Can't get VPN working with RRAS


#1

Trying to get my initial configuration working for L2TP VPN using Microsoft RRAS. When I try to connect the message on the client says:

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.”

Although this message is indeed very specific, I think it may not be describing the actual problem. I have the authentication set to only PAP at both ends.

Perhaps someone can help me interpret the following from authproxy.log on the server?

2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Sending request from 127.0.0.1 to radius_server_auto
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Received new request id 1 from ('127.0.0.1', 61327)
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] (('127.0.0.1', 61327), 1): login attempt for username u'ESS\Richard'
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Sending AD authentication request for 'ESS\Richard' to 'dc1.ess.local'
2018-04-12T17:18:30-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x02986490>
2018-04-12T17:18:30-0700 [_ADAuthClientProtocol,client] http POST to https://■■■■:443/rest/v1/preauth
2018-04-12T17:18:30-0700 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2018-04-12T17:18:30-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x02986490>
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Got preauth result for: u'enroll'
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘127.0.0.1’, 61327), 1): Returning response code 3: AccessReject
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘127.0.0.1’, 61327), 1): Sending response
2018-04-12T17:18:30-0700 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/preauth>


#2

The log output shows the following:

  1. The Duo proxy server was able to verify the credentials for “Richard” against AD.
  2. The Duo proxy server contacted the Duo cloud service.
  3. “Richard” is not enrolled in Duo (meaning there is no “Richard” user with a 2FA factor in Duo), so the return response was enroll.
  4. “Richard” was rejected by the Duo cloud service, as an unenrolled user can’t authenticate with RADIUS auto config.

You need to enroll “Richard” in Duo before authenticating. Learn how here: Duo Enrollment - Enrolling Users | Duo Security.

I see that’s not obvious from the Duo RRAS instructions, and will make sure that’s noted.

Thanks for trying Duo!
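To make the reading above repeatable, here is a small triage script (an added example, not code from the thread or from Duo) that parses authproxy.log lines of the shape quoted in post #1, groups them by the (client IP, port, request id) key the proxy prints on every line of a request, and reports why each RADIUS request ended the way it did. The sample log is constructed from the excerpt in this thread; the regexes assume the line formats stay as shown, and the preauth result meanings follow the Duo Auth API preauth results (auth, allow, deny, enroll), with `enroll` being the case the reply explains.

```python
"""Triage helper for Duo Authentication Proxy authproxy.log in RADIUS auto mode."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the excerpt in this thread (no redacted hosts needed).
SAMPLE_LOG = r"""
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Received new request id 1 from ('127.0.0.1', 61327)
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] (('127.0.0.1', 61327), 1): login attempt for username u'ESS\Richard'
2018-04-12T17:18:30-0700 [DuoForwardServer (UDP)] Sending AD authentication request for 'ESS\Richard' to 'dc1.ess.local'
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Got preauth result for: u'enroll'
2018-04-12T17:18:30-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('127.0.0.1', 61327), 1): Returning response code 3: AccessReject
"""


@dataclass
class RadiusRequest:
    """One RADIUS request as the proxy logs it, keyed by (client ip, port, request id)."""
    client: Tuple[str, int]
    request_id: int
    username: Optional[str] = None
    preauth_result: Optional[str] = None
    response_code: Optional[int] = None
    response_name: Optional[str] = None


# Regexes written against the line shapes quoted in the thread (assumed to be stable).
_KEY_RE = re.compile(r"\(\('(?P<ip>[\d.]+)', (?P<port>\d+)\), (?P<rid>\d+)\):")
_USER_RE = re.compile(r"login attempt for username u?'(?P<user>[^']+)'")
_PREAUTH_RE = re.compile(r"Got preauth result for: u?'(?P<result>\w+)'")
_RESPONSE_RE = re.compile(r"Returning response code (?P<code>\d+): (?P<name>\w+)")

# Meaning of each Duo preauth result (Duo Auth API /preauth). 'enroll' is this thread's
# case: AD accepted the primary credentials, but the user has no Duo enrollment, and
# radius_server_auto rejects unenrolled users.
PREAUTH_MEANING = {
    "auth": "user enrolled; proxy proceeds to the second factor (push/phone/passcode)",
    "allow": "Duo policy allowed the user without a second factor (e.g. bypass)",
    "deny": "Duo policy denied the user",
    "enroll": "user not enrolled in Duo; unenrolled users are rejected in RADIUS auto mode",
}


def parse_authproxy_log(text: str) -> Dict[Tuple[str, int, int], RadiusRequest]:
    """Group per-request log lines into RadiusRequest records."""
    requests: Dict[Tuple[str, int, int], RadiusRequest] = {}
    for line in text.splitlines():
        m = _KEY_RE.search(line)
        if not m:
            continue  # factory start/stop chatter carries no request key; skip it
        key = (m["ip"], int(m["port"]), int(m["rid"]))
        req = requests.setdefault(key, RadiusRequest((m["ip"], int(m["port"])), int(m["rid"])))
        if (u := _USER_RE.search(line)):
            req.username = u["user"]
        elif (p := _PREAUTH_RE.search(line)):
            req.preauth_result = p["result"]
        elif (r := _RESPONSE_RE.search(line)):
            req.response_code = int(r["code"])
            req.response_name = r["name"]
    return requests


def explain(req: RadiusRequest) -> str:
    """One-line human explanation of a request's outcome."""
    meaning = PREAUTH_MEANING.get(req.preauth_result or "", "no preauth result logged")
    return (f"request {req.request_id} from {req.client[0]}:{req.client[1]} "
            f"user={req.username!r} -> {req.response_name} (code {req.response_code}); "
            f"preauth={req.preauth_result}: {meaning}")


def users_needing_enrollment(requests: Dict[Tuple[str, int, int], RadiusRequest]) -> List[str]:
    """Usernames rejected solely because they are not enrolled in Duo."""
    return sorted({r.username for r in requests.values()
                   if r.preauth_result == "enroll" and r.response_name == "AccessReject"
                   and r.username})


if __name__ == "__main__":
    parsed = parse_authproxy_log(SAMPLE_LOG)
    for request in parsed.values():
        print(explain(request))
    print("need enrollment:", users_needing_enrollment(parsed))
```

Run it against a real authproxy.log (`parse_authproxy_log(open(path).read())`) and `users_needing_enrollment` gives the list of accounts to enroll before their VPN logins can succeed; any request whose preauth result is `auth` but which still ends in `AccessReject` points at a second-factor problem rather than enrollment.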


#3

Thanks very much for your assistance. I have finally been able to establish a VPN connection, but for some reason when connecting I get 4 prompts to accept in rapid succession. I quickly clicked approve on all 4, but is this necessary or normal?


#4

Ah, never mind. I found a timeout setting that I increased to eliminate the rapid-fire prompts. A screenshot is attached.


#5

The lifetime for a Duo Push request to the Duo mobile app is 60 seconds, so you might want to match that in RRAS (to make sure that your users get enough time to approve the push request before it initiates another auth attempt).