i have one implementation of ms vpn (sstp, pptp, l2tp) with separate machines
One rras machine (is radius client) and one nps (radius server)
On which machine should install the duo proxy ? .
I have installed (for test) on both machines (one a time)
but it seems is not working.
I was make a proxy config (radius client enabled in section)
The user authenticated without push message. (i have rollout the users)
Any help ?
In this scenario we’d usually recommend you install the Duo proxy server on neither the NPS nor the RRAS server, but instead install it elsewhere. The NPS server is probably already listening on port 1812 so you’d have a conflict, and if installed on the RRAS server the RRAS to Duo proxy communications will happen via loopback, which makes it more difficult to troubleshoot if something is wrong.
You are right
i have already test the proxy on ras (loop back)
So you recommend to install in another machine
and make a forward radius group on nps machine ?
And probably this machine must have an ad_client config ?
Are you following our RRAS instructions? There it describes each setup step in detail.
Yes, but i don’t see anything about nps config.
I suppose that must make a radius group in nps machine
to forward all request to duo proxy and duo is ad client.
But the policy in nps must match first and after forward the request.
You can just point RRAS to the Duo Proxy. That’s what we have documented.
If you wish to still have your RRAS logins go through NPS then yes, you’d need to add RADIUS forwarding on your NPS server.
ok i will make a try
Hi there, I followed the manual at Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security
and here’s what I’m getting DUO AuthProxy with Micorsoft SSTP VPN
I appreciate any help on that without duo MFA we use vpn properly after we make changes to support Duo it stops working at all.
thanks in advance,