Windows Integrated VPN (L2TP with Radius and PEAP) | is it even possible?

thetschulian · March 6, 2025, 10:27am

Hey there,
since Ivanti Secure Access still has not patched the current Security issues I was planning to test a new VPN solution.
Since I saw my chance to get rid of the current VPN Agent I tried to play around with the Windows integrated VPN. So I set myself a requirement NOT to use any vpn client in that case …
I setup a sophos with a 30 day eval licence and got it working with MSchapv2 over a Windows Server 2016 NPS in a short time. It works smooth and I get around 60Mbit Download / Upload.
Since mschapv2 is pretty unsecure, i wanted to change the auth method to peap.

For now, I found alot posts in the internet which says it is not supported by sophos.
OK - so I started searching for a solution with another vendor like palo alto which seems to end in the same fight …

Does any1 figured out a solution for sophos or even palo alto?
Or is my requirement NOT to use any vpn client not really a good one?

Thanks in advance

sarosan · March 6, 2025, 10:27am

Check out Always On VPN if you want to use the native Windows VPN client.

zeliboba55 · March 6, 2025, 10:27am

Look into Cloudflare ZeroTrust when you get tired of what you described.

datec · March 6, 2025, 10:27am

SSTP is Microsoft’s SSLVPN that does what you’re wanting to do.

The VPN is terminated on a Windows server and not a firewall like you’re trying to do.

autogyrophilia · March 6, 2025, 10:27am

Consider OpenVPN. Most flexible solution

Ok-Condition6866 · March 6, 2025, 10:27am

I use windows always on vpn with fortigate. Works great.

Anonymous · March 6, 2025, 10:27am

This has been possible since internet connection sharing in server 2003 I believe

Strong reminder, most modern programs removed L2TP

It’s gone from android natively starting in version 12

Here are your likely native options with most vendors

IKEv2/IPSec MSCHAPv2

IKEv2/IPSec PSK

IKEv2/IPSec RSA

thejohncarlson · March 6, 2025, 10:27am

Watchguard L2TP w/radius will work without a client.

jjb1030ca · March 6, 2025, 10:27am

Meraki With Duo mfa . Duo is free up to ten licenses then it’s like $5 a license . Radius is easy to setup and support is good .

RiceeeChrispies · March 6, 2025, 10:27am

Always my favourite if you have a PKI available and are an Intune shop. Helps with the transition away from ADDS to Entra-Joined too (well, until Private Access goes GA…).

Anonymous · March 6, 2025, 10:27am

From your Windows VPN Server, you can also forward the NPS requests to another server (which maybe is setup for Azure or Duo MFA via radius).

Then if it passes MFA that server will send back a happy authentication result completing the windows VPN login.

There’s also Azure VPN client if you go hybrid