Score:1

VPN access issue

==Summary==

I installed the "Routing and Remote Access" role on Windows Server 2016 so I can use it as a VPN gateway (L2TP/IPsec with pre-shared key). The authentication is handled by a RADIUS server. On trying to connect a Windows 10 host to the VPN gateway I got the error message "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol you selected is not permitted on the remote access server."

==Troubleshooting==

I reviewed the event logs and found Event ID 20227:

"The user PC-1\Martin dialed a connection named VPN-Lan-1 which has failed. The error code returned on failure is 691."

Based on both error messages I did the following:

  1. Confirmed that the credentials are correct.
  2. Confirmed that the shared key is correct.
  3. Confirmed that the authentication methods match.
  4. Applied the solution described here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/rras-vpn-connections-fail-ms-chapv2-authentication
  5. The account is part of the group listed in the network policy.
  6. Under "dial-in" the correct option is selected.

At that point I'm stuck. May I ask you for help?

marin1466:
Hi guys, I'm still looking for a solution. Thank you in advance.
marin1466:
Hi, I went to Active Directory Users and Computers / the user account properties / Dial-in tab and switched from "Control access through NPS Network Policy" to "Allow access". After doing so, I was able to connect with no issue. It looks like during the authentication it ignores the network policy. Any idea how to fix it?
marin1466:
So far I was able to confirm that the problem is somehow related to the network policy. For some reason the RADIUS does not validate it. If I choose "grant access" there is no issue at all. I've been researching and testing like crazy for the past 3 hours with no success. #desperate
marin1466:

==Events==

PC: The user PC-1\Martin dialed a connection named VPN-LAN-1 which has failed. The error code returned on failure is 691.
marin1466:
Router: CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN3-127, UserName: lab.local\gmarkov. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
marin1466:
DC(RADIUS): Network Policy Server denied access to a user. Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
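The NPS event above points at two things worth checking side by side: the account's Network Access Permission (the msNPAllowDialin attribute behind the Dial-in tab) and the NPS accept/deny audit events for that account. The script below does both; it is an added example, not code from the thread or from Microsoft, and it assumes the ActiveDirectory RSAT module, read access to the Security log on the NPS server, and placeholder values for the user name (taken from the RRAS event) and the NPS host name.

```powershell
# Added example, not code from the thread or from Microsoft.
# Checks the user's Network Access Permission (msNPAllowDialin, behind the
# Dial-in tab) and then pulls the NPS accept/deny audit events for that account.
# Requires the ActiveDirectory RSAT module and read access to the Security log
# on the NPS server.
param(
    [string]$User      = 'gmarkov',             # account named in the RRAS event
    [string]$NpsServer = 'NPS-HOST-PLACEHOLDER'  # placeholder: your NPS/DC host name
)
Import-Module ActiveDirectory

# msNPAllowDialin: $true = Allow access, $false = Deny access,
# not set = "Control access through NPS Network Policy".
$acct = Get-ADUser -Identity $User -Properties msNPAllowDialin
$perm = $acct.msNPAllowDialin
if ($null -eq $perm) {
    $dialIn = 'Control access through NPS Network Policy'
} elseif ($perm -eq $true) {
    $dialIn = 'Allow access (overrides the network policy''s Grant/Deny setting)'
} else {
    $dialIn = 'Deny access (rejected before any network policy is evaluated)'
}
"{0}: Network Access Permission = {1}" -f $acct.SamAccountName, $dialIn

# NPS writes accepts as Security event 6272 and denials as 6273; the Reason
# field carries the same text quoted in the DC(RADIUS) event above.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $NpsServer -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.SubjectUserName -like "*$User*") {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Result        = $(if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' })
                Account       = $data.FullyQualifiedSubjectUserName
                NetworkPolicy = $data.NetworkPolicyName
                ReasonCode    = $data.ReasonCode
                Reason        = $data.Reason
            }
        }
    } | Format-List
```

If the attribute reads as Control access through NPS Network Policy but 6273 still reports the "set to Deny access" reason, the NPS server is not evaluating the same account object the Dial-in tab shows, which is where replication or the NPS server's domain membership should be looked at next.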