Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2809
Views
1
Helpful
8
Replies

DUO Auth proxy for MS VPN

chv
Level 1
Level 1

‎06-20-2018 04:23 AM

Hi
i have one implementation of ms vpn (sstp, pptp, l2tp) with separate machines
One rras machine (is radius client) and one nps (radius server)
On which machine should install the duo proxy ? .
I have installed (for test) on both machines (one a time)
but it seems is not working.
I was make a proxy config (radius client enabled in section)
The user authenticated without push message. (i have rollout the users)
Any help ?
Thanks

Labels:
0 Helpful
8 Replies 8

DuoKristina
Cisco Employee
Cisco Employee

‎06-20-2018 06:07 AM

In this scenario we’d usually recommend you install the Duo proxy server on neither the NPS nor the RRAS server, but instead install it elsewhere. The NPS server is probably already listening on port 1812 so you’d have a conflict, and if installed on the RRAS server the RRAS to Duo proxy communications will happen via loopback, which makes it more difficult to troubleshoot if something is wrong.

Duo, not DUO.
0 Helpful

chv
Level 1
Level 1
In response to DuoKristina

‎06-20-2018 06:24 AM

You are right
i have already test the proxy on ras (loop back)
without success.
So you recommend to install in another machine
and make a forward radius group on nps machine ?
And probably this machine must have an ad_client config ?
Thanks

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to chv

‎06-20-2018 06:29 AM

Are you following our RRAS instructions? There it describes each setup step in detail.

Duo, not DUO.
0 Helpful

chv
Level 1
Level 1
In response to DuoKristina

‎06-20-2018 07:04 AM

Yes, but i don’t see anything about nps config.
I suppose that must make a radius group in nps machine
to forward all request to duo proxy and duo is ad client.
But the policy in nps must match first and after forward the request.
Correct ?

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to chv

‎06-20-2018 07:23 AM

You can just point RRAS to the Duo Proxy. That’s what we have documented.

If you wish to still have your RRAS logins go through NPS then yes, you’d need to add RADIUS forwarding on your NPS server.

Duo, not DUO.
0 Helpful

chv
Level 1
Level 1
In response to DuoKristina

‎06-20-2018 08:11 AM

ok i will make a try
thanks

0 Helpful

thiagobeier
Level 1
Level 1

‎07-08-2018 12:41 PM

Hi there, I followed the manual at Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security
and here’s what I’m getting DUO AuthProxy with Micorsoft SSTP VPN
I appreciate any help on that without duo MFA we use vpn properly after we make changes to support Duo it stops working at all.

thanks in advance,
Thiago B.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to thiagobeier

‎07-09-2018 08:55 AM

@Thiago_Beier,

There’s not enough information here to know what issues you’re seeing. I encourage you to reach out to Duo Support for one to one troubleshooting assistance.

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents