UPDATE: L2TP VPN with Windows AD Authentication

Original Post

So after some trial and error I finally have this working, and I have a full write up to share with y’all to save the headache for the next guy. Note: This is tested and confirmed functional on latest 5.9.29 controller and 4.4.29 and higher USG firmware. This has been deployed in production on Windows Server 2012R2 and 2016. Once I can get a trial set up for WS 2019 I will verify but 99.999% sure it will work as that’s basically WS v1803 wrapped up for LTSB. This is the most basic config necessary to get everything running, you can customize the accounting section and other settings based on your environment. Anyways, on to the meat and potatoes…

EDIT: Google Doc link to fix formatting

(Also I apologize for formatting… Converted from a OneNote doc didn’t go so well…)

On Primary Domain Controller:

1. Add Roles and Features
    A. Network Policy and Access Services
    B. Accept all RSAT tools

2. In AD Users and Computers
    A. Create Security Group called “VPN Users”
    B. Add users to this group to approve remote access

3. In Network Policy Server:
    A. Radius Clients and Servers
        i. New Radius Client
            a. Friendly Name: USG
            b. IP Address: Router IPv4 address
            c. Shared Secret, set Manually (save this!!!)
    B. Policies
        i. Connection Request Policies
            a. Name: UniFi VPN
            b. RAS Type: Unspecified
            c. Conditions:
                i. NAS IPv4 Address: USG Address
        ii. Network Policies
            a. Name: UniFi VPN
            b. Access Permission: Grant Access
            c. NAS Type: Unspecified
            d. Conditions:
                i. Windows Groups: DOMAIN\VPN Users
            e. Constraints:
                i. Authentication Methods: MS-CHAP v2 (uncheck all others)
            f. Settings:
                i. Encryption
                    1. Only check Strongest (128-bit)
    C. Accounting (Optional)
        i. Configure Accounting
            a. Write to log file (txt) or SQL

4. In UniFi Controller:
    A. Settings
        i. Profiles:
            a. RADIUS - Add New RADIUS Profile
                1. Name: (Name of Primary Domain Controller)
                2. RADIUS Auth Server: PDC IPv4 Address
                    a. Use Shared Secret from 3a.
                3. Check Enable Accounting
                4. RADIUS Accounting Server: PDC IPv4 Address
                    a. Use Shared Secret from 3a.
        ii. Networks
            a. Create New Network
                1. Name: Remote User VPN
                2. Purpose: Remote User VPN
                3. VPN Type: L2TP Server
                4. PSK: Shared Secret (save this!!!)
                5. GW/SN: Subnet not currently in use, space large enough for all concurrent users
                6. Name Server: Manual - PDC IPv4 address
                7. RADIUS Profile: Profile from 4a.
                8. Check "Require MS-CHAP v2"
                9. Save and Apply

5. Client-Side Setup Steps:
    A. Verify user is a part of “VPN Users” in AD
    B. On client machine, add VPN Profile
        i. VPN Provider: Windows (built-in)
        ii. Connection Name: COMPANY NAME ABBREVIATION
        iii. Server Address: Public IPv4 Address
        iv. VPN Type: L2TP with Pre-Shared Key
        v. PSK: From 4a.
        vi. Sign In Type: Username and Password
        vii. Use DOMAIN\(username) and AD Login
        viii. Check "Remember password"
    C. Open Network & Sharing Center
        i. Change adapter settings - COMPANY NAME ABBREVIATION
        ii. Security Tab
            a. Click “Allow these protocols”
            b. Only check MS-CHAP v2
        iii. Networking Tab
            a. IPv4
                1. Use the following DNS Server
                    a. Primary Domain Controller IPv4 Address
                2. Advanced - DNS Tab
                    a. DNS Suffix for this connection:
                        i. Domain.local

6. Connect to VPN and verify domain.local is pingable

That’s it! Feel free to message me for more specifics or with any questions regarding the configuration.
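The server-side part of the guide (steps 1 through 3A) can be scripted rather than clicked through. The following is an added example, not part of the original post, written in PowerShell for the domain controller that hosts NPS; the USG address, the group name and the secret length are assumptions marked in the comments. It also adds the check a defender wants after the first client test: reading NPS access-granted and access-denied events from the Security log, which is where the reason for a failed MS-CHAP v2 logon shows up. The connection request policy and network policy (step 3B) are still created in the NPS console as the guide describes.

```powershell
# Added example, not from the original post. Run elevated on the DC/NPS server.
# Values marked PLACEHOLDER are assumptions; replace them for your environment.

$UsgAddress = '192.0.2.1'     # PLACEHOLDER: LAN IPv4 address of the USG (the RADIUS client)
$VpnGroup   = 'VPN Users'     # group name used in the guide's step 2A

# Step 1: Network Policy and Access Services plus its RSAT tools
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Step 2: security group that the network policy's "Windows Groups" condition matches on
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$VpnGroup'")) {
    New-ADGroup -Name $VpnGroup -GroupScope Global -GroupCategory Security `
        -Description 'Members may connect to the L2TP VPN'
}
# Add-ADGroupMember -Identity $VpnGroup -Members 'jdoe'   # per-user approval (PLACEHOLDER user)

# Step 3A: RADIUS shared secret. A commenter in this thread reported that a secret
# containing special characters broke authentication through NPS, so this helper
# produces letters and digits only, using the OS CSPRNG with rejection sampling.
function New-AlphanumericSecret {
    param([int]$Length = 32)    # 32 characters is an assumption, not a value from the guide
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62: only bytes below 248 are used, so every character is equally likely
        if ($buf[0] -lt 248) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}
$SharedSecret = New-AlphanumericSecret
Write-Host "RADIUS shared secret (paste into the UniFi RADIUS profile, step 4A): $SharedSecret"

# Register the USG as a RADIUS client with the friendly name the guide uses
Import-Module NPS
New-NpsRadiusClient -Name 'USG' -Address $UsgAddress -SharedSecret $SharedSecret
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# Check (after a client test): NPS logs 6272 = access granted, 6273 = access denied
# to the Security log; the first line of 6273 messages carries the reason for the denial.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The event check is the quickest way to tell a RADIUS problem (no 6272/6273 at all, so the request never reached NPS or the shared secret did not match) from a policy problem (6273 with a reason code, typically the user not being in the group or the authentication method not matching the policy's constraints).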

Thanks for this guide man. Really helped me out since I was in the same boat today and could not make it work.

Somehow I had some trial and error too and wanted to add that I had to make a change since I got an error (from the client side) while connecting.

Under NPS settings => Policies => Network Policies => (edit your profile) => Constraints => Authentication Methods => I emptied the list of EAP types and clicked MS-CHAP v2 only.

If I had MS-CHAP v2 on the list I could not connect.

Hope this helps some soul out there too.

If you install and configure a certificate server and deploy certs to your machines, you can auth the machines prior to user login; this way you can still push policy when no user is connected.

This is the most comprehensive guide I’ve seen on this setup. I thought it might be useful feedback to add to the section where you’re creating the “Windows server Client Secret Key in NPS” that it needs to be shorter than the Windows-generated key and it cannot include special characters. This might be obvious to others, but it was not to me. I spent hours trying to figure out why the link wasn’t working, and it turned out that my key (created from a password generator) having special characters was not allowing the authorization through NPS to function. Hope this helps someone else down the line, as it was a huge waste of time.

Yes that is the setting I used as well, sorry if that wasn’t more clear in the write up. Once again, OneNote doesn’t play nice with Reddit formatting lol

Forgot to mention in this write-up, but you can also check the box when editing the adapter in Control Panel to use the currently logged-on domain credentials, thus skipping the manually entered UN/PW.
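The client-side steps (5B, 5C and 6 of the guide), including the "use currently logged on domain credentials" checkbox mentioned above, map onto the built-in VpnClient module. The following is an added example, not part of the original post; the connection name, server address, DNS suffix, PDC address and account are placeholders marked in the comments, and the PSK is the L2TP pre-shared key from UniFi step 4A.

```powershell
# Added example, not from the original post. Run on the Windows client.
# Values marked PLACEHOLDER are assumptions; replace them for your environment.

$ConnectionName = 'ACME'             # PLACEHOLDER: company name abbreviation (step 5B ii)
$ServerAddress  = 'vpn.example.com'  # PLACEHOLDER: public IPv4 address or DNS name of the USG WAN
$DnsSuffix      = 'domain.local'     # PLACEHOLDER: your AD DNS name (step 5C, DNS suffix)
$PdcAddress     = '10.0.0.10'        # PLACEHOLDER: Primary Domain Controller IPv4 address
$L2tpPsk        = Read-Host -Prompt 'L2TP pre-shared key (UniFi step 4A)'

# Steps 5B/5C: L2TP with pre-shared key, MS-CHAP v2 as the only allowed protocol,
# encryption required. -UseWinlogonCredential is the checkbox the OP describes;
# drop it (and keep -RememberCredential) to be prompted for DOMAIN\username instead.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $L2tpPsk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -DnsSuffix $DnsSuffix `
    -RememberCredential `
    -UseWinlogonCredential `
    -Force

# Confirm what was stored: only MSChapv2 should be listed under AuthenticationMethod
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, DnsSuffix

# Step 6: connect. With Winlogon credentials nothing else is needed; without them,
# `rasdial $ConnectionName 'DOMAIN\username' *` prompts for the password.
rasdial $ConnectionName

# The guide points the adapter's IPv4 DNS at the PDC; doing the same on the PPP
# interface once it exists is an assumption of this example, not a step from the guide.
Set-DnsClientServerAddress -InterfaceAlias $ConnectionName -ServerAddresses $PdcAddress

# Verify the domain resolves and answers over the tunnel
Resolve-DnsName -Name $DnsSuffix
Test-Connection -ComputerName $DnsSuffix -Count 2
```

If the connection fails, the client-side error usually says little; the NPS event log on the domain controller (events 6272 and 6273 in the Security log) is where the actual reason, such as the user not being in the VPN Users group or a mismatch in authentication methods, is recorded.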

NPS Server Certificate: Configure the Template and Autoenrollment (same as above, with screenshots)
https://supportforums.cisco.com/sites/default/files/legacy/5/5/8/89855-Deploy%20a%20CA%20and%20NPS%20Certificate%20Server.docx

Deploy Client Computer Certificates
https://technet.microsoft.com/en-us/library/cc731242(v=ws.10).aspx

802.1X Authenticated Wireless Deployment Guide
https://social.technet.microsoft.com/Forums/en-US/0fc559de-39a6-4d86-b3e5-1d373ef9d0a3/certificate-autoenrollment-group-policy?forum=winserversecurity