sadokun
asked on
Watchguard PPTP VPN using Microsoft NPS as Radius with Smart Card auth
We have configured a Watchguard PPTP vpn solution that uses RADIUS (Windows NPS) to authenticate users. I now want to be able to integrate smart cards into this solution using the EAP Smart Card authentication provided in NPS. We have RAAK smart cards that use the windows base crypto package and they are working great to allow users to login to their computers.
However, when I try to configure NPS to use these for authentication and configure the client to use the smart card, I get "Error 628: The connection was terminated by the remote computer before it could be completed." when I try to login. I am prompted to insert my smart card and pin and receive the error message shortly after the "verifying username/password" phase. If I switch back to using username/password credentials from the same machine with the same connection, it works just fine.
Any ideas?
ASKER
I'm not really authenticating to the Watchguard necessarily as the WG is forwarding authentication requests on to the RADIUS server for authentication.
I definitely am not seeing denied traffic coming from the external IP on the firewall, I wish that were the case. I am also not seeing any security events in the logs for the RADIUS server.
Which debug logs are you referring to? Something on the client machine like the RASMAN logs, or something RADIUS server-side?
You can set the WG log level to debug for auth./VPN, maybe this will give you more insight.
And check this:
There's something about smart card and VPN, but I'm on a mobile and not going to search this 10 MB PDF :)
watchguard.org/help/docs/edge/10/v101edgeuserguide.pdf
ASKER
I'm trying to figure out how to turn on that debug level on the WG. I turned on the allowed packet logging for PPTP connections and now I can see that it is passing the packets through, but I'm still not seeing any WG PPTP auth messages.
I saw that PDF earlier and it doesn't really say anything other than press next through the windows vpn client smart card screen unfortunately.
ASKER CERTIFIED SOLUTION
ASKER
Excellent, thank you for that! I'm looking through the log now and am seeing some potential issues, and it looks like I may need to call Watchguard. Looks like it is trying to force usage of Chap-V2 instead of the EAP it is receiving. My best guess at this point is that it's forwarding the EAP packets like a CHAP request and RADIUS is none-too-happy about it.
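One way to confirm what the firewall actually hands to NPS, as an added example that is not from this thread: a small Python classifier over the attributes of a RADIUS Access-Request captured on the NPS side (attribute codes from RFC 2865, RFC 2869 and RFC 2548; the packets built here are constructed test data, not real captures). A smart-card (EAP-TLS) logon must arrive as EAP-Message attributes; an MS-CHAP2-Response vendor attribute instead means the NAS has downgraded to MS-CHAPv2.

```python
import struct
# RADIUS attribute codes (RFC 2865/2869) and Microsoft VSA sub-types (RFC 2548)
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 2, 3, 26
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
MICROSOFT_VENDOR_ID, MS_CHAP2_RESPONSE = 311, 25

def parse_attributes(packet):
    """Yield (type, value) pairs; the RADIUS header is 20 bytes."""
    length = struct.unpack("!BBH", packet[:4])[2]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def ms_subtypes(value):
    """Sub-attribute types inside a Microsoft Vendor-Specific AVP (empty for other vendors)."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != MICROSOFT_VENDOR_ID:
        return set()
    subs, pos = set(), 4
    while pos + 2 <= len(value) and value[pos + 1] >= 2:
        subs.add(value[pos])
        pos += value[pos + 1]
    return subs

def classify_auth_method(packet):
    """Name the credential type the NAS placed in an Access-Request."""
    types, subs = set(), set()
    for atype, value in parse_attributes(packet):
        types.add(atype)
        if atype == VENDOR_SPECIFIC:
            subs |= ms_subtypes(value)
    if EAP_MESSAGE in types:  # RFC 3579: EAP-Message must be accompanied by Message-Authenticator
        return "EAP" if MESSAGE_AUTHENTICATOR in types else "EAP-without-Message-Authenticator"
    if MS_CHAP2_RESPONSE in subs:
        return "MS-CHAPv2"
    return "CHAP" if CHAP_PASSWORD in types else "PAP" if USER_PASSWORD in types else "unknown"

def build_access_request(attrs):
    """Constructed test packet: code 1, id 0, zeroed authenticator (not a real NAS capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

def ms_vsa(subtype, data):
    """Value of a Microsoft Vendor-Specific attribute carrying one sub-attribute."""
    return struct.pack("!I", MICROSOFT_VENDOR_ID) + bytes([subtype, len(data) + 2]) + data
```

A request that carries EAP-Message without Message-Authenticator is silently discarded by a conforming server, which matches seeing no security events at all on the RADIUS side.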
To be honest I never used the SC solution, icw Watchguard that is.
So I think I can't be of more help now, but just raise a call with WG; they are fast to respond normally.
ASKER
Thank you very much for pointing me in the right direction :)
No problem, hope you get it solved :)
I'm not sure if WG supports this.
However: during logon, can you see any denied traffic on the firewall?
Or debug logs?