RADIUS Authentication not working

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
genesys
Posts: 32
Joined: Tue Apr 14, 2020 10:50 pm

RADIUS Authentication not working

Post by genesys » Sun Apr 26, 2020 11:29 pm

I have a Windows Server 2019 with a 2016 AD running.
The server also has the NPS role installed with RADIUS.
The AD contains a User group called "SoftEtherVPNUsers" which contains user John Doe with username john.doe (among others)

I'm trying to setup the SoftEtherVPN such that it will allow all users that are part of this group to connect with VPN.

On the SoftEther VPN server:
-I created the * user and set RADIUS as authentication method.
-I've set the authentication server options to point to the RADIUS server (correct IP) and used the same shared secret as used in the radius client settings configured on the server
On the RADIUS server:
- I configured the SoftEtherServer as valid client, pointing to the SoftEtherServer as valid client using the softEtherServer's IP address as seen from the RADIUs server
- I configured Connection and Network Policies
- I enabled NPS firewall settings
usersettings.png
serversettings.PNG
RadiusClient.PNG
You do not have the required permissions to view the files attached to this post.

genesys
Posts: 32
Joined: Tue Apr 14, 2020 10:50 pm

Re: RADIUS Authentication not working

Post by genesys » Mon Apr 27, 2020 9:38 am

connectionpolicy.png
networkPolicy.png
firewall.PNG
You do not have the required permissions to view the files attached to this post.

xiaowei.zhang
Posts: 10
Joined: Sun Jun 28, 2020 10:28 am

Re: RADIUS Authentication not working

Post by xiaowei.zhang » Sun Jun 28, 2020 11:12 am

@genesys, do you use commercial version of SoftEther? I tried to add user for Radius authentication. unluckily, it tells me that radius and NT domain authentications are only valid for commercial version, rather than my opensource one.

BTW, where to buy commercial version?

Thank you very much.

Bairs
Posts: 3
Joined: Tue Aug 11, 2020 9:59 pm

Re: RADIUS Authentication not working

Post by Bairs » Tue Aug 11, 2020 10:27 pm

I think the concept of radius 2 factor authentication will help in solving your question which provides your group of users with reliable protection in the form of generating a one time password using the same radius protocol as the basis of protection. In turn, this approach to radius service makes it possible to eliminate such errors and ensure the reliability of encryption.

ethanolson
Posts: 50
Joined: Mon Dec 02, 2019 6:29 am

Re: RADIUS Authentication not working

Post by ethanolson » Tue Sep 08, 2020 10:09 pm

Mine's working but it took a lot to get there. First, if you don't have a proper RADIUS client config in NPS then you don't even get anything in the NPS logs [C:\Windows\System32\LogFiles]. Once that's done then the logs along with online help documents from Microsoft and the RADIUS standard can point to where things aren't jiving. I landed on this config last year and it's working great, but keep in mind that if using PEAP like I do then you need to have a trusted certificate (trusted by SoftEther as well) configured for PEAP on the NPS server. I did leave the other auth methods in place as a fallback and you'll see that below. Also, I got the NAS Port Identifier from the NPS logs in case you're wondering because I didn't ever see it in the SoftEther documentation and I don't ever dig into source code.



NPS - RADIUS Clients [SoftEtherServer]
----------
Enter your IP Address in the IP Address field instead of the hostname you entered [SoftEtherServer]

NPS - Connection Policies [SoftEther VPN Connection]
----------
Overview > Policy State: Enabled
Overview > Type of network access server: unspecified
Conditions > Client Friendly Name: SoftEtherServer
Settings > Authentication Methods: UNCHECKED 'Override network policy authentication settings'
Settings > Authetication: Authenticate requests on this server
Settings > Accounting: nothing configured
Settings > Attribute: nothing configured
Settings > Standard: nothing configured
Settings > Vendor specific: nothing configured

NPS - Network Policies [SoftEtherClients]
----------
Overview > Policy State: Enabled
Overview > Access Permission: Grant Access
Overview > Access Permission: Ignore user account dial-in properties
Overview > Type of network access server: Unspecified
Conditions > NAS Identifier: SoftEther VPN Server
Constraints > Authentication Methods: PEAP [EAP-MSCHAP v2], MS-CHAPv2, PAP
Constraints > Idle Timeout: nothing configured
Constraints > Session Timeout: nothing configured
Constraints > Called Station ID: nothing configured
Constraints > Day and time restrictions: nothing configured
Constraints > NAS Port Type: Virtual (VPN)

SoftEther Server's Config File
----------
bool RadiusUsePeapInsteadOfEap true

Post Reply