Windows 2008 R2 VPN not authenticating any users

  • Question

  • I've created my own lab setup as well as the Step By Step guide for Windows 2008 R2 with NAP and VPN.

    In neither case will authentication work for the VPN client (Windows 7).

    Topology:

    DC1 (Domain Controller, DNS server, GPOs)

    - NAP GPO

    - SHV GPO

    - EAP enforcement GPO

    NPS1 (Network Policy Server, RADIUS Server)

    - NAP configured as per step by step guide

    VPN1 (RRAS server, RADIUS Client)

    - VPN1 configured as per step by step guide.

    Client1 (VPN Client, Windows 7)

    - Connected to local server using Username/password/Domain (using local server name)

    - Connected to VPN server using domain credentials

    VPN1 and Client1 are on a fake Internet segment.

    No matter what I do, I cannot get the server to authenticate me and establish a VPN tunnel.

    I keep getting a "re-enter your user name and password" message. I have confirmed the username and password are correct. I've changed the username/password; still nothing.

    Tuesday, August 6, 2013 5:39 PM

Answers

  • Possible Causes:
    One of the prime causes for the above error is when the *only* allowed authentication protocol configured on the VPN server (or RADIUS server) is MS-CHAP and the VPN client is running Vista or a later OS platform (like Windows 7). Note: for security reasons, MS-CHAP was removed from Vista and later OS platforms, and hence the connection fails.

    Error 812 comes when the authentication protocol is set via NPS (Network Policy and Access Services).

    Possible Solution:
    1. Configure a more secure authentication protocol like MS-CHAPv2 or EAP-based authentication on the server, matching the settings on the client side.
    2. Re-import the NPS policies and stop/start NPS.
    3. Add the domain name, such as domain\Username.


    Best Regards
    Jeremy Wu

    • Marked as answer by Jeremy_Wu Thursday, August 22, 2013 1:05 AM
    Sunday, August 11, 2013 2:05 PM

All replies

  • This is the error on the VPN server (RADIUS client).

    CoId={051E4CD1-BFA5-498D-9F44-8354E2DB9010}: The following error occurred in the Point to Point Protocol module on port: VPN3-127, UserName: CONTOSOT\user1. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

    Tuesday, August 6, 2013 6:22 PM
  • Tested with Enterprise Administrator and domain administrator (user1).

    Changed Dial-in properties to ALLOW and managed by network policy; no difference.

    Tuesday, August 6, 2013 6:24 PM
  • I've registered the VPN NPS and the NPS standalone server in Active Directory ... nothing.

    Tuesday, August 6, 2013 7:13 PM
  • I've got the problem down to PEAP authentication. I just can't find the issue.
    Wednesday, August 7, 2013 5:40 PM
  • Hi,

    I would like to check if there is any update.

    Thanks.


    Best Regards
    Jeremy Wu

    Friday, August 16, 2013 9:16 AM