This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 66%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
==Summary==
I installed "Routing and Remote Access" role on Windows Server 2016 so I can use it as a VPN gateway(L2TP/IPsec with pre-shared key). The authentication is handled by a RADIUS server. On trying to connect a Windows 10 host to the VPN gateway I got "the remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol you selected is not permitted on the remote access server." error message.
==Troubleshooting==
I reviewed the event logs and found Event ID 20227:
"The user PC-1\Martin dialed a connection named VPN-Lan-1 which has failed. The error code returned on failure is 691."
Based on both error messages I did following:
At that point I`m stuck. May I ask you for help?
I deleted the network policy and then created a new one with. This time around I did specify any active directory group. I was able to connect the host to the default gateway with no issue. This make me think that Active Directory has something to do with the issue. I`m still looking for help.
Hi, I went to active directory/users and computers/the user account properties/ dial-in tap and I switches from "Control access thought NPS access policy" to "allow access". After doing so, I was able to connect with no issue. It looks like during the authentication it ignores the network policy. Any idea how to fix it?
#desperate
EVENTS:
PC: The user PC-1\Martin dialed a connection named VPN-LAN-1 which has failed. The error code returned on failure is 691.
VPN SERVER: CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN3-127, UserName: lab.local\gmarkov. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
DC(RADIUS):Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: LAB\gmarkov
Account Name: lab.local\gmarkov
Account Domain: LAB
Fully Qualified Account Name: lab.local/Remote Users/Georgi Markov
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 128.0.0.1
Calling Station Identifier: 128.0.0.2
NAS:
NAS IPv4 Address: 128.0.0.1
NAS IPv6 Address: -
NAS Identifier: ROUTER-1
NAS Port-Type: Virtual
NAS Port: 257
RADIUS Client:
Client Friendly Name: Router-1
Client IP Address: 10.0.0.1
Authentication Details:
Connection Request Policy Name: VPN for Remote Users
Network Policy Name: Connections to Microsoft Routing and Remote Access server
Authentication Provider: Windows
Authentication Server: DC-1.lab.local
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 3137
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 85%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Overall considering the above solutions first make sure that your network is not filtering Proxy/Anonymizers in your network, this usually happens through any content filtering in your network. You can simply switch on your mobile hotspot connect your desktop/laptop to it and check L2TP VPN to your server, it will work.