IPSEC/IKEv2 VPN auth mschap fail
another_user
Posts: 16 Freshman Member
Hi Guys
I've noticed a minor bug on USG1100 firmware V4.39(AAPK.0) about IKEv2 VPN with MSCHAP authentication.
This little bug wasn't present on the 4.31 firmware.
The AD server is a 2012 R2 64-bit; the query works without problems. This issue is very strange: it gives an auth fail approximately every 7-10 days and only for 20-30 minutes.
In this window nobody can authenticate; the users already connected remain connected. The logs report IKE auth fail.
After this short period VPN auth works again. If I change and undo the option "extended authentication protocol" on the VPN gateway before the 20 minutes are over, it works again.
The users' VPN MSCHAP test works in that time range, and the AAA server test the same.
I tried to change some minor options without success.
This appears to be a little bug about phase 1 authentication on IPsec.
Has anyone noticed similar problems?
Many thanks
Comments
You can try to enter this debug command while the issue is happening:
Router# _debug domain-auth test profile-name ad username administrator password XXXXXXXX
--ad is the default AAA profile name.
--administrator is the AD default username; enter the correct password. Of course you can test whichever username you like.
It checks whether the USG is able to connect to the AD server by SMB while the issue is happening.
Hello Mr Stanley
The issue occurred about 30 minutes ago, VPN error 691 (incorrect username and password).
I executed the command, with this result:
Router> _debug domain-auth test profile-name ad_mschap username correctUser password XXXXXXXXXXX
Failed to join domain: failed to connect to AD: Invalid credentials
/usr/sbin/winbindd -s /var/zyxel//ZyXELad_mschap.conf
ntlm_auth --username=correctUser --password=XXXXXXXXXXX
NT_STATUS_OK: Success (0x0)
/usr/bin/killwinbind ZyXELad_mschap
And the VPN works again; this happened from 10:10 to 10:35 (am).
After 10-15 minutes, the same command:
Router> _debug domain-auth test profile-name ad_mschap username correctUser password XXXXXXXXXXX
Using short domain name -- DOMAINNAME
Joined 'USG1100' to dns domain 'DOMAINNAME.local'
/usr/sbin/winbindd -s /var/zyxel//ZyXELad_mschap.conf
ntlm_auth --username=correctUser --password=XXXXXXXXXXX
NT_STATUS_OK: Success (0x0)
/usr/bin/killwinbind ZyXELad_mschap
The command at first reported invalid credentials, but they are the same (checked and corrected).
The user in the MSCHAP config is a domain admin member; other AD services (Exchange login, user AD PC access) worked.
The only thing different is that yesterday I rebooted after Windows Update (20 hours before): update + reboot, 5 minutes of downtime, but the configuration points to two AD servers.
This symptom has been fixed in the 4.60P1 firmware.
You may upgrade to the latest firmware and monitor it for a few days again.
Hi Stanley, I upgraded 13 days ago to the latest firmware 4.65(AAPK.1). For all these days VPN IKE worked fine, but today the little bug reappeared for the usual 30-40 minutes, then disappeared.
The Active Directory test, at the same time as the VPN error, reports status OK, like in the past.
I think that the problem concerns the module "Extended Authentication Protocol" in the menu of "server mode" --> "AAA method" and "allowed user" located on the VPN gateway. MSCHAP is active.
Any other ideas?
Are all of the IKEv2 clients unable to build a VPN tunnel anymore? Can you post the VPN tunnel log entries for the tunnels that fail to build?
If the debug command replied with success, then there should be no problem authenticating by MSCHAPv2... It means the issue may come from another reason.
You can paste the response message after entering the debug command to verify again.
When the problem occurs ALL IKE VPNs fail to connect with the same error: username and password not correct.
At this moment, as I'm writing, the VPN works, but the _debug command reports an error on the domain join:
Router> _debug domain-auth test profile-name ad_mschap username &USERNAME password &PASSWORD
Failed to join domain: failed to connect to AD: Invalid credentials
/usr/sbin/winbindd -s /var/zyxel//ZyXELad_mschap.conf
ntlm_auth --username=&USERNAME --password=&PASSWORD
NT_STATUS_OK: Success (0x0)
/usr/bin/killwinbind ZyXELad_mschap
It's a crazy situation.
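The transcripts pasted in this thread have two independent parts: the domain join attempt (winbindd) and the ntlm_auth check, and they disagree: "Failed to join domain ... Invalid credentials" is followed by "NT_STATUS_OK". Reading that by eye across several pastes is error-prone, and the command also echoes the AD password in clear text on the CLI. The script below is an added example, not part of the thread and not Zyxel code: it parses a pasted `_debug domain-auth test` transcript, reports which of the two checks failed, and redacts the password before the transcript is shared. The sample transcripts are constructed from the lines quoted in the thread; the `NT_STATUS_LOGON_FAILURE` sample is an assumed failure shape that the thread never shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples, reproducing the outcomes pasted in the thread with
# line breaks restored. The password is redacted as in the original posts.
JOIN_FAILED_AUTH_OK = """\
Router> _debug domain-auth test profile-name ad_mschap username correctUser password XXXXXXXXXXX
Failed to join domain: failed to connect to AD: Invalid credentials
/usr/sbin/winbindd -s /var/zyxel//ZyXELad_mschap.conf
ntlm_auth --username=correctUser --password=XXXXXXXXXXX
NT_STATUS_OK: Success (0x0)
/usr/bin/killwinbind ZyXELad_mschap
"""

HEALTHY = """\
Router> _debug domain-auth test profile-name ad_mschap username correctUser password XXXXXXXXXXX
Using short domain name -- DOMAINNAME
Joined 'USG1100' to dns domain 'DOMAINNAME.local'
/usr/sbin/winbindd -s /var/zyxel//ZyXELad_mschap.conf
ntlm_auth --username=correctUser --password=XXXXXXXXXXX
NT_STATUS_OK: Success (0x0)
/usr/bin/killwinbind ZyXELad_mschap
"""

# Assumed shape of a real credential failure (not shown anywhere in the thread):
# join succeeds but ntlm_auth returns a status other than NT_STATUS_OK.
AUTH_FAILED = """\
Router> _debug domain-auth test profile-name ad_mschap username correctUser password XXXXXXXXXXX
Joined 'USG1100' to dns domain 'DOMAINNAME.local'
/usr/sbin/winbindd -s /var/zyxel//ZyXELad_mschap.conf
ntlm_auth --username=correctUser --password=XXXXXXXXXXX
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)
/usr/bin/killwinbind ZyXELad_mschap
"""

PROFILE_RE = re.compile(r"_debug domain-auth test profile-name (\S+)")
STATUS_RE = re.compile(r"^(NT_STATUS_\w+):")


@dataclass
class DebugResult:
    profile: Optional[str]       # AAA profile named on the command line
    join_ok: Optional[bool]      # None if no join line was seen
    join_message: str            # the join line as printed by the USG
    ntlm_status: Optional[str]   # e.g. "NT_STATUS_OK"; None if not seen


def parse_debug_output(text: str) -> DebugResult:
    """Extract the join outcome and the ntlm_auth status from a pasted transcript."""
    profile, join_ok, join_message, ntlm_status = None, None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.search(line)
        if m:
            profile = m.group(1)
            continue
        if line.startswith("Joined "):
            join_ok, join_message = True, line
            continue
        if line.startswith("Failed to join domain"):
            join_ok, join_message = False, line
            continue
        m = STATUS_RE.match(line)
        if m:
            ntlm_status = m.group(1)
    return DebugResult(profile, join_ok, join_message, ntlm_status)


def classify(result: DebugResult) -> str:
    """Collapse the two checks into one verdict; the mixed case is the one in this thread."""
    if result.join_ok is None or result.ntlm_status is None:
        return "incomplete"
    if result.ntlm_status != "NT_STATUS_OK":
        return "auth-failed"
    if not result.join_ok:
        return "join-failed-auth-ok"
    return "healthy"


def redact_secrets(text: str) -> str:
    """Mask the password the debug command echoes before a transcript is posted."""
    text = re.sub(r"(password )\S+", r"\1<redacted>", text)
    return re.sub(r"(--password=)\S+", r"\1<redacted>", text)


if __name__ == "__main__":
    for name, sample in (("join-failed", JOIN_FAILED_AUTH_OK),
                         ("healthy", HEALTHY), ("auth-failed", AUTH_FAILED)):
        r = parse_debug_output(sample)
        print(f"{name}: profile={r.profile} verdict={classify(r)} join={r.join_message!r}")
    print(redact_secrets(HEALTHY))
```

Paste a transcript through `redact_secrets` before posting it; the USG prints the password both on the command echo and on the `ntlm_auth --password=` line, so a paste of the raw output discloses the AD account used for MSCHAP.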
Hi @another_user
I will send you a private message to check this issue further.