
help needed with EAP


Rian

Jan 10, 2002, 10:01:37 AM
Hi,
I have this test configuration:
Win2000 / RRAS server, configured for VPN access with PPTP, authentication
both MS-CHAPv2 and EAP, also Certificate server and Active Directory.

Remote PC with User certificate.

From a remote PC I can access the server with MS-CHAPv2.
I requested with this connection a CA and a User certificate.

Now I changed authentication on the remote PC to EAP. But when trying to
connect I get this:
Verifying username and password...
...
Error 619: A connection to the remote computer could not be established.

Hopefully someone can help me.
However with


Rian

Jan 10, 2002, 4:00:04 PM
I just found there is no problem when the remote PC connects via a modem
connection.
First I tried to connect using an ADSL connection, via a router (Vigor 2200E)
which does NAT.
Can someone confirm NAT is the problem? There is no firewall in place. Are
there other factors to account for?


Thomas W Shinder [MVP]

Jan 10, 2002, 6:39:45 PM
IPSec does not like NAT.

HTH,
--
Tom
www.isaserver.org/shinder
Get the book!

<Rian> wrote in message news:uTsDLnhmBHA.1864@tkmsftngp04...

Rian

Jan 11, 2002, 3:26:13 AM
OK. I didn't know EAP is comparable with IPsec.
Thought PPTP + EAP was NAT-trouble-free.


"Thomas W Shinder [MVP]" <tshi...@hotmail.com> wrote in message
news:ehNZXAjmBHA.2156@tkmsftngp07...

Stefaan Pouseele

Jan 11, 2002, 4:43:39 AM
Hi Rian,

PPTP + EAP should work through NAT. Because PPTP works with MS-CHAPV2, we
can assume that all the necessary ports are open (tcp port 1723 and IP
protocol 47/GRE). However there is one very important issue: when using
EAP-TLS (certificates) there will be ip-fragments during the negotiation
process (certificate chains exchange). So, check that all devices in the
path allow ip-fragments through.

PS: don't forget to disable ip fragment filtering on ISA!

Hope this helps,
Stefaan


<Rian> wrote in message news:eVNQkmnmBHA.2444@tkmsftngp03...
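
An added example, not part of any post in this thread: one way to act on the advice above about IP fragments is to capture on both sides of the NAT device and check whether every fragmented GRE datagram still reassembles. The function names, addresses, IP IDs and packet sizes below are constructed for illustration.

```python
import struct
from collections import defaultdict

GRE = 47  # IP protocol number of the PPTP data channel, as given in the thread
IPV4_HDR = "!BBHHHBBH4s4s"

def parse_ipv4(pkt):
    """Extract the IPv4 header fields needed to follow fragmentation."""
    vihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"key": (src, dst, proto, ident), "proto": proto,
            "mf": bool(flags_off & 0x2000),          # More Fragments flag
            "offset": (flags_off & 0x1FFF) * 8,      # fragment offset in bytes
            "length": total - (vihl & 0x0F) * 4}     # payload bytes in this fragment

def incomplete_gre_datagrams(packets):
    """Return IP IDs of fragmented GRE datagrams that cannot be reassembled."""
    groups = defaultdict(list)
    for pkt in packets:
        h = parse_ipv4(pkt)
        if h["proto"] == GRE and (h["mf"] or h["offset"]):
            groups[h["key"]].append(h)
    broken = []
    for key, frags in groups.items():
        covered, complete = 0, False
        for h in sorted(frags, key=lambda f: f["offset"]):
            if h["offset"] > covered:
                break                                 # hole: a fragment is missing
            covered = max(covered, h["offset"] + h["length"])
            complete = complete or not h["mf"]        # final fragment seen
        if not complete:
            broken.append(key[3])
    return sorted(broken)

def make_packet(ident, offset, mf, length, proto=GRE):
    """Build a constructed IPv4 packet (zero checksum, zero-filled payload)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + length, ident, flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + bytes(length)

# Constructed captures: what the client sent vs. what arrived behind the NAT device.
SENT = [make_packet(1, 0, False, 60, proto=6),        # TCP control packet, ignored
        make_packet(2, 0, False, 120),                # small unfragmented GRE packet
        make_packet(0x1A2B, 0, True, 1480),           # constructed large datagram, fragment 1
        make_packet(0x1A2B, 1480, False, 600)]        # ... fragment 2
RECEIVED = SENT[:3]                                   # trailing fragment dropped in the path

if __name__ == "__main__":
    print("sender side:", incomplete_gre_datagrams(SENT))
    print("receiver side:", incomplete_gre_datagrams(RECEIVED))
```

A datagram that is complete in the sender-side capture but listed as incomplete on the receiver side points at a device in between that filters fragments.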

Rian

Jan 11, 2002, 4:55:59 AM
Stefaan,

Thanks very much for your reply. I think I have to do some study, but now I
know where to look.
Do you know some documentation about this available on the web?

Stefaan Pouseele

Jan 11, 2002, 5:44:55 AM
Rian,

the best documentation I could find (except of course www.isaserver.org) is:

- http://www.microsoft.com/vpn

- Thaddeus Fortenberry's book about W2K virtual private networking
(http://www.amazon.com/exec/obidos/ASIN/1578702461/qid=1005941322/sr=2-2/ref=sr_2_11_2/103-5360793-3596659), highly recommended

- try it out and have a good monitor/sniffer at your disposal ;-)

Hope this helps,
Stefaan

<Rian> wrote in message news:uaZYuYomBHA.2084@tkmsftngp04...

Rian

Jan 11, 2002, 10:25:32 AM
I have bought the book. Thanks for info.

Thomas W Shinder [MVP]

Jan 11, 2002, 12:27:49 PM
Hi Stefaan,

You are correct! Actually, I recall that you did some excellent research on
the certificate fragmentation issue several months ago, with MS telling you
that packets involved with certificate exchanges get fragmented.

Thanks!


--
Tom
www.isaserver.org/shinder
Get the book!

"Stefaan Pouseele" <stefaan....@cevi.be> wrote in message
news:O1RYu0omBHA.2520@tkmsftngp05...

Stefaan Pouseele

Jan 11, 2002, 5:48:23 PM
Tom,

that's right ;-)

However, I always have trouble finding what I posted on the discussion
board. The search engine does not seem to like a search based on the
username of a post. Will that be fixed?

Greetings,
Stefaan

"Thomas W Shinder [MVP]" <tshi...@hotmail.com> wrote in message

news:eLiHOVsmBHA.1876@tkmsftngp03...

Thomas W Shinder [MVP]

Jan 14, 2002, 12:24:55 PM
Hi Stephen,

Not sure how I found the post. Oh yeah, I saved it! :-) It was so good I
couldn't trust it to the Search engine :-)

Thanks!
--
Tom
www.isaserver.org/shinder
Get the book!

"Stefaan Pouseele" <stefaan....@cevi.be> wrote in message

news:OFK1$IvmBHA.2168@tkmsftngp05...
