L2TP/SSTP - can't get traffic routed or passed over the VPN connection

Hi @Dmitry, I have done some more testing and also set up a freeradius server. With freeradius it works just the way it does with local users. No problems at all. With Microsoft Radius (NPS) it does not.
Looking in the logfiles there are two attributes missing from the response when using Microsoft NPS. Freeradius sends: <MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>

I have tried to test every possible option for MPPE encryption on the settings page, but those attributes are not sent.

I have also tried to test different settings of mppe in the configuration file (deny/require/prefer) in both the l2tp and ppp section.

In the logfile I also get the message you noticed “mppe: 128-bit session keys not allowed, disabling mppe …”

Copy of relevant logfile lines below:

Freeradius

Jun 21 20:06:32 vyos accel-l2tp: :: send [RADIUS(1) Access-Request id=1 <User-Name “TestUser”> <NAS-Identifier “x.x…96.14”> <Calling-Station-Id “y.y.217.67”> <Called-Station-Id “x.x…96.14”> <MS-CHAP-Challenge 0xb805b06016ab8f9e383c1a458aa3a8bc> <MS-CHAP2-Response 0x010090178bf21dd89846a0268a1a3e53ed26000000000000000031fcba57f05f9360b91e757c2716cd93d2adfd703d18f31e>]
Jun 21 20:06:32 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <MS-CHAP2-Success 0x01533d43373031303337453937343932453130464631303944464142363243434238353037343137354431> <MS-MPPE-Recv-Key 0x83f042da7e66fd179fd7626c807390a84c5642a442b3be3c45eca13c78c59f99dcf7> <MS-MPPE-Send-Key 0x8e5c8183f6964cf4440a8c437533aa31cf348257df6a0e22746dbd43cfcdea41bf23> <MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>]

Microsoft NPS

Jun 21 20:12:30 vyos accel-l2tp: :: send [RADIUS(1) Access-Request id=1 <User-Name “[email protected]”> <NAS-Identifier “x.x…96.14”> <Calling-Station-Id “y.y.217.67”> <Called-Station-Id “x.x…96.14”> <MS-CHAP-Challenge 0xeb0023b4376ce2b6a0bc7c84633cce6f> <MS-CHAP2-Response 0x0100359cca40fa0e5f3dae1d179264d98e9f0000000000000000f36e59d50f3394526ec684e6b7d29427a9a2ab0f0de01098>]
Jun 21 20:12:31 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 <359cca40fae5f3dae1d179264d98e9f>, , F=0, name="[email protected]"]
Jun 21 20:12:33 vyos accel-l2tp: :: recv [MSCHAP-v2 Response id=1 <359cca40fae5f3dae1d179264d98e9f>, , F=0, name="[email protected]"]
Jun 21 20:12:34 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 <Class 0xac4809490000013700010200c10f603c000000007c3c5746a5a3743501d643b6ea8ef60e000000000000000f> <MS-MPPE-Recv-Key 0x8019834ac83b843fd7cebb6228b4272ebc8b0188ba07743b37d0c31b492b34167dad> <MS-MPPE-Send-Key 0x801aa2ca51b26162c18fe0c7f62948105dd8a4e9c36aac7083b88fd230170831fdb0> <MS-CHAP2-Success 0x01533d34454641373037413943353745434243364237454442353533364633384243373131313641333937> <MS-CHAP-Domain “#001DOMAIN”>]
Jun 21 20:12:34 vyos accel-l2tp: :: mppe: 128-bit session keys not allowed, disabling mppe …
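
The comparison made in the post above, as an added example that is not part of the original post: a Python script that pulls the attribute names out of accel-l2tp `Access-Accept` log lines and reports which of the two MS-MPPE policy attributes are absent, and which attributes one server sends that the other does not. The log lines are constructed in the format shown above with shortened values, and all function names are hypothetical.

```python
import re

# The two attributes the post found in the freeradius reply but not in the NPS reply.
MPPE_POLICY_ATTRS = {"MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Type"}
ACCEPT_RE = re.compile(r"recv \[RADIUS\(\d+\) Access-Accept id=\d+ (.*)\]\s*$")
ATTR_RE = re.compile(r"<([A-Za-z0-9-]+)(?: [^>]*)?>")

# Constructed sample lines (values shortened), not copied from a real capture.
FREERADIUS_LOG = (
    'Jun 21 20:06:32 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 '
    '<MS-CHAP2-Success 0x01> <MS-MPPE-Recv-Key 0x83f0> <MS-MPPE-Send-Key 0x8e5c> '
    '<MS-MPPE-Encryption-Policy 1> <MS-MPPE-Encryption-Type 6>]\n'
)
NPS_LOG = (
    'Jun 21 20:12:34 vyos accel-l2tp: :: recv [RADIUS(1) Access-Accept id=1 '
    '<Class 0xac48> <MS-MPPE-Recv-Key 0x8019> <MS-MPPE-Send-Key 0x801a> '
    '<MS-CHAP2-Success 0x01> <MS-CHAP-Domain "DOMAIN">]\n'
    'Jun 21 20:12:34 vyos accel-l2tp: :: mppe: 128-bit session keys not allowed, '
    'disabling mppe\n'
)


def accept_attributes(log_text):
    """Return one set of attribute names per Access-Accept line in the log."""
    results = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            results.append(set(ATTR_RE.findall(m.group(1))))
    return results


def missing_mppe_attrs(log_text):
    """For each Access-Accept, list the MPPE policy attributes it lacks."""
    return [sorted(MPPE_POLICY_ATTRS - a) for a in accept_attributes(log_text)]


def diff_accepts(working_log, failing_log):
    """Attributes in every working accept that never appear in a failing one."""
    working, failing = accept_attributes(working_log), accept_attributes(failing_log)
    if not working or not failing:
        return []  # nothing to compare if either log has no Access-Accept
    return sorted(set.intersection(*working) - set.union(*failing))


if __name__ == "__main__":
    print("NPS reply lacks:", missing_mppe_attrs(NPS_LOG))
    print("Only in freeradius reply:", diff_accepts(FREERADIUS_LOG, NPS_LOG))
```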