Cisco DUO on Microsoft RRAS server without AD

emilije · ‎10-27-2021

Hi to all, my first post here

I have setup with 9 local (non AD) users, Windows Server 2012 Foundation and RRAS role. I would like to strengthen our security by implementing Cisco DUO as described Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security
We don’t have Active Directory set!

Is it possible to implement Cisco DUO without AD?

Many thanks!!

DuoKristina · ‎10-27-2021

I don’t think you can do this with Duo.

While the Duo Authentication Proxy supports Duo-only authentication over RADIUS (where the Duo proxy does not attempt primary credential verification and only performs two-factor auth), IIRC there isn’t an option in RRAS to chain local primary authentication (for your non-AD users) to external secondary authentication (like adding Duo for 2FA-only via RADIUS).

Even Microsoft’s own MFA solution for RRAS requires use of an external RADIUS server (NPS) and Active Directory.

Granted, it’s been a few years since I looked closely at RRAS and that was enough to make me never want to look again. If someone in the community has more up-to-date info about chaining authentication in RRAS hopefully They’ll chime in.

Duo, not DUO.

emilije · ‎10-27-2021

Many thanks for the info! just to clarify; RRAS is already set and my local users are using it.

It’s not a problem to set AD, but i would like to avoid complicating things if it is not necessary.