Watchguard PPTP VPN using Microsoft NPS as Radius with Smart Card auth

We have configured a Watchguard PPTP vpn solution that uses RADIUS (Windows NPS) to authenticate users.  I now want to be able to integrate smart cards into this solution using the EAP Smart Card authentication provided in NPS.  We have RAAK smart cards that use the windows base crypto package and they are working great to allow users to login to their computers.

However, when I try to configure NPS to use these for authentication and configure the client to use the smart card, I get "Error 628: The connection was terminated by the remote computer before it could be completed." when I try to login.  I am prompted to insert my smart card and pin and receive the error message shortly after the "verifying username/password" phase.  If I switch back to using username/password credentials from the same machine with the same connection, it works just fine.

Any ideas?
sadokun asked:

setasoujiro commented:
So if I understand correctly you want to authenticate to the WG using smartcards?
I'm not sure if WG supports this.

However: during logon, can you see any denied traffic on the firewall?
Or debug logs?
sadokun (Author) commented:
I'm not really authenticating to the Watchguard necessarily as the WG is forwarding authentication requests on to the RADIUS server for authentication.

I definitely am not seeing denied traffic coming from the external IP on the firewall, I wish that were the case.  I am also not seeing any security events in the logs for the RADIUS server.

Which debug logs are you referring to?  Something on the client machine like the RASMAN logs, or something RADIUS server-side?
setasoujiro commented:
You can set the WG log level to debug for auth./VPN, maybe this will give you more insight.
And check this:
there's something about smartcard and VPN, but I'm on a mobile and not going to search this 10MB PDF :)
watchguard.org/help/docs/edge/10/v101edgeuserguide.pdf

sadokun (Author) commented:
I'm trying to figure out how to turn on that debug level on the WG.  I turned on the allowed packet logging for PPTP connections and now I can see that it is passing the packets through, but I'm still not seeing any WG PPTP auth messages.

I saw that PDF earlier and it doesn't really say anything other than press next through the windows vpn client smart card screen unfortunately.
setasoujiro commented:
OK, I'm sorry then for the PDF :)
The logging:

In System Manager go to Setup --> Logging --> Diagnostic Log Level --> VPN --> Debug
and the same for all other services you want to see logs for, then save.
sadokun (Author) commented:
Excellent, thank you for that!  I'm looking through the log now and am seeing some potential issues, and it looks like I may need to call Watchguard.  Looks like it is trying to force usage of Chap-V2 instead of the EAP it is receiving.  My best guess at this point is that it's forwarding the EAP packets like a chap request and RADIUS is none-too-happy about it.
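The guess above (EAP being rewritten into a CHAP/MS-CHAPv2 exchange before it reaches NPS) can be checked by looking at which credential attributes the RADIUS Access-Request actually carries. The decoder below is an added example, not code from the thread or from WatchGuard/NPS; it assumes you feed it the raw UDP payload of a RADIUS packet captured on the NPS host, and the sample packets it builds are constructed with a zeroed authenticator (it does not validate authenticators or the shared secret).

```python
import struct
# Attribute type codes from RFC 2865, RFC 2869 (EAP) and RFC 2548 (Microsoft VSAs)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 26, 79, 80
MICROSOFT_VENDOR_ID, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 311, 11, 25

def parse_attributes(packet: bytes):
    """Return (code, attrs) for a RADIUS packet. Plain attributes appear as
    (type, value); Vendor-Specific ones as (26, vendor_id, vendor_type, value)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with packet size")
    attrs, pos = [], 20  # attributes follow the 16-byte Request Authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs.append((VENDOR_SPECIFIC, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, attrs

def auth_method(packet: bytes) -> str:
    """Classify which credential type an Access-Request actually carries."""
    _code, attrs = parse_attributes(packet)
    types = {a[0] for a in attrs}
    if EAP_MESSAGE in types:
        # RFC 3579 requires Message-Authenticator alongside EAP-Message
        return "EAP" if MESSAGE_AUTHENTICATOR in types else "EAP (missing Message-Authenticator)"
    if any(a[0] == VENDOR_SPECIFIC and a[1:3] == (MICROSOFT_VENDOR_ID, MS_CHAP2_RESPONSE)
           for a in attrs):
        return "MS-CHAPv2"
    if CHAP_PASSWORD in types:
        return "CHAP"
    return "PAP" if USER_PASSWORD in types else "unknown"

def build_access_request(attrs) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for offline testing."""
    body = b""
    for a in attrs:
        if a[0] == VENDOR_SPECIFIC:
            inner = struct.pack("!IBB", a[1], a[2], len(a[3]) + 2) + a[3]
            body += bytes([VENDOR_SPECIFIC, len(inner) + 2]) + inner
        else:
            body += bytes([a[0], len(a[1]) + 2]) + a[1]
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body
```

If the requests leaving the firewall show MS-CHAPv2 attributes while the client was doing EAP smart card logon, the firewall rather than NPS is where the method is being changed.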
setasoujiro commented:
To be honest I never used the SC solution, icw Watchguard that is.

So I think I can't be of more help now, but just raise a call with WG, they are fast to respond normally.
sadokun (Author) commented:
Thank you very much for pointing me in the right direction :)
setasoujiro commented:
No problem, hope you get it solved :)