20,219 questions
User certificate issued by local Enterprise CA, where user is member of AD security group
Apple iOS IKEv2 VPN to Microsoft RRAS - Authetication issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 83%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
sulaimansylvester
1
Reputation point
We have a fully functioning VPN setup for our Windows 10 devices using IKEv2 to two load balanced Windows RRAS servers. Both servers works with Windows devices, but only one server works with iPhones devices.
The permutations result in error messages on the iPhone:
User authentication failed
Logs from Server 2016 Event Viewer:
CoId={8AB4D661-0463-0579-09F9-86933397C252}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: <Unauthenticated User>. Negotiation timed out
I have compared all the settings, but cannot figure out why one server is complaining about authentication. Please help.
Windows for business | Windows Server | User experience | Other
10 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 88%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Sebastian Cerazy 321 Reputation points2022-02-20T19:56:20.463+00:00 -
Gary Nebbett 6,216 Reputation points2022-02-20T20:31:58.21+00:00 Hello Seb,
So it looks like you are using PEAP-EAP-TLS on the Windows server. What does your (working) MacOS configuration look like?
As far as I know, PEAP-EAP-TLS is not supported under iOS - I just see support for EAP–TLS and EAP–MSCHAPv2. Can you show your the configuration that you created for iOS that you thought should support PEAP-EAP-TLS?
Gary
Sign in to comment -
-
Sebastian Cerazy 321 Reputation points
2022-02-21T18:02:32.6+00:00 OK, that is true, so I reconfigured NAS to also include EAP (Smart card or certificate)
But that still fails with error:
Authentication Details: Connection Request Policy Name: Virtual Private Network (VPN) Connections (Request) Network Policy Name: Virtual Private Network (VPN) Connections (Policy) Authentication Provider: Windows Authentication Server: SP-V-NPS.domain.local Authentication Type: EAP EAP Type: Microsoft: Smart Card or other certificate Account Session Identifier: 323336 Logging Results: Accounting information was written to the local log file. Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.And RRAS VPN server states the same:
CoId={8C77F768-E985-E3B8-6378-820F497CC12A}: The user connected from xx.yy.zz.hh but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.As to IOS profile:
-
Gary Nebbett 6,216 Reputation points
2022-02-21T20:00:06.683+00:00 Hello Seb,
If sc_at.pfx contains a certificate suitable for use as client credentials in EAP-TLS (e.g. includes a Subject Alternative Name (SAN) extension containing the user principal name (UPN) of the intended user which maps to an existing user), then I would try Event Tracing for Windows (ETW) on the VPN server to obtain more insight into the problem.
Initially, I would suggest tracing the Microsoft-Windows-RRAS and Microsoft-Windows-WFP providers. Some of the resulting trace data is binary (even after formatting the ETW events) and needs a little knowledge of the EAP, TLS and X.509 protocols/standards to fully understand.
Gary
Sign in to comment -
-
Sebastian Cerazy 321 Reputation points
2022-02-22T06:34:29.793+00:00 Yes, certificate certainly is correct (same one is used on Windows machine for VPN connection)
OK, run the trace, tried to connect from IP 85.255.235.97
Text converted log attached176720-vpnserverrras.txt
I see it is [Microsoft-Windows-RRAS]Tunnel ID: 0x27, Failure reason: 812
Looking for this error, I see this but I do not have mismatch in Policy, it is correct
-
Gary Nebbett 6,216 Reputation points
2022-02-22T08:45:28.903+00:00 Hello Seb,
Looking more deeply at what is actually happening (and going wrong) still seems to be a sensible next step. Using event tracing on the Windows components (VPN and RADIUS servers) would be my choice in this setup (i.e. with iOS clients).
The techniques that I use to troubleshoot similar problems include:
- Event tracing.
- Debugging (e.g. attaching a debugger to IKEEXT, RasMan, etc.); can be used to view protocol elements in unencrypted form.
- Implementing "bare-bones" VPN implementations (both server and client) capable of negotiating a VPN connection (in the case of IKEv2, just enough code to establish a Main Mode association). This gives easy access to the unencrypted information received from the peer.
Gary
Sign in to comment -
-
Gary Nebbett 6,216 Reputation points
2022-02-22T12:06:11.66+00:00 Hello Seb,
For some reason, I always get this error when trying to send my response:
Access Denied
You don't have permission to access "http://learn.microsoft.com/answers/answers/496572/post.html" on this server.
Reference #18.9ffa6d68.1645531433.596af7Here is an image of the response:
Gary
-
Sebastian Cerazy 321 Reputation points
2022-02-22T12:53:36.25+00:00 But the same certificate works in both Windows & MacOS clients
What could be different about iOS?And which certificate would that be (I assume the user certificate explicitly specified in mobileconfig file)
Both (VPN server & user) certificates have entries in SAN, as per this
Seb
-
Gary Nebbett 6,216 Reputation points
2022-02-22T13:24:14.463+00:00 Hello Seb,
The serial number of the client certificate seems to consist of the bytes "40 00 00 7C 4D 00 14 C4 FA 30 38 6E B5 00 04 00 00 7C 4D" (the order might need to be reversed) - is this the certificate which works from Windows and MacOS clients?
I have some concerns about this statement in the link that you posted:
(c) Subject Alternative Name with DNS attribute that matches the subject CN (e.g., DNS Name=******@stevenjordan.net)
My understanding is that the UPN should be encoded as an "otherName" value in the SAN with a type-id of 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN); not a dNSName.
GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER } OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }If some other format works for you, then perhaps "second best" name formats are also accepted.
Gary
-
Gary Nebbett 6,216 Reputation points
2022-02-22T20:37:48.347+00:00 Regarding:
I have some concerns about this statement in the link that you posted:
(c) Subject Alternative Name with DNS attribute that matches the subject CN (e.g., DNS Name=******@stevenjordan.net)
I just noticed the link was referring to how to configure machine authentication with certificates, rather than user authentication with certificates (via EAP-TLS). The SAN, as described in the link is OK for machine certificates and the rest of the information in the link looks to be reliable too.
Gary
Sign in to comment -