Duo Two Factor Authentication - Microsoft Routing and Remote Access (RRAS) Server.

Setting up Duo Two Factor Authentication with Microsoft Routing and Remote Access (RRAS) Server:

We installed the Duo Proxy on a separate server from the Microsoft RRAS server. We couldn't get it to work on the same server; when we ran it there, we got errors like the following:

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

The RRAS server is Windows Server 2012 R2. In our case RRAS happened to be a Domain Controller (it doesn't have to be, but that made things easier).

RRAS was already configured and working for VPN clients. People were already connecting to it over VPN/PPTP, but we wanted to implement Duo two-factor authentication to add another layer of security to the VPN.

Clients were connecting to the RRAS server with the Microsoft PPTP client built into Windows (it could also work using SSTP or L2TP).

By the way, we didn't have to do anything with Windows Network Policy Server (NPS). NPS has no role in this kind of setup.

On the Duo portal we chose to protect a Microsoft RRAS server. You can find it in the list of applications to protect.

The final Duo proxy config file, authproxy.cfg, looked like the following (our explanations are given as ; comment lines so the file stays valid as written):

——————

[ad_client]
; IP address of the Domain Controller, not the RRAS server (they happened to be the same machine in our case)
host=10.10.10.10
; Domain user we created for Duo to use, and its password
service_account_username=DuoUser
service_account_password=Password123
; Our local Windows domain was called LocalDomain.com
search_dn=DC=LocalDomain,DC=com
; Windows security group DuoVPNUsers, created in AD inside an OU we created and called "Company".
; VPN users' Windows accounts must be added to this group. We placed the DuoVPNUsers group and the
; DuoUser account inside the Company OU and intend to place VPN users there as well.
security_group_dn=CN=DuoVPNUsers,OU=Company,DC=LocalDomain,DC=com

[radius_client]
; IP address of the RRAS server
host=10.10.10.10
; Shared secret used between RRAS and the Duo proxy. Make something up; use a complex value for security.
secret=PickASecretPasswordHere

[radius_server_auto]
; ikey, skey and api_host are obtained from the Duo portal
ikey=xxxxxxxxxxxxxx
skey=yyyyyyyyyyyyyyy
api_host=zzzzzzz.duosecurity.com
; IP address of the RRAS server
radius_ip_1=10.10.10.10
; Must match the secret above
radius_secret_1=PickASecretPasswordHere
client=ad_client
port=1812
pass_through_all=true
allow_concat=true

——————

Open Routing and Remote Access on the RRAS server. Right-click the server and choose Properties. Go to the second tab, Security, and under Authentication provider change Windows Authentication to RADIUS Authentication. Click Configure, then click Add.
Server name is the IP address of the server where the Duo proxy software is installed. In our case it was 10.10.10.40.
Change Time-out to 60 seconds so users have enough time to respond to the Duo push message.
Shared secret is the secret/password you used in the authproxy.cfg file. It must match.
Port 1812 is the default and should match the one in authproxy.cfg under the [radius_server_auto] section. Click OK to add it.

Also under the Security tab, click Authentication Methods. Make sure "Unencrypted password (PAP)" is checked; PAP is needed here because the Duo proxy forwards the user's password to Active Directory (the ad_client section) for primary authentication. This must match the VPN connection properties on the client Windows machines (the machines you and your users VPN in from): under Security, PAP must also be checked under "Allow these protocols". Make sure Microsoft CHAP Version 2 (MS-CHAP v2) is unchecked. Checking Challenge Handshake Authentication Protocol (CHAP, not v2) seemed to work too.
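Because the RRAS side and authproxy.cfg have to agree on the RRAS IP, the shared secret and the port, and because a stray space in a DN (as in the DC= LocalDomain typo) silently breaks the AD lookup, a small consistency check is worth running before restarting the proxy. This is an added example, not Duo's or Microsoft's code; the sample file is constructed from the page with placeholder keys and secrets, and the RRAS-side values are passed in as arguments.

```python
import configparser
import re

# Constructed sample mirroring the file above; keys and secrets are placeholders.
SAMPLE_CFG = """\
[ad_client]
host=10.10.10.10
service_account_username=DuoUser
service_account_password=Password123
search_dn=DC=LocalDomain,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Company,DC= LocalDomain,DC=com

[radius_server_auto]
ikey=xxxxxxxxxxxxxx
skey=yyyyyyyyyyyyyyy
api_host=zzzzzzz.duosecurity.com
radius_ip_1=10.10.10.10
radius_secret_1=PickASecretPasswordHere
client=ad_client
port=1812
pass_through_all=true
"""

DN_PART = re.compile(r"^(CN|OU|DC)=\S+$")  # one RDN, no embedded whitespace


def check_authproxy(text, rras_ip, rras_secret, rras_port=1812):
    """Return problems found; [] means the file matches what RRAS was given."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if "radius_server_auto" not in cfg:
        return ["missing [radius_server_auto] section"]
    srv, problems = cfg["radius_server_auto"], []
    # client= must name the section that performs primary (AD) authentication
    client = srv.get("client", "")
    if client not in cfg:
        problems.append(f"client={client!r} names a missing section")
    # RRAS is the registered RADIUS client: IP, shared secret and port must agree
    if srv.get("radius_ip_1") != rras_ip:
        problems.append("radius_ip_1 is not the RRAS server address")
    if srv.get("radius_secret_1") != rras_secret:
        problems.append("radius_secret_1 does not match the RRAS shared secret")
    if srv.getint("port", 1812) != rras_port:
        problems.append("port does not match the port configured in RRAS")
    # Every DN component must be TYPE=value; a stray space (DC= LocalDomain) breaks the bind
    for key in ("search_dn", "security_group_dn"):
        for part in cfg.get(client, key, fallback="").split(","):
            if not DN_PART.match(part.strip()):
                problems.append(f"{key} component {part.strip()!r} is malformed")
    return problems
```

Run it against the real authproxy.cfg contents with the IP, shared secret and port you typed into the RRAS RADIUS server dialog; an empty list means the two sides agree.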
