Re: 3005 setup for pptp to NT Domain authentication

gordons · ‎03-02-2004

I have the 3005 configured to allow ipsec, and have tested it.

However, I cannot seem to get the pptp (windows client) to connect.

I have gone through all the documentation (and this forum) but have not seen anything beyond basic pptp configuration which I have already done.

Any thoughts?

gfullage · ‎03-02-2004

The usual problem with this is your authentication. What error are you getting on the client, is it a username/password error or something else?

If it's a user authentication issue, make sure your NT Domain server added under Config - System - Servers - Authentication is at the very top of the list, especially above the Internal server.

Because PPTP has no concept of a VPN3000-based group, PPTP connections always just use whatever authentication server is listed first under the server screen, so if the Internal server is first then it will be trying to authenticate the user to the VPN3000 internal database, NOT the NT Domain server.

gordons · ‎03-02-2004

I've got the NT domain server first in the list; the fact that they can be moved around at all clued me in to the fact that they are checked in sequence.

I've narrowed the problem down to this:

Authentication test of the server itself from the 3005 admint test tool shows to be successful. However, as soon as I turn on any encryption (anything beyond CHAP), such as MSCHAPv1 or v2, I get an error that says my login name or password is not correct for the domain.

When I turn encryption off, the connection goes right on through, with no error.

Obviously I NEED encryption for these login names and passwords, and I suspect some changes may have to occur on our Win2k Domain controller (the NT authentication server) to do it.

Ironically, the IPSEC setup, which I expected to be the more difficult of the two, was surprisingly easy.