
AO VPN - IKEv2 - authentication error when validating server identity


Hello,

I'm trying to set up Always-On VPN and I ran into an authentication error when the option to "Verify the server identity" is selected. 

If I de-select it, I can connect without any problems.

If I do select it and input my RADIUS servers in there, I get error 16: 

Reason Code:16
Reason:Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Here's a snippet of the official MS guide for setting up AO VPN:

a. In the Connect to these servers box, type the name of the NPS server that you retrieved from the NPS server authentication settings earlier in this section (for example, NPS01).

 Note

The server name you type must match the name in the certificate. You recovered this name earlier in this section. If the name does not match, the connection will fail, stating that “The connection was prevented because of a policy configured on your RAS/VPN server.”

b. Under Trusted Root Certification Authorities, select the root CA that issued the NPS server's certificate (for example, contoso-CA).

And I do believe this is where my problem is, but I am not 100% sure. The NPS server's certificate was NOT issued by a Trusted Root CA, but rather by an Intermediate CA since we're using a two-tier PKI infrastructure.

I tried tricking the OS by adding the Intermediate CA Certificate to the Trusted Root CAs Store, which in turn did allow me to select it in the network adapter properties for the VPN, but in the end it did not make a difference and I was still getting authentication errors. 

Is it possible that due to the fact that the Issuer is the Intermediate CA I will not have the possibility to use the server validation option?

Kind regards,

Wojciech
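
Added example, not part of the original post or of the Microsoft guide: a PowerShell check that lists the names in each server-authentication certificate on the NPS server and the chain Windows builds from it up to its root, so the name typed in "Connect to these servers" and the CA selected on the client can be compared with what the certificate actually contains. Assumptions: it runs elevated on the NPS server, the NPS certificate is in the LocalMachine\My store, and `NPS01` (the guide's example name) stands in for the real server name.

```powershell
# Added example. Assumptions: run elevated on the NPS server; the NPS certificate
# is in LocalMachine\My; 'NPS01' is a placeholder for the name typed on the client.
$NpsName       = 'NPS01'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}

foreach ($cert in $candidates) {
    # Names a client can compare against: subject CN and DNS SAN entries
    $names = @($cert.GetNameInfo('SimpleName', $false)) + @($cert.DnsNameList.Unicode) |
        Where-Object { $_ } | Select-Object -Unique
    "Certificate $($cert.Thumbprint)"
    "  names      : $($names -join ', ')"
    "  name match : $($names -contains $NpsName)"

    # Build the chain without revocation lookups, so the check also works
    # when the CRL/OCSP endpoints are not reachable from this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    "  chain valid: $($chain.Build($cert))"

    # ChainElements runs from the server certificate (depth 0) up to the root
    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.Subject -eq $c.Issuer) { $role = 'root' }
        elseif ($depth -eq 0) { $role = 'server' }
        else { $role = 'intermediate' }
        [pscustomobject]@{
            Depth       = $depth
            Role        = $role
            Subject     = $c.GetNameInfo('SimpleName', $false)
            Issuer      = $c.GetNameInfo('SimpleName', $true)
            InRootStore = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
            InCAStore   = Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)"
        }
        $depth++
    }
    # Any chain problems found (untrusted root, partial chain, expired, ...)
    $chain.ChainStatus | ForEach-Object { "  status     : $($_.Status)" }
}
```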

