Sophos XG Firewall: How to configure RADIUS authentication for PPTP and L2TP VPN

Overview

This article explains how to set up a RADIUS server with Windows Server for PPTP and L2TP VPN authentication. The examples in this article use Windows Server 2012R2 as the RADIUS server.

The following sections are covered:

RADIUS server configuration

Configure the RADIUS server on the Active Directory Domain Controller (DC) on Windows Server 2012R2. In this example, everything is set up with MS-CHAPv2.

Configure the Network Policy Server

    1. Open up the Network Policy Server and navigate down to RADIUS Clients.
    2. Fill out the information as shown below:
      • Friendly Name: Pick a friendly name for the XG Firewall.
      • Address: Input the IP address for the XG.

    3. Switch to the Advanced tab.
      • Vendor Name: RADIUS Standard

Connection Request Policy

    1. Create a new Connection Request Policy.
      • Type of network access server: Remote Access Server (VPN-Dial up)

    2. Switch over to the Conditions tab and add the following conditions:
      • NAS Identifier: Friendly name for the firewall
      • NAS IPv4 Address: IP of the firewall
      • Client Friendly Name: XGFirewall
      • NAS Port Type: Virtual (VPN)

    3. Switch to the Settings tab.

    4. Navigate down to Authentication and make sure Authenticate requests on this server is ticked.

Network Policies

    1. Create a new Network Policy and fill out the information as shown below:

    2. Switch to the Conditions tab and add the following conditions:
      • Windows Groups: User/Computer Group with VPN Access.
      • Client Vendor: RADIUS Standard

      Note:

      • The character “\” is not supported as part of the username, for example, DOMAIN\username. The authentication will succeed for DOMAIN\username against the RADIUS server, but the user cannot be created on the XG Firewall side because of the illegal character.
      • The XG Firewall supports authentication with the sAMAccountName username (e.g. usertest) or with the fully qualified username (e.g. usertest@domain.local), but not with the NetBIOS format, which has a “\” character in the username, irrespective of the server.
      • A feature request has already been submitted for this, see Allow authentication with windows credentials (domain\username) for l2tp. It is also included in the Known Issues List (KIL). This KB article will be updated once this feature is implemented.

    3. Switch to the Constraints tab and match the settings shown below:

    4. Switch to the Settings tab and make sure your settings match the image below:

    5. Navigate down to Vendor Specific and match the settings below:

    6. Navigate down to NAP Enforcement and make sure your settings match the image below:

    7. Navigate down to Extended State and make sure your settings match the image below:

    8. Navigate down to Multilink and Bandwidth Allocation Protocol (BAP) and make sure your settings match the image below:

    9. Navigate down to IP Filters and make sure your settings match the image below:

    10. Navigate down to Encryption and make sure your settings match the image below:


Note: For the Sophos XG Firewall’s Test connection option to work in the RADIUS configuration, you need to configure and allow PAP authentication. Otherwise, testing the RADIUS connection fails with a bad username and password error.

    11. Navigate down to IP Settings and make sure your settings match the image below:

Improved Logging

  1. Configure the RADIUS server as the accounting server for better remote connection logging:

Sophos XG Firewall configuration

PPTP XG configuration:

L2TP XG configuration:

PPTP configuration for Windows 10

  1. Go to VPN > PPTP (remote access) and enable PPTP.
  2. Configure the other options accordingly. Click Apply.

L2TP IPSec Policy for Windows 10

To connect with L2TP from Windows 10, a new policy must be made.

  1. Navigate to VPN > IPsec policies and then click Add.
  2. Fill out the policy as shown below. The DH groups for Phase 1 should be group 14 (DH2048) and 16 (DH4096).

  3. Create the L2TP connection by going to VPN > L2TP (remote access).
  4. Configure according to the following and use the IPsec policy that was created above.

  5. Enable the L2TP connection by clicking the red button under the Active column.

Properties of user on XG (L2TP)

  1. Navigate to Authentication > Users.
  2. Check that the L2TP option is checked for the correct users.

Properties of user on XG for PPTP

  1. Navigate to Authentication > Users.
  2. Check that the PPTP option is checked for the correct users.

RADIUS Server Configuration

  1. Navigate to Authentication > Servers and verify that the RADIUS server is created and the IP address and port number are correct.

Note: To test the connection with the Test Connection button, you must enable the Unencrypted authentication (PAP, SPAP) option in the Network Policy of the RADIUS server, because the XG Firewall uses PAP when testing the connection. After testing, disable that option again.
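To confirm that PAP was switched off again after the test, the NPS audit events can be checked for any authentication that did not use MS-CHAPv2. The following is an added example, not part of the original article or of Sophos or Microsoft code; the sample events, the policy name VPN Users and the function names are constructed, and it assumes NPS auditing writes events 6272/6273 to the Security log.

```powershell
# Added example. NPS logs Security event 6272 (access granted) and 6273
# (access denied); the AuthenticationType field records the protocol used.
function Get-NpsAuthRecord {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $doc  = [xml]$raw
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            EventId  = [int]$doc.GetElementsByTagName('EventID')[0].InnerText
            User     = $data['SubjectUserName']
            Client   = $data['ClientName']
            Policy   = $data['NetworkPolicyName']
            AuthType = $data['AuthenticationType']
        }
    }
}

# Return every record whose protocol is not in the allowed list
# (this article configures MS-CHAPv2 only, so PAP should never appear).
function Find-NpsUnexpectedAuth {
    param([Parameter(Mandatory)][string[]]$EventXml,
          [string[]]$Allowed = @('MS-CHAPv2'))
    Get-NpsAuthRecord -EventXml $EventXml | Where-Object { $_.AuthType -notin $Allowed }
}

# Constructed sample events, trimmed to the fields used above.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = @'
<Event xmlns="{0}"><System><EventID>{1}</EventID></System><EventData>
<Data Name="SubjectUserName">{2}</Data><Data Name="ClientName">XGFirewall</Data>
<Data Name="NetworkPolicyName">VPN Users</Data><Data Name="AuthenticationType">{3}</Data>
</EventData></Event>
'@
$sample = @(
    ($template -f $ns, 6272, 'usertest', 'MS-CHAPv2'),
    ($template -f $ns, 6272, 'usertest', 'PAP')
)
Find-NpsUnexpectedAuth -EventXml $sample | Format-Table

# Live use on the NPS server (elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273;
#            StartTime = (Get-Date).AddDays(-1) } | ForEach-Object { $_.ToXml() }
# Find-NpsUnexpectedAuth -EventXml $xml
```

On the constructed sample only the PAP record is returned; on a live server any row in the output after the test window means the unencrypted option is still enabled in a Network Policy.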

Authentication Services

  1. Navigate to Authentication > Services.
  2. Verify that the VPN (IPsec/L2TP/PPTP) Authentication Methods have the RADIUS server checked and at the top of the list.

Create firewall rules

Do not forget to create firewall rules for your new PPTP/L2TP connection in order to gain access to the LAN.

Windows 10 configuration

Configuration options for PPTP and L2TP.

Windows 10 Client Configuration (L2TP)

    1. On Windows 10 go to Settings > Network & Internet > VPN.
    2. Click + Add a VPN connection.
    3. Create a basic Windows (Built-in) VPN with the Sophos XG Firewall’s connection information.
    4. VPN type should read L2TP/IPsec with pre-shared key.
    5. Save the connection.
    6. Now from the same window click on Change Adapter Options in the top right of the screen.
    7. Right click on the VPN that was created and select Properties.
    8. Select the Options tab and then click on PPP.
    9. Match the example below:

    10. Click on the Security tab and then check the button next to Allow these protocols and select Microsoft CHAP Version 2 (MS-CHAP v2).

    11. On this tab click Advanced Settings to add the preshared key.

Windows 10 Client Configuration (PPTP)

    1. On Windows 10 go to Settings > Network & Internet > VPN.
    2. Click + Add a VPN connection.
    3. Create a basic Windows (Built-in) VPN with the Sophos XG Firewall’s connection information.
    4. VPN type should read PPTP.
    5. Save the connection.
    6. Now from the same window click on Change Adapter Options in the top right of the screen.
    7. Right click on the VPN that was created and select Properties.
    8. Select the Options tab and then click on PPP.
    9. Match the example below:

    10. Click on the Security tab and then check the button next to Allow these protocols and select Microsoft CHAP Version 2 (MS-CHAP v2).

Note: To use CHAP authentication, the user account in AD must have the checkbox for storing credentials in reversible encryption ticked. This is due to the way Windows stores credentials. All other options remain the same, except that you use the CHAP protocol instead of MS-CHAPv2.

Additional tips

If you do not want your users to browse the internet through the XG, or a user does not want to use the internet through the XG while connected to the VPN, turn off Use default gateway on remote network in the advanced TCP/IP settings of the VPN connection properties.
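The two Windows 10 client procedures and the default gateway tip above can also be scripted with the built-in VpnClient cmdlets. This is an added example, not part of the original article; the function names, the server address vpn.example.com and the pre-shared key placeholder are assumptions, and EncryptionLevel Required is an assumed setting that the article does not state.

```powershell
# Added example. Creates the Windows built-in VPN profile with MS-CHAPv2 only.
# -SplitTunnel corresponds to clearing "Use default gateway on remote network".
function New-XgVpnProfile {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress,
        [ValidateSet('L2tp', 'Pptp')][string]$TunnelType = 'L2tp',
        [string]$PreSharedKey,
        [switch]$SplitTunnel
    )
    $params = @{
        Name                 = $Name
        ServerAddress        = $ServerAddress
        TunnelType           = $TunnelType
        AuthenticationMethod = 'MSChapv2'
        EncryptionLevel      = 'Required'      # assumption, not from the article
        SplitTunneling       = [bool]$SplitTunnel
        Force                = $true           # suppress the PSK confirmation prompt
        PassThru             = $true
    }
    if ($TunnelType -eq 'L2tp') {
        if (-not $PreSharedKey) { throw 'L2TP/IPsec needs the pre-shared key configured on the XG.' }
        $params.L2tpPsk = $PreSharedKey
    }
    Add-VpnConnection @params
}

# Read the profile back and report whether anything other than MS-CHAPv2
# (for example PAP or CHAP) is allowed on it.
function Test-XgVpnProfile {
    param([Parameter(Mandatory)][string]$Name)
    $c    = Get-VpnConnection -Name $Name
    $weak = @($c.AuthenticationMethod | Where-Object { $_ -ne 'MsChapv2' })
    [pscustomobject]@{
        Name           = $c.Name
        TunnelType     = $c.TunnelType
        OnlyMsChapV2   = ($weak.Count -eq 0)
        SplitTunneling = $c.SplitTunneling
    }
}

# Placeholder values: replace the server address and key with your own.
New-XgVpnProfile -Name 'XG L2TP' -ServerAddress 'vpn.example.com' `
    -PreSharedKey '<pre-shared key>' -SplitTunnel | Out-Null
Test-XgVpnProfile -Name 'XG L2TP'
```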