sadokun

asked on
Watchguard PPTP VPN using Microsoft NPS as Radius with Smart Card auth

We have configured a Watchguard PPTP vpn solution that uses RADIUS (Windows NPS) to authenticate users.  I now want to be able to integrate smart cards into this solution using the EAP Smart Card authentication provided in NPS.  We have RAAK smart cards that use the windows base crypto package and they are working great to allow users to login to their computers.

However, when I try to configure NPS to use these for authentication and configure the client to use the smart card, I get "Error 628: The connection was terminated by the remote computer before it could be completed." when I try to login.  I am prompted to insert my smart card and pin and receive the error message shortly after the "verifying username/password" phase.  If I switch back to using username/password credentials from the same machine with the same connection, it works just fine.

Any ideas?
setasoujiro

So if I understand correctly you want to authenticate to the WG using smartcards?
I'm not sure if WG supports this.

However: during logon, can you see any denied traffic on the firewall?
or debug logs?
sadokun

ASKER

I'm not really authenticating to the Watchguard necessarily as the WG is forwarding authentication requests on to the RADIUS server for authentication.

I definitely am not seeing denied traffic coming from the external IP on the firewall, I wish that were the case.  I am also not seeing any security events in the logs for the RADIUS server.

Which debug logs are you referring to?  Something on the client machine like the RASMAN logs, or something RADIUS server-side?
you can set the WG log level to debug for auth./VPN, maybe this will give you more insight.
and check this;
there's something about smartcard and vpn, but I'm on a mobile and not going to search this 10mb PDF :)
watchguard.org/help/docs/edge/10/v101edgeuserguide.pdf
sadokun

ASKER

I'm trying to figure out how to turn on that debug level on the WG.  I turned on the allowed packet logging for PPTP connections and now I can see that it is passing the packets through, but I'm still not seeing any WG PPTP auth messages.

I saw that PDF earlier and it doesn't really say anything other than press next through the windows vpn client smart card screen unfortunately.
ASKER CERTIFIED SOLUTION
setasoujiro

sadokun

ASKER

Excellent, thank you for that!  I'm looking through the log now and am seeing some potential issues, and it looks like I may need to call Watchguard.  Looks like it is trying to force usage of Chap-V2 instead of the EAP it is receiving.  My best guess at this point is that it's forwarding the EAP packets like a chap request and RADIUS is none-too-happy about it.
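As an added example that is not part of this thread: a small RADIUS Access-Request parser, written here with constructed sample packets (not captures from the Watchguard or NPS), that reports whether a request carries EAP-Message attributes or Microsoft MS-CHAP2-Response vendor attributes. Run over a capture taken between the firewall and the NPS server, it distinguishes a NAS that passes EAP through (what smart-card/EAP-TLS needs) from one that has already done an MS-CHAPv2 exchange itself, which is the situation the log reading above suggests.

```python
import struct

# RADIUS attribute numbers (RFC 2865/2869) and the Microsoft VSAs (RFC 2548)
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 1, 2, 26, 79
MS_VENDOR_ID, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 311, 11, 25

def parse_attributes(packet: bytes):
    """Yield (type, vendor_type, value) for each attribute; Microsoft VSAs are unpacked."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20  # skip Code, Identifier, Length and the 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            yield atype, None, value
            continue
        vpos = 4
        while vpos + 2 <= len(value):  # one VSA may carry several vendor attributes
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad VSA length")
            yield atype, vtype, value[vpos + 2:vpos + vlen]
            vpos += vlen

def auth_method(packet: bytes) -> str:
    """Report how the NAS presented the user's credentials to the RADIUS server."""
    attrs = list(parse_attributes(packet))
    if any(t == EAP_MESSAGE for t, _, _ in attrs):
        return "EAP"          # EAP passthrough: NPS can run EAP-TLS / smart card
    if any(v == MS_CHAP2_RESPONSE for t, v, _ in attrs if t == VENDOR_SPECIFIC):
        return "MS-CHAPv2"    # NAS did the challenge itself; no EAP reaches NPS
    return "unknown"

# Helpers to build constructed Access-Request packets (authenticator left zeroed)
def build_request(attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
def ms_vsa(vtype: int, value: bytes) -> bytes:
    return struct.pack("!IBB", MS_VENDOR_ID, vtype, len(value) + 2) + value

# Constructed samples: an EAP-Identity response forwarded intact vs. an MS-CHAPv2 exchange
EAP_REQUEST = build_request([(USER_NAME, b"alice"), (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")])
CHAP_REQUEST = build_request([(USER_NAME, b"alice"),
                              (VENDOR_SPECIFIC, ms_vsa(MS_CHAP_CHALLENGE, bytes(16))),
                              (VENDOR_SPECIFIC, ms_vsa(MS_CHAP2_RESPONSE, bytes(50)))])
```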
To be honest I never used the SC solution, icw Watchguard that is.

So I think I can't be of more help now, but just raise a call with WG they are fast to respond normally.
sadokun

ASKER

Thank you very much for pointing me in the right direction :)
No problem, hope you get it solved :)