Comments
Hi @Robert_Vilhelmsen
At this time there are no plans on supporting multiple groups per user inside of AuthPoint.
-James Carson
WatchGuard Customer Support
@james.carson
Thanks. My issue is that the groups assigned to users in the AuthPoint portal (in this case myself) seem to change from time to time when a sync from LDAP/AD is done (every 30 minutes), when the user(s) are members of multiple groups in AD.
I think this happened after I upgraded AuthPoint gateways to 7.2.1-649.
This has caused my IKEv2 connections to the Firebox to report "user not in right group" sometimes. For now I have fixed it by creating these groups on the FB and adding them as allowed IKEv2 authentication groups.
Hi @Robert_Vilhelmsen
I'd suggest opening a support case so that we can look into what's happening. Users generally should not be swapping groups in the manner you're describing, and we'd need to look at the LDAP sync logs on the system to determine what's going on there.
-James Carson
WatchGuard Customer Support
@james.carson
I'll do that.
Do you know what this error means when connecting with IKEv2 and authentication is done through AuthPoint to MS NPS?
2023-09-07 21:35:20 admd ready to end authentication session with error code 38
admd RADIUS: retrieve VP:MS-CHAP-Error(20381698)
I have a feeling it has something to do with group membership, but the same user connecting with SSL VPN works.
Hi @Robert_Vilhelmsen the error "MS-CHAP-Error(20381698)" is likely just being piped in from the response of your NPS server.
I would suggest looking in your authentication logs on that server to see if there's any more info.
-James Carson
WatchGuard Customer Support
I'll dig deeper. Thanks.
@james.carson
Ended up using tcpdump which showed me this error:
VSA: t=MS-CHAP-Error(2) l=16 val=\000E=691 R=0 V=3
I am not sure what caused it in the end, but I went over all settings in AuthPoint and NPS, and at the same time got MS-CHAPv2 enabled in NPS, and now it is working from my Apple device.
The NPS logs did not show anything interesting, nor did Fireware; only tcpdump gave me a useful message.
Which leads me to this question: I see Fortinet and SonicWall do show the actual NPS error message as above, instead of Fireware's error code 38 and MS-CHAP-Error(20381698).
Could this be a bug where Fireware does not interpret the returned NPS string correctly?
/Robert
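As an added example, not part of this thread and not WatchGuard's or Microsoft's code: a small Python decoder for the Microsoft VSA that tcpdump printed above, following the MS-CHAP-Error layout in RFC 2548 (Ident byte, then "E=... R=... [C=...] V=... [M=...]"). It also splits the Fireware identifier 20381698 on the assumption that it is vendor-id and vendor-type packed as (311 << 16) | 2; that reading is mine, based only on the arithmetic matching, not on anything the documentation states.

```python
import struct
MS_VENDOR_ID = 311   # IANA enterprise number for Microsoft (RFC 2548)
MS_CHAP_ERROR = 2    # vendor-type of MS-CHAP-Error (RFC 2548 section 2.1.5)
# Error codes an MS-CHAPv2 authenticator may return (listed in RFC 2759)
MSCHAP_ERROR_NAMES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                      648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                      691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

def split_fireware_id(code):
    """Assumption: Fireware's MS-CHAP-Error(20381698) is (vendor_id << 16) | vendor_type;
    20381698 == 0x01370002, i.e. vendor 311 (Microsoft) and vendor-type 2."""
    return code >> 16, code & 0xFFFF

def parse_vsa(attr):
    """RFC 2865 type 26: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value."""
    if len(attr) < 8 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if attr[7] != len(attr) - 6:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, attr[6], attr[8:]

def parse_mschap_error(value):
    """Decode the MS-CHAP-Error string: Ident byte, then 'E=eee R=r [C=...] V=v [M=msg]'."""
    text = value[1:].decode("ascii", errors="replace")
    head, sep, msg = text.partition(" M=")    # M= may contain spaces, so split it off first
    fields = {"Ident": value[0]}
    for token in head.split():
        key, _, val = token.partition("=")
        if key in ("E", "R", "V"):
            fields[key] = int(val)
        elif key == "C":
            fields[key] = val                  # 32 hex chars: new authenticator challenge
    if sep:
        fields["M"] = msg
    fields["error_name"] = MSCHAP_ERROR_NAMES.get(fields.get("E"), "unknown")
    fields["retry_allowed"] = fields.get("R") == 1
    return fields

def describe(attr):
    # Render a raw VSA as the one-line explanation an admin would want to see logged
    vendor, vtype, value = parse_vsa(attr)
    if (vendor, vtype) != (MS_VENDOR_ID, MS_CHAP_ERROR):
        return f"vendor {vendor} type {vtype}: not an MS-CHAP-Error"
    f = parse_mschap_error(value)
    return f"MS-CHAP-Error E={f['E']} ({f['error_name']}) retry={f['retry_allowed']} V={f.get('V')}"

# Constructed sample matching the tcpdump line in the thread:
#   VSA: t=MS-CHAP-Error(2) l=16 val=\000E=691 R=0 V=3
MSCHAP_VALUE = b"\x00E=691 R=0 V=3"                   # 1 Ident byte + 13 chars = 14 bytes
SAMPLE_VSA = (bytes([26, 8 + len(MSCHAP_VALUE)]) + struct.pack("!I", MS_VENDOR_ID)
              + bytes([MS_CHAP_ERROR, 2 + len(MSCHAP_VALUE)]) + MSCHAP_VALUE)
```

E=691 is the generic "authentication failure" code, and R=0 tells the client not to retry, which is why the bare Fireware code 38 gives an admin much less to go on than the decoded string.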
Hi @Robert_Vilhelmsen
It looks like we do supply some info if the log level is turned up to WARNING and the reason is a recognized one.
https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_8.pdf (see pages 110-111)
I would not expect the firebox to pipe the exact output of the error into the firebox logs, mostly due to that being a potential vector for an exploit/abuse.
If NPS isn't logging its own error, I'd suggest that the problem might lie there.
-James Carson
WatchGuard Customer Support