FDC2005 asked:
VPN Connection error 812 when setting up RADIUS for Azure Multi Factor Authentication

I set up a clean Windows Server 2012 R2 machine as a Domain Controller with a fixed IP on my network.  I used this checklist to configure my VPN: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/.  Testing the VPN connection using Windows Domain authentication, I had no issues.

Then I installed Azure Multi-Factor Authentication and set up my RADIUS configuration using the following checklist: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-radius/. On my server, I opened Routing and Remote Access and set the Security authentication provider to "RADIUS" and configured it accordingly.

Now, when I try to VPN to my server, I get error 812: "812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error." I've tried numerous checklists online and could not find a solution.  The event viewer doesn't provide much information either, besides giving me the name of the user attempting to connect.

On the connecting client, under VPN properties, Security, I tried setting "allow these protocols" and "MS Chap v2".  I also tried selecting PPTP as the VPN type rather than automatic. Still the same issue occurs.

I appreciate your help.
btan
You may want to check this out on top of the Azure reference, as there seems to be a registry setting to be set and SSTP to be used instead:
The issue seems to be with PEAP/EAP/MS-CHAP-v2 authentication.  I was able to get SSTP/MS-CHAP-v2 without PEAP/EAP working with Azure MFA.

RRAS RADIUS --> Azure MFA RADIUS client, Azure MFA RADIUS Target --> NPS RADIUS

VPN client must use this registry setting to extend authentication time, otherwise you'll be fighting to answer the Azure MFA call before the VPN client times out

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP:MaxConfigure=10

Change this to 30, as suggested here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/577ed20c-ba0f-442a-9d12-45438e3757db/phonefactor-with-rraswindows-server-2003-vpn-client-timeout-after-20-seconds-too-fast?forum=winserverNAP

Also be sure to change RADIUS timeouts in RRAS to at least 30-45 seconds or you'll be hit with an unhelpful error.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/7ea7e6bb-52f8-4549-bea1-3662b4046ee2/rras-sstp-vpn-with-radius-and-multifactor-authentication?forum=windowsazureactiveauthentication

Further, a computer certificate needs to be installed on the VPN client machine.
On the remote VPN client:
Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.

If the client will need to use IKEv2 VPN connections to the server, then a client authentication certificate that was issued by the CA must be installed in the store Local Computer\Personal.
https://technet.microsoft.com/en-us/library/dd458982.aspx
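The client-side changes from the post above, as an added PowerShell example that is not part of the original thread: it raises the RasMan PPP MaxConfigure value from the default 10 to 30 and verifies the write, then adds the CA that issued the SSTP server certificate to Local Computer\Trusted Root Certification Authorities if it is not already there. The path of the exported root CA .cer file is an assumption; run it in an elevated PowerShell session on the VPN client.

```powershell
# Added example, not from the original thread. Run as Administrator on the VPN client.
$pppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
$caCert = 'C:\certs\corp-root-ca.cer'   # assumed path to the root CA certificate exported from the server
$wanted = 30                             # MaxConfigure: default is 10, 30 per the linked TechNet thread

# 1. Extend the PPP configure retries so the Azure MFA phone call can finish before the client gives up
$before = (Get-ItemProperty -Path $pppKey -Name MaxConfigure -ErrorAction SilentlyContinue).MaxConfigure
Write-Host "MaxConfigure before: $before"
if ($before -ne $wanted) {
    # Force a DWORD so an existing value of the wrong type is replaced rather than kept
    Set-ItemProperty -Path $pppKey -Name MaxConfigure -Value $wanted -Type DWord
}
$after = (Get-ItemProperty -Path $pppKey -Name MaxConfigure).MaxConfigure
if ($after -ne $wanted) { throw "MaxConfigure is $after, expected $wanted" }
Write-Host "MaxConfigure after:  $after"

# 2. Trust the CA that issued the server authentication certificate (Local Computer\Trusted Root CAs)
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCert
$present = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $present) {
    # certutil is used instead of Import-Certificate so this also works on Windows 7 clients
    & certutil.exe -addstore -f Root $caCert | Out-Null
    $present = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    if (-not $present) { throw "Root CA $($ca.Subject) was not imported" }
}
Write-Host "Root CA trusted: $($ca.Subject) ($($ca.Thumbprint))"

# 3. Restart the Remote Access Connection Manager so the new PPP value is read without a reboot
Restart-Service -Name RasMan -Force
```

The RADIUS time-out the post refers to is on the server side, not the client: in the RRAS console it is under the server's Properties, Security tab, Authentication provider RADIUS, Configure, per RADIUS server, "Time-out (seconds)". Raise it to the 30 to 45 seconds the post suggests so the request outlives the MFA phone call; otherwise RRAS retries or rejects before the user has answered.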
ASKER CERTIFIED SOLUTION
FDC2005
This solution is only available to members of Experts Exchange.
Thanks for sharing. Apparently this is not new in the MS forum either: setting up VPN with MFA on a machine that is also a DC failed. It needs to be separated. No official MS documentation, but it seems like there is more than what the public should know that is hampering these undocumented issues.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/ed6fc7be-5fb6-4314-957e-44827cc53895/windows-server-2012-r2-vpnrras-mfa-fails-with-error-812-does-mfa-require-its-own-host?forum=windowsazureactiveauthentication
I hope the last post helps to give a heads-up to the community. Thanks.
FDC2005 (ASKER)
For more information, see our posting on Microsoft: "Windows Server 2012 R2 + VPN(RRAS) + MFA fails with Error 812. Does MFA require its own host?"
Thanks for sharing. I believe you meant my last post link. Hope it has assisted.
Problem: On Windows Server 2012 R2 promoted to domain controller, using VPN (RRAS) configured for Azure Multi-Factor Authentication (MFA) as a RADIUS server, VPN connection attempts fail immediately with Error 812. If we configure RRAS to use the domain rather than MFA, VPN connection attempts succeed. We can use NTRadPing to talk to the MFA RADIUS server, so we know it is alive and working. But as soon as we point RRAS at MFA, VPN connection attempts fail with Error 812. There are no MFA log entries when this occurs; it looks like RRAS never even attempts to talk with MFA.

Workaround: Move MFA to its own host, e.g. a VM running Windows 7. Once we did this, VPN connection attempts authenticate via MFA and life is good.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/ed6fc7be-5fb6-4314-957e-44827cc53895/windows-server-2012-r2-vpnrras-mfa-fails-with-error-812-does-mfa-require-its-own-host?forum=windowsazureactiveauthentication
FDC2005 (ASKER)
Yes - sorry - I didn't realize you were pointing to the same post when I made my link. That was my writeup on the Microsoft website of the workaround we found.

thanks!
-Frank.
Noted, so I have thought my last post can be highlighted as assisted instead : )
FDC2005 (ASKER)
Yes - certainly - thank you!
-Frank.
Thanks Frank :)