Active Directory authenticated VPN

Alan DeKok aland at deployingradius.com
Tue May 11 14:15:35 CEST 2021


On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta at gmail.com> wrote:
> 
> Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS
> authentication. It works strangely. I can connect from Windows10 with the
> built-in client... *once*, and when I disconnect and try to connect again,
> I get "The PPP link control protocol was terminated" error. The recommended
> solution didn't work:
> https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-establish-dial-up-connection

  If only there was some kind of debug output you could look at, to see what the server is doing.

> Ok, I then tried the SoftEther client. It works if I write
> DEFAULT         Auth-Type := LDAP

  Which forces ALL requests to use LDAP.  This isn't what you want.

> in the users file. But when I try to connect with the built-in Windows
> client with this setting, on the server side I see a big warning:
> ldap: WARNING: You have set "Auth-Type := LDAP" somewhere
> (0) ldap: WARNING: *********************************************
> (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG.  DELETE IT.
> (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING
> (0) ldap: WARNING: *********************************************
> (0) ldap: ERROR: Attribute "User-Password" is required for authentication

  See?  It doesn't work.

> Ok, I force the ldap auth, but without it, the authentication doesn't work.

  The WHAT authentication doesn't work?

  VPN authentication?

  The solution to that is simple.  Write a policy rule which detects VPN access, and then sets "Auth-Type := LDAP" for that.

  What is that policy supposed to be?  We don't know.  We don't have access to your VPN server, and you're not posting the debug output.

  You could also try reading sites-available/README.  That explains how virtual servers work, in connection with clients.  So you could set up one virtual server for VPN, and another virtual server for other clients.

> As I understand, Freeradius goes through on all methods until it finds one
> working.

  No.

> But without the mentioned default setting, it doesn't work. How
> can I use the SoftEther client without it? I can connect with it at least.
> According to the SoftEther documentation (
> https://www.softether.org/4-docs/1-manual/2._SoftEther_VPN_Essential_Architecture/2.2_User_Authentication)
> it uses PAP authentication, but I can establish the VPN only with forced
> LDAP authentication. Why?

  I have no idea.  You're not posting the debug output, so we can't tell what's going on.

  If you're going to configure a complex system such as RADIUS, you'll need to understand it.  It's not just "follow some docs and make random changes to the config".  You have to understand the difference between PAP and MS-CHAP, along with a host of other issues.

  Alan DeKok.
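As an added illustration of the policy rule Alan describes (sending only VPN requests to LDAP, and only when the request actually carries a User-Password, i.e. PAP), here is an unlang fragment for the authorize section of sites-available/default. It is not from the thread or from the FreeRADIUS distribution; the client shortname "softether-vpn" (assumed to be defined in clients.conf) is an assumption, and running `radiusd -X` shows which branch each request takes.

```unlang
# Added example, not from the mailing-list thread or the FreeRADIUS defaults.
# Goes in the authorize section of sites-available/default (or a VPN-only
# virtual server, as sites-available/README describes).
authorize {
    # ... existing modules (filter_username, preprocess, suffix, ...) ...

    # Let mschap recognise MS-CHAP requests (built-in Windows client).
    # It sets Auth-Type := MS-CHAP itself; nothing is forced here.
    mschap

    # Look the user up in the directory; "-ldap" means a missing module
    # is not fatal.
    -ldap

    # Force LDAP authentication ONLY for requests that
    #   1. come from the SoftEther NAS (client shortname is an assumption), and
    #   2. carry a clear-text password, i.e. PAP.
    # An MS-CHAP request has no User-Password, so it never enters this
    # branch and the "User-Password is required" error above cannot occur.
    if (&Client-Shortname == "softether-vpn" && &User-Password) {
        update control {
            &Auth-Type := LDAP
        }
    }

    # Everything else keeps the normal flow; pap only sets Auth-Type := PAP
    # when a known-good password (e.g. from the users file) is present.
    pap
}
```

The quoted `DEFAULT Auth-Type := LDAP` line in the users file should be removed when this rule is in place, otherwise it still forces LDAP for every request.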
