
PEAP/EAP authentication


Hello!

Please let me clarify a couple of questions regarding EAP and IKEv2 VPN.

The theory:

https://technet.microsoft.com/en-us/library/cc754179%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

"The NPS server authenticates the user and client computer with the authentication type that is selected for use with PEAP. The
authentication type can be either EAP-TLS (smart card or other certificate) or EAP-MS-CHAP v2 (secure password)."

From this I conclude that if I want to use EAP-TLS, my clients will authenticate using ONLY their user certificates.

The practice:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-overview

This guide suggests creating a network policy that checks security group membership:

When I'm trying to connect to the VPN server, I see that the user name and domain information really does get logged on my NPS server:

...so

Q1: If EAP-TLS does NOT use user name/password checking, how can this information (domain/username) reach the NPS server?

Q2: When I connect to the VPN using the IKEv2 protocol, I see in the accounting log on the NPS server that the connection attempt was successful (and there are no errors on the VPN or NPS server in the logs), but on the client I get this:

The error in the client's application log:

"The user Test\user1 dialed a connection named Test-VPN which has failed.The error code returned on failure is 902."

The error in the vpn server's log:

"[4544] 12-11 12:15:05:411: DeviceListenRequest: Clearing Autoclose flag on port VPN2-3
[4544] 12-11 12:15:05:411: onecoreuap\net\rras\ras\rasman\rasman\util.c: 2789: port 509 state chg: prev=4, new=1
[4544] 12-11 12:15:05:411: onecoreuap\net\rras\ras\rasman\rasman\util.c: 2820: port 509 async reqtype chg: prev=0, new=27
[4544] 12-11 12:15:05:411: Listen posted on port: VPN2-3, error code 600"

I failed to find any explanation for this issue ...

This error is being discussed here but there also seems to be no solution.

Thank you in advance,

Michael
