On May 11, 2021, at 8:05 AM, Pisch Tamás <pischta@gmail.com> wrote:
Sorry, it's me again. As I mentioned, I set up SoftEther with RADIUS authentication. It works strangely. I can connect from Windows10 with the built-in client... *once*, and when I disconnect and try to connect again, I get "The PPP link control protocol was terminated" error. the recommended solution didn't work: https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cann...
If only there was some kind of debug output you could look at, to see what the server is doing.
Ok, I then tried the SoftEther client. It works if I write DEFAULT Auth-Type := LDAP
Which forces ALL requests to use LDAP. This isn't what you want.
in the users file. But when I try to connect with the built-in Windows client with this setting, on the server side I see a big warning: ldap: WARNING: You have set "Auth-Type := LDAP" somewhere (0) ldap: WARNING: ********************************************* (0) ldap: WARNING: * THAT CONFIGURATION IS WRONG. DELETE IT. (0) ldap: WARNING: * YOU ARE PREVENTING THE SERVER FROM WORKING (0) ldap: WARNING: ********************************************* (0) ldap: ERROR: Attribute "User-Password" is required for authentication
See? It doesn't work.
Ok, I force the ldap auth, but without it, the authentication doesn't work.
The WHAT authentication doesn't work? VPN authentication? The solution to that is simple. Write a policy rule which detects VPN access, and then sets "Auth-Type := LDAP" for that. What is that policy supposed to be? We don't know. We don't have access to your VPN server, and you're not posting the debug output. You could also try reading sites-available/README. That explains how virtual servers work, in connection with clients. So you could set up one virtual server for VPN, and another virtual server for other clients.
As I understand, Freeradius goes through on all methods until it finds one working.
No.
But without the mentioned default setting, it doesn't work. How can I use the SoftEther client without it? I can connect with it at least. According to the SoftEther documentation ( https://www.softether.org/4-docs/1-manual/2._SoftEther_VPN_Essential_Archite...) it uses PAP authentication, but I can establish the vpn only with forced LDAP authentication. Why?
I have no idea. You're not posting the debug output, so we can't tell what's going on. If you're going to configure a complex system such as RADIUS, you'll need to understand it. It's not just "follow some docs and make random changes to the config". You have to understand the difference between PAP and MS-CHAP, along with a host of other issues. Alan DeKok.