Carol Chisholm

asked on

Windows 2008 R2 SP1 Sonicwall VPN RADIUS

Trying to get a TZ210 enhanced to authenticate global VPN clients against a Windows 2008 R2 SP1 NPS server.
I have tried all these:
https://www.experts-exchange.com/questions/26198704/Sonicwall-VPN-with-SBS-2008-Radius.html
http://www.navelfluff.org/2010/02/11/sonicwall-vpn-with-radius-authentication/
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6591

I have tried turning off the Windows firewall, still get "server timeout" on the Sonicwall RADIUS test.

If I have the Windows firewall on, despite having opened ALL ports and ALL protocols between the two IP addresses both inbound and outbound, I get packets dropped by the filtering platform:
The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            10.141.1.251 (Sonicwall)
      Source Port:            4015
      Destination Address:      10.141.1.128 (NPS server)
      Destination Port:            1812
      Protocol:            17

Filter Information:
      Filter Run-Time ID:      89027
      Layer Name:            Transport
      Layer Run-Time ID:      13

The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Outbound
      Source Address:            10.141.1.128 (NPS server)
      Source Port:            0
      Destination Address:      10.141.1.251 (Sonicwall)
      Destination Port:            0
      Protocol:            1

Filter Information:
      Filter Run-Time ID:      89029
      Layer Name:            ICMP Error
      Layer Run-Time ID:      32
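
A triage sketch for the two blocked-packet events quoted above, added here as an example and not part of the original thread: it parses the event text and pairs a dropped inbound RADIUS datagram with a dropped outbound ICMP error to the same client. The function names, the trimmed sample and the pairing heuristic are assumptions of this example; the heuristic reflects the common case where Process ID 0 plus a blocked ICMP error reply means nothing is bound to the port, so the listener is worth checking before adding firewall rules.

```python
import re

HEADER = "The Windows Filtering Platform has blocked a packet."
RADIUS_PORTS = {1812, 1813, 1645, 1646}  # standard and legacy RADIUS UDP ports

# Constructed sample: the two events from the post, one per block, trimmed.
SAMPLE = """\
The Windows Filtering Platform has blocked a packet.
      Process ID:            0
      Direction:            Inbound
      Source Address:            10.141.1.251 (Sonicwall)
      Destination Address:      10.141.1.128 (NPS server)
      Destination Port:            1812
      Protocol:            17
      Layer Name:            Transport
The Windows Filtering Platform has blocked a packet.
      Process ID:            0
      Direction:            Outbound
      Source Address:            10.141.1.128 (NPS server)
      Destination Address:      10.141.1.251 (Sonicwall)
      Destination Port:            0
      Protocol:            1
      Layer Name:            ICMP Error
"""

def parse_events(text):
    """Split on the event header and collect 'Key: value' lines per event."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        pairs = re.findall(r"^[ \t]*([A-Za-z][A-Za-z\- ]*):[ \t]+(.*\S)", chunk, re.M)
        events.append({k.strip(): v for k, v in pairs})
    return events

def diagnose(events):
    """Pair each dropped inbound RADIUS datagram with a dropped ICMP error reply."""
    findings = []
    for ev in events:
        if (ev["Direction"], ev["Protocol"]) != ("Inbound", "17") or \
                int(ev["Destination Port"]) not in RADIUS_PORTS:
            continue
        client = ev["Source Address"].split()[0]  # drop "(Sonicwall)" style notes
        icmp = any(e["Direction"] == "Outbound" and e["Protocol"] == "1"
                   and e["Layer Name"] == "ICMP Error"
                   and e["Destination Address"].split()[0] == client for e in events)
        findings.append({"client": client, "port": int(ev["Destination Port"]),
                         "no_owning_process": ev["Process ID"] == "0",
                         "icmp_error_reply": icmp})
    return findings
```
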
mmorel

Hi, have you tried to enable your NPS server in Active Directory?

Open NPS service, right click NPS (local), click Enable server in Active Directory.

That solved the problem for me.
Carol Chisholm

ASKER

Ah that is very interesting, I will try it in the morning.
Yes. I'll be pleased to read your feedback. Thanks.
I don't have that option: right click on NPS (local) just gives me General and Ports.
So I guess it is already AD integrated.
However I have tried to connect from another RADIUS client and I cannot get a connection, so I guess it is the NPS.
So I have an old 2003 IAS server and a new 2008 R1 SP1 NPS server.

I have Sonicwall and a radius test client.
Both the Sonicwall and the test client can authenticate against the 2003 server.
Neither can authenticate against the 2008 R2 SP1 NPS.

I have nothing in system32\logfiles except when I restart NPS.
Any ideas?
In your Win 2008 R2, you say you see general and port tabs. That's in the properties menu option when you right click NPS (local) - Properties.
My suggestion is to right click NPS (local) - Enable server in Active Directory. Not properties.

These are the menu options I see when I right click NPS (local). (My server is not in English, so please forgive me if I mistranslate):
Import configuration
Export configuration
Start NPS service (grayed)
Stop NPS service
Enable server in Active Directory (grayed)  <--- this is the option you might try
Properties
Help

I don't have that option. I think it is already integrated in AD.
I made a new test server, and at first I had the option, but after I selected it it went away.
NPS-AD.JPG
Okay I see.
Have you tried to select all but the last two authentication methods in your security policy?
CHAP and PAP, SPAP are not selected by default.
I've corrected a bug with that too.
Yes but I don't want unencrypted authentication. Nor do I want CHAP as it is no longer secure.
I understand.
Still you may try it for debugging purposes. If it works, then you know what's going on.
ASKER CERTIFIED SOLUTION
Carol Chisholm
Great to know it works. I'll keep this solution in mind for future reference.
Thank you for the feedback!!

role was corrupted.