Unable to successfully get L2TP and Windows client working
roberts90
in VPN Client
Hi guys,
We currently use NetExtender SSL VPN client which works for the most part, but I'd also like to have the option for L2TP with a pre-shared key.
I've followed the guides and set it up a couple of times now, but I still cannot get it to work. It gets as far as the RADIUS server granting access, but once it hands it back over to our SonicWall it seems to reject it.
The logs are saying 'User login denied - User has no privileges for login from that location' but I am really confused what location it's referring to or what settings I need to find to update.
Any help is greatly appreciated.
Answers
Hi @ROBERTS90,
Thank you for visiting SonicWall Community.
The error reported by you is thrown by the SonicWall when a user tries to log in to the firewall's GUI page.
Are you trying to log in to the firewall with an L2TP user account? If not, please explain your scenario in brief.
Please make sure you have the configuration below for L2TP present on the SonicWall as part of the configuration check.
Please let us know.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thank you for getting back to me. It actually shows that error when I attempt to VPN using the Windows client via L2TP. I'm not actually attempting to log in via the firewall's GUI page, which is why I am struggling to find the answer to my problem :)
Basically the Windows client is doing L2TP with a pre-shared key as per that second guide you've shown. However, instead of using the Trusted Users group (which works well for local users) I am using an LDAP group that we also use for SSL VPN (which works well).
So I can see in the logs of the firewall my attempt to log in via the LDAP user; it gets passed over to the RADIUS server, which I can see in the logs grants the user access, but after that the SonicWall comes up with an error saying login from location not allowed.
Edit: The Windows client says that the username or password may be incorrect, which is why it cannot connect. That's why I am looking at the logs on the SonicWall to try and diagnose what's happening.
Sorry, I should add that I've done another test now and had a look at all events at that time. Previously I was just searching the logs on my username.
I can see at the time of the event the following was also logged:
PPP: MS-CHAP authentication failed - check username / password
L2TP Server: RADIUS/LDAP reports Authentication Failure
This is a bit more informative. However, the RADIUS server is still saying 'Network Policy Server granted access to a user.', but this is for MS-CHAPv2.
When doing the RADIUS checks on the SonicWall, it works successfully except for just 'CHAP', which is fine as this isn't one that I want to use. I'm a bit confused, but I think I can do a bit more research with the newfound information.
Hi @roberts90,
Thanks for the detailed and additional info.
I would suggest you ensure MSCHAPv2 is listed at the top of the preferred order for L2TP VPN.
What happens when you test the L2TP VPN using a local user account created on the SonicWall? Could you please try this scenario and let me know? Also, how are you using the AD user groups authentication for SSLVPN on the SonicWall? Have you imported the user(s) or user groups on the SonicWall from AD and are then using them for SSLVPN authentication?
With answers to these, I can help you better. 🙂
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks for getting back to me. I can confirm that MSCHAPv2 is at the top. I have ordered it as 1. MSCHAPv2, 2. MSCHAP, 3. CHAP, 4. PAP.
Local users connect perfectly fine, so I know the L2TP server itself is working fine; it just appears to be authentication to LDAP/RADIUS of some sort.
Users are not imported into the SonicWall, however some groups are. The 'SSLVPN Services' user group then has a few members as LDAP groups. One of the LDAP groups, 'vpnusers', is our main one, which I am using for the L2TP authentication as well. I have attempted just using the 'SSLVPN Services' group for L2TP authentication, but I run into the same issue.
I'm very confused at how I can further troubleshoot this as I sadly keep going in circles.
Ok, I've finally actually figured out what part of this process is broken, after spending hours sadly.
The setting was under RADIUS configuration - RADIUS users - 'Mechanism for looking up user group membership for RADIUS users:'.
This was set to 'Use RADIUS Filter-Id attribute on RADIUS server', which was in another guide I used previously. I changed this to 'Use LDAP to retrieve user group information' and it then lets me connect.
Very frustrating, as the logs didn't indicate that the user didn't have permission other than that the location was not allowed.
I'm not entirely sure why the RADIUS Filter-Id doesn't work, but LDAP is still perfectly fine for us so I shall leave this as is.
Hopefully this thread might be able to help others that might be struggling :)
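To illustrate what the 'Use RADIUS Filter-Id attribute' lookup mode depends on, here is an added example that is not part of the thread and not SonicWall code: a small RFC 2865 parser that pulls the Filter-Id attribute (type 11) out of a constructed Access-Accept and models a firewall that only learns group membership from that attribute. The assumption it makes (an assumption, not something the thread confirms) is that an Access-Accept with no Filter-Id leaves the user with no groups, and therefore no privileges, even though the RADIUS server granted access; the user name 'alice' is made up, 'vpnusers' is the group from the thread.

```python
import struct

CODE_ACCESS_ACCEPT = 2  # RFC 2865 packet code
ATTR_USER_NAME = 1      # RFC 2865 attribute 1
ATTR_FILTER_ID = 11     # RFC 2865 attribute 11: Filter-Id (text)

def build_access_accept(attrs, ident=1):
    """Constructed Access-Accept from (type, bytes) pairs; authenticator zeroed."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body)) + b"\x00" * 16 + body

def parse_attributes(packet):
    """Yield (type, value) pairs, validating each length field before trusting it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!BBH", packet[:4])[2]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def filter_id_groups(packet):
    """Group names the RADIUS server asserted via Filter-Id (may be empty)."""
    return [v.decode("utf-8", "replace") for t, v in parse_attributes(packet) if t == ATTR_FILTER_ID]

def authorize_via_filter_id(packet, allowed_groups):
    """Model (assumption) of the Filter-Id lookup mode: the Access-Accept proves the
    credentials, but group membership must also arrive in the reply."""
    if packet[0] != CODE_ACCESS_ACCEPT:
        return False, "RADIUS did not grant access"
    groups = filter_id_groups(packet)
    if not groups:
        return False, "Access-Accept carried no Filter-Id, so no group membership was learned"
    matched = sorted(set(groups) & set(allowed_groups))
    if matched:
        return True, "authorized via group(s): " + ", ".join(matched)
    return False, "Filter-Id groups %s are not permitted for this service" % groups

# Constructed samples: the RADIUS server grants access without, then with, Filter-Id.
ACCEPT_NO_FILTER_ID = build_access_accept([(ATTR_USER_NAME, b"alice")])
ACCEPT_WITH_FILTER_ID = build_access_accept([(ATTR_USER_NAME, b"alice"),
                                             (ATTR_FILTER_ID, b"vpnusers")])
```

The first sample is accepted by RADIUS yet denied by the model, which is the combination of 'granted access' on the NPS side and 'no privileges' on the firewall side that the thread describes; switching the lookup to LDAP, as the poster did, removes the dependency on the attribute entirely.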
Hi @ROBERTS90,
Thanks for sharing the fix. We really appreciate your efforts in looking into this and sharing the experience with us. Hope you are all set and can feel relaxed now.
Thank you again and have a good one 🙂
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services