Solved

Watchguard PPTP VPN using Microsoft NPS as Radius with Smart Card auth

Posted on 2011-10-04
Last Modified: 2012-05-12
We have configured a Watchguard PPTP VPN solution that uses RADIUS (Windows NPS) to authenticate users.  I now want to be able to integrate smart cards into this solution using the EAP Smart Card authentication provided in NPS.  We have RAAK smart cards that use the Windows base crypto package and they are working great to allow users to log in to their computers.

However, when I try to configure NPS to use these for authentication and configure the client to use the smart card, I get "Error 628: The connection was terminated by the remote computer before it could be completed." when I try to log in.  I am prompted to insert my smart card and PIN and receive the error message shortly after the "verifying username/password" phase.  If I switch back to using username/password credentials from the same machine with the same connection, it works just fine.

Any ideas?
0
Question by:sadokun
9 Comments
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36915037
So if I understand correctly, you want to authenticate to the WG using smart cards?
I'm not sure if WG supports this.

However: during logon, can you see any denied traffic on the firewall?
Or debug logs?
0
 
LVL 3

Author Comment

by:sadokun
ID: 36915044
I'm not really authenticating to the Watchguard necessarily as the WG is forwarding authentication requests on to the RADIUS server for authentication.

I definitely am not seeing denied traffic coming from the external IP on the firewall, I wish that were the case.  I am also not seeing any security events in the logs for the RADIUS server.

Which debug logs are you referring to?  Something on the client machine like the RASMAN logs, or something RADIUS server-side?
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36915066
You can set the WG log level to debug for auth/VPN; maybe this will give you more insight.
And check this:
there's something about smart cards and VPN, but I'm on a mobile and not going to search this 10 MB PDF :)
watchguard.org/help/docs/edge/10/v101edgeuserguide.pdf
0
 
LVL 3

Author Comment

by:sadokun
ID: 36915087
I'm trying to figure out how to turn on that debug level on the WG.  I turned on the allowed packet logging for PPTP connections and now I can see that it is passing the packets through, but I'm still not seeing any WG PPTP auth messages.

I saw that PDF earlier and it doesn't really say anything other than press next through the windows vpn client smart card screen unfortunately.
0
 
LVL 14

Accepted Solution

by:
setasoujiro earned 2000 total points
ID: 36915096
OK, I'm sorry then for the PDF :)
The logging:

In System Manager go to Setup --> Logging --> Diagnostic Log Level --> VPN --> Debug,
and do the same for all other services you want to see logs for, then save.
0
 
LVL 3

Author Comment

by:sadokun
ID: 36915108
Excellent, thank you for that!  I'm looking through the log now and am seeing some potential issues, and it looks like I may need to call Watchguard.  Looks like it is trying to force usage of Chap-V2 instead of the EAP it is receiving.  My best guess at this point is that it's forwarding the EAP packets like a CHAP request and RADIUS is none-too-happy about it.
0
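An added example, not part of the thread and not WatchGuard or Microsoft code: one way to test the guess in the comment above is to take the UDP payload of an Access-Request captured between the WatchGuard and NPS and list which authentication attributes it actually carries. Smart card (EAP) logons need EAP-Message attributes forwarded; a Microsoft MS-CHAP2-Response attribute instead means MS-CHAPv2 was negotiated on the PPTP side. The function names and the two sample packets are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2865/2869; Microsoft vendor types from RFC 2548.
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MS_VENDOR_ID, MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE = 311, 1, 25

def attributes(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def auth_methods(packet: bytes) -> set:
    """Name the authentication methods carried by an Access-Request (code 1)."""
    if packet[:1] != b"\x01":
        raise ValueError("not an Access-Request")
    plain = {EAP_MESSAGE: "EAP", CHAP_PASSWORD: "CHAP", USER_PASSWORD: "PAP"}
    ms = {MS_CHAP_RESPONSE: "MS-CHAP", MS_CHAP2_RESPONSE: "MS-CHAPv2"}
    found = set()
    for atype, value in attributes(packet):
        if atype in plain:
            found.add(plain[atype])
        elif atype == VENDOR_SPECIFIC and len(value) >= 5:
            vendor, vtype = struct.unpack("!IB", value[:5])  # first sub-attribute only
            if vendor == MS_VENDOR_ID and vtype in ms:
                found.add(ms[vtype])
    return found

# Constructed sample packets (zeroed authenticator and responses), not captures.
def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _vsa(vtype, v): return _attr(26, struct.pack("!IBB", MS_VENDOR_ID, vtype, len(v) + 2) + v)
def _request(*attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

USER = _attr(1, b"alice")
SAMPLE_MSCHAPV2 = _request(USER, _vsa(11, bytes(16)), _vsa(25, bytes(50)))
SAMPLE_EAP = _request(USER, _attr(79, b"\x02\x01\x00\x0a\x01alice"), _attr(80, bytes(16)))
```

If the request seen for a smart card logon attempt reports `MS-CHAPv2` rather than `EAP`, the mismatch is on the VPN endpoint, not in the NPS network policy.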
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36915124
To be honest I never used the SC solution, icw Watchguard that is.

So I think I can't be of more help now, but just raise a call with WG; they are fast to respond normally.
0
 
LVL 3

Author Closing Comment

by:sadokun
ID: 36915126
Thank you very much for pointing me in the right direction :)
0
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36915132
No problem, hope you get it solved :)
0


Question has a verified solution.
