Problem with VPN settings

Alright so bear with me on this but I have exhausted all resources for this problem.

We are currently using small tablets running Windows 10 Pro and have for the past few months been using a VPN to log in to our network from outside the office. Previously we had no issues, but now whenever the VPN is disconnected or the devices shut down and go to sleep, the security protocols revert from PAP to MS-CHAP v2. It isn't a huge issue, but having to try and explain this to people who can barely turn on the devices has rendered them helpless. Does anyone know of a fix around this?

I had this issue when it was manually entered. Running a PowerShell script is more reliable. An example:
Add-VpnConnection -Name "VPN" -ServerAddress "xxx.xxx.xxx.xxx" -TunnelType "L2tp" -EncryptionLevel "Required" -AuthenticationMethod Pap -UseWinlogonCredential -SplitTunneling -AllUserConnection
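
An added example, not part of the original post: a script that checks whether the profile created by the command above still offers PAP and re-applies it if Windows has reverted it. The profile name "VPN" and the all-user scope are taken from that command; refusing to enable PAP on a non-L2TP tunnel is an added safeguard, since PAP sends the password unhashed and relies on the IPsec layer of L2TP for protection.

```powershell
# Added example: detect and repair authentication-method drift on a VPN profile.
# Assumptions: profile name "VPN" in the all-user phone book, as in the command above.
# Run elevated, because all-user profiles cannot be changed by a standard user.
$Name     = 'VPN'
$Expected = 'Pap'

$conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
if (-not $conn) {
    Write-Warning "VPN profile '$Name' was not found in the all-user phone book."
    exit 1
}

# PAP is only acceptable here because L2TP wraps the exchange in IPsec.
# If the tunnel type has also changed, stop instead of enabling PAP on it.
if ($conn.TunnelType -ne 'L2tp') {
    Write-Warning "Tunnel type is '$($conn.TunnelType)', not L2tp. PAP not applied."
    exit 2
}

# AuthenticationMethod is a list; the profile may have more than one method ticked.
$current = @($conn.AuthenticationMethod)

if ($current -notcontains $Expected) {
    Write-Output "Drift detected: '$($current -join ', ')' does not include $Expected. Re-applying."
    Set-VpnConnection -Name $Name -AllUserConnection `
        -AuthenticationMethod $Expected -Force

    # Read the profile back to confirm the change was stored.
    $after = @((Get-VpnConnection -Name $Name -AllUserConnection).AuthenticationMethod)
    if ($after -notcontains $Expected) {
        Write-Warning "Profile still reports '$($after -join ', ')' after the reset."
        exit 3
    }
    Write-Output "Profile '$Name' now uses: $($after -join ', ')"
} else {
    Write-Output "Profile '$Name' already includes $Expected. No change made."
}
```

The non-zero exit codes let a scheduled task or management tool report which check failed.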

Set up through metro or old control panel style? Had an issue where if you ever edited or viewed properties in metro it’d kill it. Had to be done via control.

This is a well-known issue with Meraki client VPN. It's a Windows VPN client issue. I know others have had success in using the RASclient exe instead of using the built-in one. What version of Windows are you running? I found my issues mostly prevalent in 1803 and 1809. Once I updated to 1903 and up, no issue at all. Hope this gives some insight.

My fix for this was to leave ms-chapv2 ticked and then just tick PAP. So both settings are ticked.
Doing that stopped it reverting from PAP to chap.

Both options remained ticked and the VPN worked as normal.

Problem solved.

How did you set up the VPN? Manually, SM or a script?

We had the same problem. We discovered that using rasphone.exe to start/stop the VPN sessions eliminated this strange Win10 issue.

Build the VPN Client with Connection Manager Administration Kit. The settings won’t revert and it locks the Client down nicely so users can futz with it.

I had seen that mentioned in some of the Meraki threads. I'm not as well versed in PowerShell, but how difficult would it be to make the script?

This fixed it completely. Thank you.

Manually. We actually have two but the second (newer) requires everyone to use Microsoft Authenticator to complete the connection which is a pain in the ass for those less technologically inclined.

Check out this thread for a split-tunnel script that I posted as a comment. Worked well for me.

https://www.reddit.com/r/meraki/comments/i62217/split_tunnelling/?utm_medium=android_app&utm_source=share