Always On VPN Continue Connecting Prompt

Using the Extensible Authentication Protocol (EAP) with client certificates is the recommended best practice for authenticating Windows 10 Always On VPN connections. EAP, and Protected EAP (PEAP) in particular, has many settings to configure, and incorrectly defined parameters are a common source of connection problems. This post covers one of the more common symptoms of an EAP/PEAP misconfiguration.

Action Needed?

When establishing an Always On VPN user tunnel connection, users may find the connection does not complete automatically, and they are informed that additional action is needed.

Clicking on the VPN connection and then clicking Connect prompts the user with the following message.

“Action needed. Continue connecting? We don’t have enough info to validate the server. You can still connect if you trust this server.”

Common Causes

This message appears when EAP is configured to validate the server's identity against a restricted list of NPS servers (the “Connect to these servers” setting) and the NPS server that answers the authentication request does not match that configuration. There are two common reasons for the mismatch.

NPS Server Certificate

The NPS server performing authentication for the connection request must present a certificate whose subject name matches one of the NPS server names defined in the EAP configuration. The client compares the subject name only; a name that appears solely in the subject alternative name (SAN) field does not satisfy the check. The certificate must be issued by the organization's private certification authority (CA), and that CA must be one of the trusted root CAs selected in the EAP configuration.

EAP Configuration

Alternatively, the client-side EAP configuration may be incorrect. The NPS server may have the correct hostname in its certificate, but that name may not be entered correctly on the client. Ensure that each name listed in the “Connect to these servers” field matches the subject name of the certificate presented by the NPS server that hosts the network policy for the Always On VPN user tunnel (again, the subject name, not the SAN). Look carefully at the syntax when defining multiple NPS servers: separate them with a semicolon and no additional spaces. A stray space or a missing semicolon will result in connection prompts. Also ensure that every NPS server the VPN server uses for authentication is included in this list. Finally, be aware that the field is interpreted as a regular expression, so an unescaped dot matches any character; where the highest assurance is required, escape literal dots (for example nps1\.example\.com) so that look-alike names cannot satisfy the check.

Note: Administrators must ensure that all VPN clients have received an updated EAP configuration before adding NPS servers to the environment. Otherwise, any client whose authentication request is handled by an NPS server that is not yet in its list will be prompted.

Security Best Practice

To be clear, the behavior above is not ideal from a security perspective. Validating the NPS server's identity before authenticating is crucial to ensuring the highest level of security and assurance, because it prevents a man-in-the-middle from harvesting credentials by impersonating the authentication server. For this reason, users should not be given the choice to authorize an NPS server; authorized NPS servers should be defined exclusively by administrators. To enforce this, in the PEAP properties select “Don't ask user to authorize new servers or trusted CAs” in the Notifications before connecting drop-down list, and in the Smart Card or other Certificate (EAP-TLS) properties, which also apply to the inner authentication method of PEAP, select “Don't prompt user to authorize new servers or trusted certification authorities”. With these settings in place, a connection through an unlisted or unverifiable NPS server fails outright instead of prompting, which is the desired outcome.
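As an added illustration, which is not code from the original post or from its author, the following PowerShell audits the server-validation settings in an Always On VPN EAP configuration XML for the problems described in the EAP Configuration and Security Best Practice sections: whitespace or stray semicolons in the server list, unescaped dots (the field is a regular expression, as the comments on this post point out), NPS certificate subject names the list does not cover, and the setting that lets users authorize new servers. The sample XML and NPS names are constructed; the element names follow Microsoft's EapHostConfig schema, and the anchored whole-name match used to compare subject names is an assumption standing in for the client's actual comparison.

```powershell
# Added example (PowerShell), not from the original post. Audits the server
# validation settings in an Always On VPN EAP configuration for the problems
# discussed above: bad "Connect to these servers" syntax and users being
# allowed to authorize new servers.
#
# The XML below is CONSTRUCTED for illustration, following the EapHostConfig
# schema but trimmed to the elements that matter here. On a real client, read
# the deployed configuration with
#   (Get-VpnConnection -Name 'Always On VPN').EapConfigXmlStream
# and pass that XmlDocument instead.
[xml]$SampleEapConfig = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <!-- Outer PEAP: user may still authorize servers, and the list has a stray space -->
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames>nps1.corp.example.com; nps2.corp.example.com</ServerNames>
        </ServerValidation>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <ServerValidation>
              <!-- Inner EAP-TLS: prompt disabled, semicolons only, literal dots escaped -->
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>nps1\.corp\.example\.com;nps2\.corp\.example\.com</ServerNames>
            </ServerValidation>
          </EapType>
        </Eap>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

function Test-EapServerValidation {
    param(
        [Parameter(Mandatory)] [xml] $EapConfig,
        # Subject CNs of your NPS server certificates. The client matches the
        # subject name only, not the SAN (see the comments on this post).
        [string[]] $NpsSubjectName = @()
    )
    $findings = @()
    # local-name() sidesteps the per-method XML namespaces (PEAP vs. EAP-TLS).
    foreach ($sv in $EapConfig.SelectNodes("//*[local-name()='ServerValidation']")) {
        # ServerValidation sits under EapType; its grandparent Eap carries the
        # method Type (25 = PEAP, 13 = EAP-TLS / smart card or other certificate).
        $method = $sv.ParentNode.ParentNode.SelectSingleNode("*[local-name()='Type']").InnerText
        $names  = $sv.SelectSingleNode("*[local-name()='ServerNames']").InnerText
        $prompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']").InnerText

        if ($prompt -ne 'true') {
            $findings += "EAP type ${method}: DisableUserPromptForServerValidation is '$prompt'; users get the 'Continue connecting?' choice."
        }
        if ([string]::IsNullOrWhiteSpace($names)) {
            $findings += "EAP type ${method}: ServerNames is empty, so the server's name is not validated at all."
            continue
        }
        if ($names -match '\s') {
            $findings += "EAP type ${method}: ServerNames '$names' contains whitespace; separate servers with ';' and no spaces."
        }
        $entries = $names -split ';'
        foreach ($entry in $entries) {
            if ($entry -eq '') {
                $findings += "EAP type ${method}: empty entry in ServerNames (stray semicolon)."
            }
            elseif ($entry -match '(?<!\\)\.') {
                $findings += "EAP type ${method}: '$entry' has unescaped dots; the field is a regular expression, so '.' matches any character."
            }
        }
        # Approximation of the client's check (ASSUMED: anchored, case-insensitive
        # match of the whole subject name against any one entry).
        $pattern = '^(' + ($entries -join '|') + ')$'
        foreach ($cn in $NpsSubjectName) {
            if ($cn -notmatch $pattern) {
                $findings += "EAP type ${method}: NPS certificate subject '$cn' is not covered by ServerNames; expect a prompt or failure when that server answers."
            }
        }
    }
    return $findings
}

# Constructed list of the subject CNs on the NPS servers the VPN server uses.
$knownNps = 'nps1.corp.example.com', 'nps2.corp.example.com'
Test-EapServerValidation -EapConfig $SampleEapConfig -NpsSubjectName $knownNps |
    ForEach-Object { Write-Output "WARN: $_" }

# The unescaped-dot pitfall made concrete: a look-alike name that an attacker
# could register is accepted by the unescaped pattern and rejected by the escaped one.
'nps1.corp4example.com' -match '^nps1.corp.example.com$'
'nps1.corp4example.com' -match '^nps1\.corp\.example\.com$'
```

Against the constructed sample, the outer PEAP settings produce five warnings (prompt still enabled, whitespace in the list, two entries with unescaped dots, and nps2 not covered because of the leading space), while the inner EAP-TLS settings are clean; the two final comparisons show the look-alike name accepted by the unescaped pattern and rejected once the dots are escaped. To audit a real client, replace the sample with the XmlDocument returned by Get-VpnConnection and the constructed CN list with the subject names from your NPS certificates.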

Additional Information

Always On VPN Network Policy Server (NPS) Load Balancing

Always On VPN and Windows Server 2019 NPS Bug


5 Comments

  1. KpR, April 5, 2021

    Hey Richard,
    Based on my experience, the client doesn’t read the SAN but only the subject name when you perform RADIUS authentication.
    I don’t know if it was a bug or something else, but I had to change my RADIUS certs.

    • That’s not been my experience. It’s been a while since I tested though, so it could have changed since then. I’ll do some testing soon and see what I can find.

    • You are correct. The client only matches against the subject name field, not the subject alternative name field. I’ve updated the post to reflect that information. Thanks for bringing that to my attention!

  2. Some Guy, April 6, 2021

    Careful! The screenshots show that the EAP dialog box is expecting regular expressions for the certificate name. In regular expressions, the “dot” character is a wildcard meaning “any character”. Since you didn’t escape your literal dots, an attacker could go out and register lab4richardhicks.net and make a legit VPN server with a legit certificate that your client will happily accept.

    • Good observation! I think using FQDNs here is sufficient for most deployments, to be honest. However, for those with the highest security requirements, it might require some additional configuration here. I’ll investigate for sure!

