Mikrotik VPN and MS Windows authentication issues
Hi All, We have a customer who is running a Windows server environment with Active Directory, they also use a Mikrotik and run PPTP VPN to connect into their office. They are having issues with authentication on the Windows PC's when accessing the shares on the server and wondering if anybody has any suggestions on how to make this work. I recall some time ago that there were issues if the cached credentials on the PC's weren't updated regularly, and I have also wondered if using Windows IAS for the VPN Authentication may help but the customer is looking to us for help and I haven't really done this sort of thing for a while and was hoping that somebody could point me in the right direction for a solution which would work for them and not cause them to have to re-auth when accessing those resources on the server. Thanks Paul
Is their computer on the PPTP VPN already joined to the domain? Or is it a Home edition where they need to keep plugging in their credentials to access resources? You can always go to the credential manager on their PC and delete the existing cached credentials and they can type them in fresh (maybe after a reboot).
Regards, Jason Hecker <https://www.upandrunningtech.com.au/>
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Hi Jason, I believe that all of the machines connecting in via VPN as part of the domain and are regularly plugged into the network at the office. Regards Paul
Hi Paul, This could be DNS related to the Kerberos token. I would check that you're giving out a domain controller for the DNS server in your PPP profile and if not then you're relaying via something else (like the router) which also provides the suffix resolution. Using a DC would be the way to go though. Cheers, RJ
Do remote clients get an address that is on the LAN, or are they routed through? If the address is on the LAN, then you probably need to enable proxy-arp on the lan interface of the pptp server router. Cheers!
HI Mike, Yes they are on the same subnet, proxy-arp isn't enabled so maybe that is the issue. The strange thing is that some people work and some people don't, so maybe it is proxy-arp. Regards Paul
Hi Paul, Windows has a "feature" where it will use your VPN credentials to access resources such as network shares over the VPN. We experienced that issue, where the VPN account was the same as the users AD username but did not have the same password, and it caused the account to get locked out very soon after the VPN established. We simply made sure that any usernames did NOT exactly match the AD username (eg vpn.username) and that made things more reliable. Of course, if you use RADIUS authentication against your AD, then the feature actually helps you rather than causing an issue. Could your issue be related to that? Regards, Philip Loenneker | Network Engineer | TasmaNet
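The credential reuse described in the message above is controlled per connection on the Windows client by the `UseRasCredentials` key in the `rasphone.pbk` phonebook file; with the key set to 0, Windows stops presenting the VPN logon to network resources and uses the user's Windows logon credentials instead. The script below is an added example, not part of the original thread: it flips the key for one named phonebook entry. The entry name "Office VPN" and the sample phonebook text are constructed, and the default path assumes a per-user connection.

```powershell
# Added example (not from the thread). The phonebook text and the entry name
# "Office VPN" are constructed for illustration.

function Set-UseRasCredentials {
    # Returns the phonebook lines with UseRasCredentials rewritten for one
    # entry only; every other entry and key is passed through unchanged.
    param(
        [string[]]$Lines,
        [string]$EntryName,
        [ValidateRange(0, 1)][int]$Value = 0
    )
    $inEntry = $false
    $changed = $false
    $result = foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Each VPN connection is one [Name] section in rasphone.pbk.
            $inEntry = ($Matches[1] -eq $EntryName)
            $line
        }
        elseif ($inEntry -and $line -match '^UseRasCredentials=') {
            $changed = $true
            "UseRasCredentials=$Value"
        }
        else {
            $line
        }
    }
    if (-not $changed) {
        # Fail loudly instead of silently leaving the old behaviour in place.
        throw "No UseRasCredentials key found under [$EntryName]"
    }
    return $result
}

function Update-PbkFile {
    # Applies the change to a real phonebook file, keeping a .bak copy.
    # Default path is the per-user phonebook; connections created for all
    # users live under C:\ProgramData\Microsoft\Network\Connections\Pbk.
    param(
        [string]$Path = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
        [string]$EntryName
    )
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $updated = Set-UseRasCredentials -Lines (Get-Content -Path $Path) -EntryName $EntryName
    Set-Content -Path $Path -Value $updated
}

# Constructed sample phonebook with two entries; only the first is changed.
$sample = @'
[Office VPN]
Type=2
AutoLogon=0
UseRasCredentials=1

[Other VPN]
Type=2
UseRasCredentials=1
'@ -split "`r?`n"

Set-UseRasCredentials -Lines $sample -EntryName 'Office VPN'
```

Running the script only prints the rewritten sample; `Update-PbkFile -EntryName '<connection name>'` is the call that touches a real phonebook.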
Hi Philip, Thanks for the reply, that's something to look into, and I was thinking maybe something like that was happening. I have since found out a little more about the situation from the client, the VPN interfaces are being added to a LAN bridge which the local users also come in through, the IP's for VPN users are also on the same subnet as local users. After Mike's proxy-arp suggestion I confirmed that proxy-arp was active on the bridge but not on the LAN interface that was in the bridge, I enabled it there as well just in case. I will see how that goes before making any more changes, but your suggestion is great, thanks Regards Paul
My experience in the past with Windows SBS machines is that yes, if you used Server's PPTP VPN your IP will get added into a bridge of sorts on the server itself which is part of the LAN subnet. Is the client connecting with the Mikrotik's PPTP client or are they connecting their PC directly using Window's PPTP client? If the former are they using a masquerade NAT rule for that PPTP endpoint?
Regards, Jason Hecker <https://www.upandrunningtech.com.au/>
Hi Jason, The customer is using Microsoft PPTP Client to a Mikrotik router running PPTP Server, Windows server isn't playing a part at this stage except for allowing access to resources.
From what I understand the users login to their PC with their username and password, that same username and password is defined in the domain but they still having issues authenticating to the server resources, sometimes it works, sometimes it doesn't.
Regards Paul
Hi, Well.... if the VPN is working and you have IP Connectivity through to the server, then it is not really a mikrotik issue. Andrew
Oh I see. OK, something is getting mixed up there - not sure what. As food for thought later on once you solve this ... I have got an RB3011 running L2TP/IPSEC for users and that authenticates the remote Windows/iPad/iPhone user using RADIUS on their old SBS2008 machine. That is working well for them and wasn't hard to set up. On Wed, 29 May 2019, at 14:46, Paul Julian wrote:
Hi Jason,
The customer is using Microsoft PPTP Client to a Mikrotik router running PPTP Server, Windows server isn't playing a part at this stage except for allowing access to resources. From what I understand the users login to their PC with their username and password, that same username and password is defined in the domain but they still having issues authenticating to the server resources, sometimes it works, sometimes it doesn't.
Regards Paul
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Jason Hecker Sent: Wednesday, 29 May 2019 1:43 PM To: public@talk.mikrotik.com.au Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
My experience in the past with Windows SBS machines is that yes, if you used Server's PPTP VPN your IP will get added into a bridge of sorts on the server itself which is part of the LAN subnet.
Is the client connecting with the Mikrotik's PPTP client or are they connecting their PC directly using Window's PPTP client?
If the former are they using a masquerade NAT rule for that PPTP endpoint?
On Wed, 29 May 2019, at 13:35, Paul Julian wrote:
Hi Philip,
Thanks for the reply, that's something to look into, and I was thinking maybe something like that was happening. I have since found out a little more about the situation from the client, the VPN interfaces are being added to a LAN bridge which the local users also come in through, the IP's for VPN users are also on the same subnet as local users. After Mike's proxy-arp suggestion I confirmed that proxy-arp was active on the bridge but not on the LAN interface that was in the bridge, I enabled it there as well just in case.
I will see how that goes before making any more changes, but your suggestion is great, thanks
Regards Paul
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Philip Loenneker Sent: Wednesday, 29 May 2019 1:28 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
Hi Paul,
Windows has a "feature" where it will use your VPN credentials to access resources such as network shares over the VPN. We experienced that issue, where the VPN account was the same as the users AD username but did not have the same password, and it caused the account to get locked out very soon after the VPN established. We simply made sure that any usernames did NOT exactly match the AD username (eg vpn.username) and that made things more reliable. Of course, if you use RADIUS authentication against your AD, then the feature actually helps you rather than causing an issue.
Could your issue be related to that?
Regards, Philip Loenneker | Network Engineer | TasmaNet
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Paul Julian Sent: Tuesday, 28 May 2019 11:02 AM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
HI Mike,
Yes they are on the same subnet, proxy-arp isn't enabled so maybe that is the issue. The strange thing is that some people work and some people don't, so maybe it is proxy-arp.
Regards Paul
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Mike Everest Sent: Tuesday, 28 May 2019 10:28 AM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
Do remote clients get an address that is on the LAN, or are they routed through?
If the address is on the LAN, then you probably need to enable proxy-arp on the lan interface of the pptp server router.
Cheers!
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Regards, Jason Hecker <https://www.upandrunningtech.com.au/>
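Philip Loenneker's point above, that a VPN account whose name exactly matches an AD username but carries a different password leads to lockouts, can be audited offline. The following is an added example, not code from the thread: it assumes the router's `/ppp secret export` output and a list of AD sAMAccountName values are available as text; the function names are hypothetical and both samples are constructed.

```python
import re
import shlex

# Constructed sample of `/ppp secret export` output (not taken from the thread).
ROUTEROS_EXPORT = r'''
/ppp secret
add name=jsmith profile=default-encryption service=pptp
add name=vpn.mbrown profile=default-encryption service=pptp
add comment="contractor, long line wrapped by export" name=ANguyen \
    service=pptp
/ppp profile
add name=ignored-profile
'''

# Constructed sample of AD logon names (sAMAccountName values).
AD_USERS = ["jsmith", "mbrown", "anguyen", "svc-backup"]


def ppp_secret_names(export_text):
    """Return the name= value of every `add` line in the /ppp secret section."""
    # The export wraps long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    names, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # A new menu path starts a new section of the export.
            in_section = line == "/ppp secret"
        elif in_section and line.startswith("add "):
            # shlex keeps quoted values such as comments in one token.
            for token in shlex.split(line)[1:]:
                key, _, value = token.partition("=")
                if key == "name":
                    names.append(value)
    return names


def colliding_accounts(export_text, ad_users):
    """VPN secrets whose name exactly matches an AD logon name.

    AD logon names are case-insensitive, so the comparison is too.
    """
    ad = {u.casefold() for u in ad_users}
    return sorted(n for n in ppp_secret_names(export_text) if n.casefold() in ad)


if __name__ == "__main__":
    for name in colliding_accounts(ROUTEROS_EXPORT, AD_USERS):
        print(f"VPN secret '{name}' matches an AD username")
```

Accounts it reports are candidates for the `vpn.username` renaming convention mentioned in the thread.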
Yes I have been thinking of perhaps moving them to that model, it would be a good option with the old style of PPTP now too.
Regards Paul
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Jason Hecker Sent: Wednesday, 29 May 2019 3:01 PM To: public@talk.mikrotik.com.au Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
Oh I see. OK, something is getting mixed up there - not sure what.
As food for thought later on once you solve this ... I have got an RB3011 running L2TP/IPSEC for users and that authenticates the remote Windows/iPad/iPhone user using RADIUS on their old SBS2008 machine. That is working well for them and wasn't hard to set up.
On Wed, 29 May 2019, at 14:46, Paul Julian wrote:
Hi Jason,
The customer is using Microsoft PPTP Client to a Mikrotik router running PPTP Server, Windows server isn't playing a part at this stage except for allowing access to resources. From what I understand the users log in to their PC with their username and password, that same username and password is defined in the domain but they are still having issues authenticating to the server resources, sometimes it works, sometimes it doesn't.
Regards Paul
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Jason Hecker Sent: Wednesday, 29 May 2019 1:43 PM To: public@talk.mikrotik.com.au Subject: Re: [MT-AU Public] Mikrotik VPN and MS Windows authentication issues
My experience in the past with Windows SBS machines is that yes, if you used Server's PPTP VPN your IP will get added into a bridge of sorts on the server itself which is part of the LAN subnet.
Is the client connecting with the Mikrotik's PPTP client or are they connecting their PC directly using Windows' PPTP client?
If the former, are they using a masquerade NAT rule for that PPTP endpoint?
On Wed, 29 May 2019, at 13:35, Paul Julian wrote:
Hi Philip,
Thanks for the reply, that's something to look into, and I was thinking maybe something like that was happening. I have since found out a little more about the situation from the client, the VPN interfaces are being added to a LAN bridge which the local users also come in through, the IPs for VPN users are also on the same subnet as local users. After Mike's proxy-arp suggestion I confirmed that proxy-arp was active on the bridge but not on the LAN interface that was in the bridge, I enabled it there as well just in case.
I will see how that goes before making any more changes, but your suggestion is great, thanks
Regards Paul
The company I am now working for has just implemented L2TP/IPSEC because PPTP was breaking over anyone using 4G with CGNAT in the mix. The protocol 47 traffic was just not working. This is MS Client to MS Server, however; but food for thought on the PPTP side.
On Wednesday, 29 May 2019 3:36:42 PM AEST Paul Julian wrote:
Yes I have been thinking of perhaps moving them to that model, it would be a good option with the old style of PPTP now too.
Regards Paul
participants (7)
- Andrew Oakeley
- Jason Hecker
- Michael Junek
- Mike Everest
- Paul Julian
- Philip Loenneker
- RJ Plummer