RESET Forums (homeservershow.com)

VPN user can't login after having tested EAP-mschap v2


nisse99

First of all hi! New user here! Can't say that I'm any good with IT but I get around the basics...

Anyways I have Win 12 Essentials and have had it up and running for quite a while with a workgroup setup for a laptop and desktop computer. It's been working great with home network, remote desktop and VPN. I have two users I primarily use, administrator and a standard user account.

The last couple of days I've been setting up an SSTP client on my Raspberry Pi running Debian (yeah, that was scary as I've been a strict Windows user all my life). I got it to work but as I was experimenting with the VPN I read that I should use EAP-MSCHAP v2 instead of just regular MS-CHAP v2. So I installed the NPS and edited the network policy to use EAP-MSCHAP v2. I tried logging on from my laptop through VPN with the standard user and it worked! However I wasn't able to set up the SSTP client for Linux with the EAP. Therefore I went back to regular MS-CHAP v2 as I really need the VPN service on the Raspberry Pi (this runs a Kodi media center that I want to connect remotely to my server).

This is where the problem began. After reverting back I couldn't log into the VPN on either my Windows 7 laptop or the Raspberry Pi. I have tried everything within NPS and googled like crazy. After extensive troubleshooting I realized that this only applies to the standard user. If I use the administrator credentials it works. Next I tried to create a new user (standard) for VPN access within the dashboard and VPN works for this user as well.

They have the exact same permissions in AD users and group membership that is used with the network policy. I tried changing the password for my standard user, I tried removing it and adding it again, but the problem still remains. I can't understand why my user seems locked out. Note it's just VPN affected. Remote desktop and network folders are available for that user. Did the EAP login somehow lock that user out from VPN without it? Note enabling EAP again doesn't work either for the user.

The error code is given below. The same error code is given regardless of whether I enter the wrong password, try to connect while the user was removed, or when all settings are correct.


Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Would appreciate any suggestions! It's not the biggest of problems as I can just set a new user only to have VPN access but I still want to solve this...

Try removing and re-creating the VPN connection on Windows 7. I know the issue you are talking about, and it can be corrected with a connection method change on the client, but I will have to see if I can find my reference information for fixing it, as I may have removed it as I have no Win7 clients anymore.

I wish that this was the solution but I have a hard time seeing it, since trying to connect from the Raspberry Pi sstp-client also fails, giving a dial-in error in the log. So it seems to be a server-side problem?! Or does the Windows 7 machine somehow still have a connection that locks the server so it does not apply the policy in some way, which then also affects the Raspberry Pi?

The theory here is let's start with what has been a basic issue in the past for me, and utilise that to troubleshoot the rest of the problems.

Thinking about it quickly, check your NPS rules: are they allowing authentication, and if they do allow the authentication, are they allowing the CHAP-only method or do they require EAP?


NPS:

Policy enabled

Grant access if connection matches this policy

(ignore user account dial-in properties is unchecked)

type: remote access server (vpn-dialup)

conditions: usergroups ra_allowvpnaccess (which admin and standard user are both part of)

constraints: none is selected in the EAP box, under less secure auth methods MS-CHAP v2 is the only one enabled

What I find strange is that the policy applies to the whole group and not separate users... and they are all part of the group, yet it works for the admin and if I create a new user, but not for the standard user....

Fixed by simply disabling and re-enabling the VPN in the dashboard users. I don't really understand how this worked, as I had removed the user from the VPN access group in AD and re-added it before, and deleted the whole user and re-added it before, to no success. Seems to have been some lock-in situation that was fixed by probably the easiest solution of them all! Anyway thank you!

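The policy settings posted in the thread leave "ignore user account dial-in properties" unchecked, so NPS evaluates each account's own dial-in permission in addition to membership of `ra_allowvpnaccess`. The following is an added diagnostic example, not part of the original posts: it compares that per-user setting across the group and pulls the reason lines from recent NPS denial events. It assumes the ActiveDirectory PowerShell module is available on the server, that NPS auditing is writing event 6273 to the Security log, and that event text is in English.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the server.
Import-Module ActiveDirectory

$group = 'ra_allowvpnaccess'   # group named in the policy conditions posted in the thread

# 1. Per-user dial-in permission for every user in the VPN group.
#    msNPAllowDialin: True = Allow access, False = Deny access,
#    not set = Control access through NPS Network Policy.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties msNPAllowDialin, LockedOut |
    Select-Object SamAccountName, Enabled, LockedOut,
        @{ Name = 'DialIn'; Expression = {
            $v = $_.msNPAllowDialin
            if ($null -eq $v) { 'Controlled by NPS policy' }
            elseif ($v)       { 'Allow' }
            else              { 'Deny' }
        } } |
    Format-Table -AutoSize

# 2. Recent "NPS denied access to a user" events (ID 6273).
#    Keep only the lines that say who was denied, which policy matched,
#    which authentication type was attempted, and the reason.
$wanted = 'Account Name|Network Policy Name|Authentication Type|EAP Type|Reason'

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        '--- {0:u}' -f $_.TimeCreated
        ($_.Message -split "`r?`n") |
            Where-Object { $_ -match $wanted } |
            ForEach-Object { $_.Trim() }
    }
```

An account showing `Deny` in the first table is refused before the group condition matters, and the reason lines in the second part show whether a denial came from the dial-in property or from an authentication-method mismatch.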
