Solved

PPTP VPN Radius Watchguard

Posted on 2009-03-30
Last Modified: 2013-11-16
Replaced my 700x using WSG 7.3 with a 750e WSG 10.2 and Fireware. (Not a job for the faint of heart). Rebuilt and working Branch Office Tunnels and other Policies except PPTP VPN.

Need to get a few users connecting with PPTP access to our network. This was working on old unit.

Issue: you can connect but most times it takes 10-20 tries.

Nothing special, RADIUS (IAS) very default (even built a new IAS with same results). I spent 10 hrs reading and trying everything on this site and others.

IAS does not fail to authenticate, just nothing, then after a bunch of tries it works:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

User xxxxx was granted access.
 Fully-Qualified-User-Name = xxxx.com/User Groups/xxxxxx/xxxxx, Michael
 NAS-IP-Address = 127.0.0.1
 NAS-Identifier = <not present>
 Client-Friendly-Name = Watchguard
 Client-IP-Address = 192.168.128.254
 Calling-Station-Identifier = <not present>
 NAS-Port-Type = <not present>
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = WatchGuard
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>


Have tried to connect locally on port 4100 but get an XML page error (did work one time):

Invalid at the top level of the document. Error processing resource 'https://192.168.128.254:4100/?action=fw_logon&style=fw...

connect() err


GOOD and FAILED logs attached.

Very confused as to why it works sometimes.


PPTP-LOG.txt
Question by:uscost
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 2000 total points
ID: 24025596
If you use PPTP without RADIUS [FB authentication] does this work?

Are you running RADIUS on a win2000 server? In one of the posts it was found that RADIUS on win2000 had compatibility problems. User used 2003 in that case.

Internal authentication on port 4100 should work; we use it extensively to find if there is problem with authentication server communication with firewall.

Finally, are the logs for the same user?

I see you have specified:
FILTER-ID set to PPTP-Users
AD group = XXXX\pptp users

This should not make any difference as you are able to authenticate; but can you also make AD group as PPTP-Users to make sure if that is not the issue.
Also, on WG you have added group as PPTP-Users.

Thank you.
 
LVL 1

Author Comment

by:uscost
ID: 24027468
Windows 2003.

Logs look the same for various users.

I am confused about the XML error when trying port 4100 internal. As I want to use that for testing between WG and Radius, any clues why that error pops up?


I have a ticket opened with WatchGuard on this (will give them a shot before I start trying other things) and will update.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24031631
Not sure; it can be a browser issue; please ensure you have Java enabled and try different browsers just to eliminate browser specific issue.

Please update at your convenience.

Thank you.
 
LVL 1

Author Comment

by:uscost
ID: 24032610
Tried 3 different PCs: IE6, IE7 and Firefox. The connection did work 1 time (I got the Watchguard Red login screen). Not sure what or why this is pulling an error.

Still waiting on WatchGuard.

BTW, dpk wal, issue I had with the old unit (would not show parts of some Web Pages) fixed with new Firewall.

Will continue to update on my issues, if anyone has a thought about the :4100 issue please post.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24032667
I think with the newer code of proxy, you might see the improvements. If you notice on 10.x version you get far better control of proxy than in earlier version.

Just to verify you do have Watchguard-Authentication policy in policy manager.

Thank you.
 
LVL 1

Accepted Solution

by:
uscost earned 0 total points
ID: 24108396
Issues resolved.

1. Reload of Firewall (back to factory) and reload configuration fixed port 4100 issue. (Watchguard support was helpful)

2. PPTP VPN issue fixed by power-cycling routers at the clients' sites. 6 clients had issue (4 XP, 2 Vista), 4 clients had no issue. Routers power-cycled were Linksys or Dlink DSL/Cable routers. 5 clients were fixed with the power-cycle and 1 Vista client had to redo his VPN client.

Most of the users were connecting (without problems) to other VPN sites while the issue was going on with the Watchguard.

Watchguard Support was almost useless and they failed to read post, logs etc and it seems that I had to repeat myself over and over.

90% of any useful information was acquired by reading posts by dpk Wal on Experts Exchange so he deserves the pts.

Still clueless on why this issue happened but it is fixed so on to QOS.