Does anyone have any experience with Microsoft Always On VPN? I’m trying to spin up infrastructure as a test.
Currently I have a RAS server set up and a separate server with NPS set up for authentication. I’m at the point where I need to verify that the client can connect successfully and access the network before moving on to connection profiles to deploy.
On the client side the client has a proper certificate and is set to use EAP to authenticate. On the RAS side RADIUS is set to send to the NPS server where a network policy is set up for EAP. I am able to get the client to connect to the RAS server, but the client workstation has no internet access and cannot access or ping an internal resource when connected. On the RAS server I receive the following warning:
Event ID 20271
The user [username] connected from [ip address] but failed an authentication attempt due to the following reason: the connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the admin of the RAS server and notify them of this error.
Looking in the NPS logs on the RADIUS server I see that I’m getting NPS event 14: “A RADIUS message was received from RADIUS client [ip address] with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.” I verified the shared secret matches but still receive the error. I did a fair bit of googling but did not see any relevant suggestions regarding this error. I have checked the NPS settings a number of times to make sure the correct form of auth matches the client side, so at this point I’m banging my head against the wall. Any ideas?
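The “invalid authenticator” check behind NPS event 14, worked through as an added example (this is not code from the thread, from Microsoft, or from NPS itself): a small RFC 2865/2869 model of the two authenticators RADIUS uses. The NAS (here, RRAS) and the RADIUS server (NPS) each keep their own copy of the shared secret; an Access-Request that carries EAP must include a Message-Authenticator, an HMAC-MD5 over the packet keyed with that secret (RFC 3579), and the server recomputes it under its own copy. If the two copies differ by even a trailing space, every request fails that check and is logged as an invalid authenticator before any network policy is evaluated. The secret, user name, NAS address and packet identifier below are all constructed for the demonstration.

```python
"""RADIUS authenticator checks behind NPS event 14 (RFC 2865 / RFC 2869).

Constructed example: no real secrets, hosts or users. The NAS (RRAS) and the
RADIUS server (NPS) each hold a copy of the shared secret; if the copies
differ, every HMAC-MD5 Message-Authenticator the NAS sends fails to verify,
which is what "invalid authenticator ... mismatched shared secrets" reports.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (including header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """Yield (type, value, offset) for each attribute after the header."""
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[offset:offset + 2])
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[offset + 2:offset + length], offset
        offset += length


def build_access_request(identifier, secret, request_auth, attrs):
    """Build an Access-Request carrying EAP, as a NAS would (RFC 3579 sec 3.2).

    Message-Authenticator = HMAC-MD5(secret, packet with the attribute's
    16 value bytes set to zero), then written back in place (RFC 2869 5.14).
    """
    body = b"".join(tlv(t, v) for t, v in attrs)
    body += tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder zeros
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    return header + request_auth + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC under *our* copy of the secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < HEADER_LEN:
        return False
    for attr_type, value, offset in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # requests carrying EAP-Message must include the attribute


def build_response(code, identifier, request_auth, secret, attrs=()):
    """Access-Accept/Reject: Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret) (RFC 2865 sec 3)."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_response(packet, request_auth, secret):
    """NAS-side check of a reply against the Request Authenticator it sent."""
    header, got, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, got)


def demo():
    """Return (verifies under matching secret, verifies under mismatched copy)."""
    nas_secret = b"example-shared-secret"    # constructed
    nps_secret = b"example-shared-secret "   # constructed: same text, trailing space
    request_auth = os.urandom(16)            # Request Authenticator is random (RFC 2865)
    identity = b"CONTOSO\\jdoe"              # constructed user
    # EAP Response/Identity: code 2, id 1, length, type 1 (Identity), then the identity
    eap_identity = bytes([2, 1, 0, 5 + len(identity), 1]) + identity
    attrs = [(ATTR_USER_NAME, identity),
             (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # TEST-NET-1, constructed
             (ATTR_EAP_MESSAGE, eap_identity)]
    request = build_access_request(7, nas_secret, request_auth, attrs)
    return (verify_message_authenticator(request, nas_secret),
            verify_message_authenticator(request, nps_secret))


if __name__ == "__main__":
    ok, bad = demo()
    print("matching secret  :", "verified" if ok else "INVALID AUTHENTICATOR")
    print("mismatched copy  :", "verified" if bad else "INVALID AUTHENTICATOR")
```

The practical point of the demo: the server never learns which secret the NAS used, only that the HMAC did not match under its own copy, so “I verified the shared secret matches” has to mean byte-for-byte equality on both ends, including whitespace and the exact RADIUS client entry (by source IP) that NPS matched the request to.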
This is just yet another one of those legacy technologies that Microsoft has patched and botched over the years. Except this time they relaunched it and gave it a fancy name.
The biggest issue I’ve seen is it relies on Windows NLA to detect whether it should or shouldn’t connect, and this often doesn’t work properly and ends up connecting users to the VPN whilst inside the network. But there are likely many others.
My advice would be to move to something like Palo Alto GlobalProtect or FortiClient. You won’t regret it.
We moved to Device Tunnel from Direct Access. Supports a large off-site workforce, a few thousand clients connected daily.
If it didn’t work, I’d have to go into the office.
We use Zscaler ZPA. Just works.
We tried it in 2020 and gave up on it. Far too unstable was our experience as well.
2k users, up to around 1k concurrent connections, 5 different geographically distributed AOVPN clusters (via GeoDNS), no issues at all.
I remember we had one issue with NRPT, but that was back in Windows 10 1809 times.
Currently using FortiClient, and managing it via the Fortinet EMS tool is super buggy. Patching it is awful too.
Had Always On VPN running for 3 years now, 300 users, now 500, and have had zero outages, downtime, crashes etc. It’s never had any issues and works perfectly.
I have good and bad experiences with AOVPN, and in my experience it works well when you use SSTP instead of IKEv2.
Also the internet connection to the RRAS server can cause issues.
I remember I moved a customer from OVPN to an Always On OpenVPN in the past. The always-on option is not out of the box and you need to do some scripting yourself, but it worked 10 times more stably.
Yes, all of them. Which exact issues do you have?
We’re hosting them on Server 2016-2022 and all are good. I’m just doing basic configuration on them, then importing our NPS configs (hosting it on them makes for fewer dependencies), and then using Richard Hicks’ scripts for cipher tuning for both IKEv2 and SSTP.
If you really can’t figure it out, I’d probably buy consulting hours from Richard; he probably knows the RAS services as well as the product group.
Same on the firewall side. They’re nice. We have a smaller user footprint so it does fine for what we need on the VPN side. Just hate the clients. I may look into using a different client with the FortiGates, but I have heard that can be painful.