All posts tagged NPS

Always On VPN Error 13868

Troubleshooting Always On VPN Error 691 and 812 – Part 2

The Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice for Microsoft Always On VPN deployments where the highest levels of security and assurance are required. However, as I’ve written about in the past, often the default IKEv2 security settings are less than desirable. Before using IKEv2 VPN in a production environment the administrator will need to update these security settings accordingly.

Connection Failure

When configuring Windows Server Routing and Remote Access Service (RRAS) or a third-party VPN appliance to support IKEv2 using custom security policies, the administrator may encounter a scenario in which a connection cannot be established due to a policy mismatch error. When the connection attempt fails, an error will be recorded in the Windows Application event log from the RasClient source with Event ID 20227. The error message states the following:

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13868.”

Always On VPN IKEv2 Policy Mismatch Error

Error Code 13868

Error code 13868 translates to ERROR_IPSEC_IKE_POLICY_MATCH. Essentially this error indicates that the IKEv2 security policy on the client did not match the configuration on the server.

Server Configuration

To view the current IKEv2 IPsec policy configuration, open an elevated PowerShell command window and run the following command.

Get-VpnServerIPsecConfiguration

Always On VPN IKEv2 Policy Mismatch Error

Client Configuration

To ensure interoperability, the VPN client must be configured to use the same IKEv2 security policy as defined on the sever. To view a VPN client’s currently configured IKEv2 security policy, open an elevated PowerShell command window and run the following command.

Get-VpnConnection -Name [connection name] | Select-Object -ExpandProperty IPsecCustomPolicy

Always On VPN IKEv2 Policy Mismatch Error

Note: If this PowerShell command returns no output, the VPN connection is not using a custom IKEv2 IPsec security policy.

Updating Settings

Guidance for configuring IKEv2 security policies on Windows Server RRAS and Windows 10 can be found here.

NPS Policy

Another common cause of IKEv2 policy mismatch errors is a misconfigured Network Policy Server (NPS) network policy. Specifically, administrators may disable Basic and Strong encryption for MPPE in an attempt to improve security.

Always On VPN IKEv2 Policy Mismatch Error

The NPS policy for Always On VPN must include Strong encryption at a minimum. Basic and No encryption can be safely disabled.

Always On VPN IKEv2 Policy Mismatch Error

Summary

IKEv2 policy mismatch errors can be resolved easily by ensuring both the VPN server and client are configured to use the same IPsec security policies. Use the PowerShell commands in the above referenced above to validate settings and make changes when necessary.

Additional Information

Microsoft Always On VPN Error 13801

Microsoft Windows Always On VPN Error 13806

Microsoft Windows Always On VPN Certificate Requirements for IKEv2

Microsoft Windows Always On VPN IPsec Root Certificate Configuration Issue

Microsoft Windows Always On VPN IKEv2 Policy Mismatch Error

Microsoft Windows Always On VPN IKEv2 Security Configuration

Microsoft Windows Always On VPN IKEv2 Fragmentation

Microsoft Windows Always On VPN IKEv2 Load Balancing and NAT

Microsoft Windows Always On VPN IKEv2 Features and Limitations

1 Comment
by Richard M. Hicks on February 12, 2023  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure VPN, Azure VPN Gateway, certificates, Cryptography, device tunnel, Encryption, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PKI, PowerShell, Remote Access, routing and remote access service, Security, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 12, 2023

https://directaccess.richardhicks.com/2023/02/12/always-on-vpn-error-13868/

Always On VPN RADIUS Configuration Missing

Windows Server Routing and Remote Access Service (RRAS) is a popular choice for administrators deploying Always On VPN. It is easy to configure and scales out easily. Most commonly, RRAS servers are configured to use RADIUS authentication to provide user authentication for Always On VPN client connections. The RADIUS server can be Microsoft Network Policy and Access Server (NPAS, or simply NPS) or a third-party RADIUS solution. It is best to have the RADIUS service running on a server separate from the RRAS server.

RADIUS Authentication

Administrators can configure RADIUS authentication by opening the Routing and Remote Access management console (rrasmgmt.msc), right-clicking the VPN server, then choosing Properties > Security. Click the Configure button to configure authentication and accounting providers accordingly.

RADIUS Options Missing

In some cases, the administrator will notice that the option to configure RADIUS authentication and accounting servers is missing. In its place is the following error message.

“Because Network Policy Server (NPS) is installed, you must use it to configure authentication and accounting providers. To configure authentication and accounting providers, create or modify connection request policies.”

Configuration Options

It might be tempting for administrators to follow this guidance when presented with this message by opening the Network Policy management console (nps.msc) to configure it. However, that is not recommended or necessary. This message results from a common configuration error that should be corrected.

NPS Role Installed

The error message above occurs when an administrator mistakenly installs the NPAS role on the RRAS server itself. Again, this is not recommended or required. To resolve this issue, uninstall the NPS role by opening an elevated PowerShell command window and running the following command.

Uninstall-WindowsFeature NPAS

Configuration Corrupted

After removing the NPAS role from the RRAS server, administrators may encounter the following error message when configuring RADIUS authentication and accounting servers in RRAS.

“The connection request policy used for authentication and accounting configuration is corrupted. Either install Network Policy Server (NPS) and restore the connection request policy manually, or click Repair Settings to restore the connection request policy by using Windows Accounting and Windows Authentication.”

Repair Settings

To resolve this issue, click the Repair Settings button. Once complete, RADIUS authentication and accounting configuration should work as expected.

Additional Information

Always On VPN Network Policy Server (NPS) Auditing and Logging

Always On VPN Network Policy Server (NPS) Load Balancing

Always On VPN and Windows Server 2019 Network Policy Server (NPS) Bug

1 Comment
by Richard M. Hicks on October 13, 2022  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Enterprise, enterprise mobility, Mobility, network policy server, NPS, Operational Support, Remote Access, routing and remote access service, RRAS, Security, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 13, 2022

https://directaccess.richardhicks.com/2022/10/13/always-on-vpn-radius-configuration-missing/

Always On VPN NPS Auditing and Logging

The Network Policy Server (NPS) event log is incredibly valuable for administrators when troubleshooting Always On VPN user tunnel connectivity issues. Administrators can find these pertinent events by opening the Event Viewer on the NPS server (eventvwr.msc) and navigating to Custom Views > Server Roles > Network Policy and Access Services.

Event Logs

When configured correctly, event logs will record the disposition of all authentication requests, allowed or denied. The two most common recorded events are event IDs 6272 (access granted) and 6273 (access denied).

NPS Event ID 6272 – Access granted.

NPS Event ID 6273 – Access denied.

Auditing

In some cases, administrators may find none of these events recorded even though user authentication is working correctly. Here, the only events recorded are NPS informational events indicating which domain controller the NPS server is using to perform authentication.

The lack of 6272 and 6273 events in the event log indicates that auditing for NPS events is not enabled. Open an elevated PowerShell window and run the following command to view the current auditing setting for NPS events.

auditpol.exe /get /subcategory:”Network Policy Server”

Open an elevated PowerShell window and run the following command to enable auditing for NPS events.

auditpol.exe /set /subcategory:”Network Policy Server” /success:enable /failure:enable

Group Policy

Alternatively, consider using Active Directory group policy to enforce the NPS server auditing settings. Open the Group Policy Management Console (GPMC) and create a new GPO. Next, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Network Policy Server and select the option to audit both success and failure attempts.

Once complete, link this GPO to the OU where the NPS servers reside.

Missing Events

If auditing is enabled and there are no recorded 6272 or 6273 events, the NPS server did not receive any authentication requests from the VPN server. Review the event logs on any other NPS servers if there is more than one configured. In addition, this may indicate that network communication between the VPN and NPS server is blocked. Ensure network connectivity and name resolution are working as expected.

Troubleshooting Guides

Are you interested in learning more about Always On VPN troubleshooting? My Always On VPN book contains an entire chapter dedicated to troubleshooting. Also, my Always On VPN video training course on Pluralsight includes a module on troubleshooting. The video training course is available to Pluralsight subscribers only. If you don’t have a Pluralsight subscription, you can sign up for a free trial here.

Additional Information

Troubleshooting Always On VPN Errors 691 and 812

Troubleshooting Always On VPN Errors 691 and 812 – Part 2

Troubleshooting Always On VPN Errors 691 and 812 – Part 3

Always On VPN NPS Load Balancing

2 Comments
by Richard M. Hicks on August 8, 2022  •  Permalink
Posted in administration, Always On VPN, AOVPN, Enterprise, enterprise mobility, Group Policy, Mobility, network policy server, NPS, Operational Support, PowerShell, Remote Access, reporting, Security, troubleshooting, user tunnel, VPN, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 8, 2022

https://directaccess.richardhicks.com/2022/08/08/always-on-vpn-nps-auditing-and-logging/

« Older Posts
Newer Posts »