04-12-2018 05:39 PM
Trying to get my initial configuration working for L2TP VPN using Microsoft RRAS. When I try to connect the message on the client says:
“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.”
Although this message is indeed very specific, I think it may not be describing the actual problem. I have the authentication set to only PAP at both ends.
Perhaps someone can help me interpret the following from authproxy.log on the server?
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Sending request from 127.0.0.1 to radius_server_auto
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Received new request id 1 from ('127.0.0.1', 61327)
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] (('127.0.0.1', 61327), 1): login attempt for username u'ESS\Richard'
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Sending AD authentication request for 'ESS\Richard' to 'dc1.ess.local'
2018-04-12T17:18:30-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x02986490>
2018-04-12T17:18:30-0700 [_ADAuthClientProtocol,client] http POST to https://■■■■:443/rest/v1/preauth
2018-04-12T17:18:30-0700 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2018-04-12T17:18:30-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x02986490>
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Got preauth result for: u'enroll'
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Returning response code 3: AccessReject
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Sending response
2018-04-12T17:18:30-0700 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/preauth>
04-13-2018 07:42 AM
The log output shows the following:
enroll
You need to enroll “Richard” in Duo before authenticating. Learn how here: Duo Enrollment - Enrolling Users | Duo Security.
I see that’s not obvious from the Duo RRAS instructions, and will make sure that’s noted.
Thanks for trying Duo!
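An added example (not part of the thread and not Duo's code): a Python script that groups authproxy.log lines by request key and reports the username, preauth result and RADIUS response for each, so a rejection caused by an `enroll` preauth result can be told apart from a password or PAP problem. The message formats are taken from the excerpt in the question; the second request in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the excerpt above (the second request is invented for contrast).
SAMPLE_LOG = r"""
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Received new request id 1 from ('127.0.0.1', 61327)
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] (('127.0.0.1', 61327), 1): login attempt for username u'ESS\Richard'
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Got preauth result for: u'enroll'
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Returning response code 3: AccessReject
2018-04-12T17:19:02-0700 [DuoForwardServer (UDP)] (('127.0.0.1', 61340), 2): login attempt for username u'ESS\Alice'
2018-04-12T17:19:02-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61340), 2): Got preauth result for: u'auth'
2018-04-12T17:19:09-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61340), 2): Returning response code 2: AccessAccept
"""

QUOTES = str.maketrans("‘’", "''")  # tolerate curly quotes in logs pasted through rich-text pages
# Request key as logged: ((client ip, client port), request id): message
KEY = re.compile(r"\(\('(?P<ip>[^']+)', (?P<port>\d+)\), (?P<rid>\d+)\): (?P<msg>.+)$")
FIELDS = {
    "user": re.compile(r"login attempt for username u?'(?P<v>[^']*)'"),
    "preauth": re.compile(r"Got preauth result for: u?'(?P<v>[^']*)'"),
    "response": re.compile(r"Returning response code \d+: (?P<v>\w+)"),
}

def summarize(text):
    """Group log lines by (client ip, port, request id) and extract the key facts."""
    requests = {}
    for line in text.translate(QUOTES).splitlines():
        m = KEY.search(line)
        if not m:
            continue  # lines without a request key (factory start/stop, HTTP POST, ...)
        key = (m["ip"], int(m["port"]), int(m["rid"]))
        rec = requests.setdefault(key, dict.fromkeys(FIELDS))
        for field, rx in FIELDS.items():
            hit = rx.search(m["msg"])
            if hit:
                rec[field] = hit["v"]
    return requests

def needs_enrollment(requests):
    """Users rejected because preauth returned 'enroll' rather than a credential failure."""
    return sorted(r["user"] for r in requests.values()
                  if r["user"] and r["preauth"] == "enroll" and r["response"] == "AccessReject")

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, rec in summary.items():
        print(key, rec)
    print("enroll in Duo first:", needs_enrollment(summary))
```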
04-13-2018 11:46 AM
Thanks very much for your assistance. I have finally been able to establish a VPN connection, but for some reason when connecting I get 4 prompts to accept in rapid succession. I quickly clicked approve on all 4, but is this necessary or normal?
04-13-2018 01:37 PM
Ah, never mind. I found a timeout setting that I increased to eliminate the rapid-fire prompts. A screenshot is attached.
04-16-2018 01:54 PM
The lifetime for a Duo Push request to the Duo mobile app is 60 seconds, so you might want to match that in RRAS (to make sure that your users get enough time to approve the push request before it initiates another auth attempt).