I have the wonderful challenge of setting up our Unifi USG to accept connections from individual domain-joined laptops. I got the supported L2TP server working (as I have used this already for months for remote admin access myself), added RADIUS to our domain and gave the USG access to that RADIUS server to authenticate Domain Admins and users of a VPN users security group. This works great!
The problem I face now is that when testing out various GPO deployment techniques I hit a new error. The technique that I found works best for me to automate setting up our VPN connection is by using a logon powershell script. In testing, I did attempt using the network connections option in GPO to deploy the L2TP VPN profile but that would not work as we have to use a Pre-shared Key (per Unifi's supported options) and deploying via a CMAK profile. The CMAK profile does not allow for connection at login so I did not care for this option.
Although I have a successful deployment option, we receive the following error pictured below.
I have not found anything on this error via google and do not know what is causing it. I do not know of any GPOs on the domain that would be causing this or even what could cause this message. Some articles point to this possibly be something to do with MDM and Azure AD. We do have Office365 and sync our users with Azure AD Sync in order to have SSO on O365 but we do not have anything else setup on Azure AD.
When I attempt to connect to the VPN profile added by my powershell command or any other manually added VPN profile They show that error. It is worth noting that I can connect to the VPN just fine when I am at the login screen and choose to login via the VPN. I just can't connect or reconnect when logged in...
Here is the powershell script I am using
Add-VpnConnection -Name "Test" -ServerAddress "vpn.company.org" -TunnelType L2TP -L2tpPsk "my super secret psk" -Force -UseWinlogonCredential $true -AuthenticationMethod MSChapv2 -SplitTunneling $false -EncryptionLevel "Optional"
