article: https://www.sonicwall.com/support/knowledge-base/configuring-l2tp-authentication-protocols-to-use-ldap-instead-of-radius-for-ios-ipad-iphone-ipod-t/170503814012320/
"Active Directory does not support CHAP, MS-CHAP, or MS-CHAPv2"
Putting PAP at the top and changing the VPN to use PAP worked for me.
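The reason PAP works and MS-CHAPv2 does not, when the users come from LDAP, is that the firewall can only check an LDAP user by performing a bind with the plaintext password. PAP delivers that password; MS-CHAPv2 delivers only a challenge response derived from the password hash, which the firewall can verify for its own local users (whose hashes it holds) but not by asking the directory. The toy model below, added here and not part of this thread or of any SonicWall code, shows that difference. The directory contents and user names are constructed, and the challenge-response uses HMAC-SHA256 as a stand-in for the real MS-CHAPv2 NT-hash/DES construction; it is a model of the verification dependency, not an implementation of the protocol.

```python
"""Why an LDAP-backed user passes PAP but fails MS-CHAPv2 (toy model).

The gateway reaches the directory only through ldap_bind(), which answers
yes/no for a username + plaintext password.  PAP supplies that plaintext,
so the bind check works.  MS-CHAPv2 supplies only a response computed from
the password hash; verifying it needs the stored hash, which the gateway
holds for local users but cannot obtain from a bind-only directory.
"""
import hashlib
import hmac
import os

# Constructed sample directory (stands in for Active Directory over LDAP).
DIRECTORY = {"alice": "Correct-Horse-7", "bob": "Tr0ub4dor&3"}


def ldap_bind(username: str, password: str) -> bool:
    """Model of an LDAP simple bind: the only check the directory exposes."""
    return DIRECTORY.get(username) == password


def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash MS-CHAPv2 really uses (not the real MD4)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def mschapv2_response(challenge: bytes, password: str) -> bytes:
    """Client side: response derived from the hash, never the password."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


# Constructed local user database: hashes the gateway itself stores.
LOCAL_USERS = {"vpnlocal": password_hash("Local-Pass-1")}


def gateway_pap(username: str, password: str) -> bool:
    """PAP: gateway has the plaintext, so an LDAP bind settles it."""
    return ldap_bind(username, password)


def gateway_mschapv2(username: str, challenge: bytes, response: bytes) -> bool:
    """MS-CHAPv2: gateway needs the stored hash to recompute the response."""
    stored = LOCAL_USERS.get(username)
    if stored is None:
        # No hash available and a bind cannot validate a response: reject.
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def simulate() -> dict:
    """Runs the four cases the thread describes and returns the outcomes."""
    challenge = os.urandom(16)
    return {
        # Local user over MS-CHAPv2: hash is local, verification succeeds.
        "local_mschapv2": gateway_mschapv2(
            "vpnlocal", challenge, mschapv2_response(challenge, "Local-Pass-1")),
        # LDAP user over MS-CHAPv2: nothing to verify against, rejected.
        "ldap_mschapv2": gateway_mschapv2(
            "alice", challenge, mschapv2_response(challenge, "Correct-Horse-7")),
        # LDAP user over PAP: plaintext reaches the bind, accepted.
        "ldap_pap": gateway_pap("alice", "Correct-Horse-7"),
        # LDAP user over PAP with the wrong password: bind fails.
        "ldap_pap_wrong": gateway_pap("alice", "wrong-password"),
    }


if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case:15s} -> {'accepted' if ok else 'rejected'}")
```

Two practical consequences follow from the model. Inside L2TP/IPsec the PPP authentication exchange is carried within the IPsec tunnel, so switching to PAP does not expose the password on the wire between client and firewall. The firewall does, however, now hold the plaintext password and forwards it in the LDAP bind, so that bind should run over TLS (LDAPS or StartTLS) rather than plain LDAP to the domain controller.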