Oh I see. OK, something is getting mixed up there - not sure what. As food for thought later on once you solve this ... I have got an RB3011 running L2TP/IPSEC for users and that authenticates the remote Windows/iPad/iPhone user using RADIUS on their old SBS2008 machine. That is working well for them and wasn't hard to set up.
On Wed, 29 May 2019, at 14:46, Paul Julian wrote:
Hi Jason,
The customer is using Microsoft PPTP Client to a Mikrotik router running PPTP Server, Windows server isn't playing a part at this stage except for allowing access to resources. From what I understand the users log in to their PC with their username and password, that same username and password is defined in the domain but they are still having issues authenticating to the server resources, sometimes it works, sometimes it doesn't.
Regards Paul
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Jason Hecker
Sent: Wednesday, 29 May 2019 1:43 PM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
My experience in the past with Windows SBS machines is that yes, if you used Server's PPTP VPN your IP will get added into a bridge of sorts on the server itself which is part of the LAN subnet.
Is the client connecting with the Mikrotik's PPTP client or are they connecting their PC directly using Windows' PPTP client?
If the former, are they using a masquerade NAT rule for that PPTP endpoint?
On Wed, 29 May 2019, at 13:35, Paul Julian wrote:
Hi Philip,
Thanks for the reply, that's something to look into, and I was thinking maybe something like that was happening. I have since found out a little more about the situation from the client, the VPN interfaces are being added to a LAN bridge which the local users also come in through, the IPs for VPN users are also on the same subnet as local users. After Mike's proxy-arp suggestion I confirmed that proxy-arp was active on the bridge but not on the LAN interface that was in the bridge, I enabled it there as well just in case.
I will see how that goes before making any more changes, but your suggestion is great, thanks.
Regards Paul
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Philip Loenneker
Sent: Wednesday, 29 May 2019 1:28 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
Hi Paul,
Windows has a "feature" where it will use your VPN credentials to access resources such as network shares over the VPN. We experienced that issue, where the VPN account was the same as the user's AD username but did not have the same password, and it caused the account to get locked out very soon after the VPN established. We simply made sure that any usernames did NOT exactly match the AD username (e.g. vpn.username) and that made things more reliable. Of course, if you use RADIUS authentication against your AD, then the feature actually helps you rather than causing an issue.
Could your issue be related to that?
Regards, Philip Loenneker | Network Engineer | TasmaNet
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Paul Julian
Sent: Tuesday, 28 May 2019 11:02 AM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
Hi Mike,
Yes they are on the same subnet, proxy-arp isn't enabled so maybe that is the issue. The strange thing is that some people work and some people don't, so maybe it is proxy-arp.
Regards Paul
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Mike Everest
Sent: Tuesday, 28 May 2019 10:28 AM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
Do remote clients get an address that is on the LAN, or are they routed through?
If the address is on the LAN, then you probably need to enable proxy-arp on the LAN interface of the PPTP server router.
Cheers!
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Regards, Jason Hecker <https://www.upandrunningtech.com.au/>