DUO AuthProxy with Micorsoft SSTP VPN

bdemontier · ‎05-11-2017

Hi Folks,

I have a support case open with DUO Support, Gabby has been extremely helpful but an issue remains with functionality and I’m wondering if anyone has seen a similar problem. The SSTP VPN server is Windows 2012 R2, the DUO AuthProxy version is 2.4.21.

When connecting from an external source, I am consistently getting 4 DUO replies for the one login session. Eventually, the client errors out with a mismatched configuration between the client and VPN server. If I remove DUO from the equation, it works perfectly.

Has anyone had any experience like this? I’ve been thru the RRAS server but I don’t see where the issue may be located and at this point, I’m at a loss.

Any/all help and advice is greatly appreciated.

Buddy

DuoKristina · ‎05-11-2017

Hello bdemon16,

I took a look at the most recent log you provided, and I notice that you’re running the Duo Authentication Proxy on the same server as NPS/RRAS. While this configuration is technically possible, it’s more difficult to troubleshoot issues with the configuration because many of the tools we’d normally use (like a packet capture) don’t apply to localhost requests.

In the log you sent, I too observed four unique incoming RADIUS authentication requests from 127.0.0.1 for the same user within 9 seconds, with no waiting for an access accept or access reject response from the proxy before initiating the next one. Duo isn’t initiating spurious approval requests, it’s responding once to each of the four unique requests sent to it by RRAS/NPS (which in turn may indicate unique requests from the VPN client to RRAS).

The first thing I’d check is the RADIUS server timeout in RRAS, to ensure it is set to 60 seconds the lifetime of a Duo push request). I think you already confirmed it was, right?

If you append a Duo Mobile generated passcode to your password during VPN login (like password123,123456), then are you connected immediately?

Gabby will reach out to you again to continue working on your open case with some additional suggestions.

Thanks for trying Duo!

Duo, not DUO.

bdemontier · ‎05-12-2017

Hi DuoKristina,
Thanks for getting back to me. I agree with you that the issue/problem would seem to be in the RRAS server. I tried multiple variations yesterday at both the server and client configs but not having much luck. I am in touch with Gabby and plan to move ahead with your suggestion(s) to move the AuthProxy to a separate server, as well as see if I get a different result with passcodes.

Thank you for your advice and assistance.

Buddy

thiagobeier · ‎07-06-2018

our duo setup is fine but we can log on the vpn server after
any tips on that for NPS (network policies or connection request policies) ?

CoId={2728F6D2-FB2A-4CD9-914D-C6401A2F8DE2}: The following error occurred in the Point to Point Protocol module on port: VPN1-127, UserName: domain\myuser. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

debug mode enabled

2018-07-06T15:42:29-0400 [duoauthproxy.lib.log#info] -----------------------------
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] Testing section ‘main’ with configuration:
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] {‘debug’: ‘True’, ‘log_max_files’: ‘10’, ‘log_max_size’: ‘20971520’}
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] There are no connectivity problems with the section.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] -----------------------------
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] Testing section ‘ad_client’ with configuration:
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] {‘debug’: ‘True’,
‘host’: ‘192.168.1.10’,
‘search_dn’: ‘DC=mydomain,DC=local’,
‘security_group_dn’: ‘CN=DuoVPNUsers,OU=Security Groups,OU=Head Office,DC=mydomain,DC=local’,
‘service_account_password’: ‘’,
‘service_account_username’: ‘duoaccount’}
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] The LDAP Client section has no connectivity issues.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] -----------------------------
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] Testing section ‘radius_server_auto’ with configuration:
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] {‘api_host’: ‘■■■■’,
‘client’: ‘ad_client’,
‘debug’: ‘True’,
‘failmode’: ‘safe’,
‘ikey’: ‘MYKEYASFASDFASDFASDF’,
‘port’: ‘1812’,
‘radius_ip_1’: ‘192.168.1.10’,
‘radius_secret_1’: '’,
‘skey’: ‘*****[40]’}
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#warn] The RADIUS Server has connectivity problems.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] The Auth Proxy was able to ping Duo at ■■■■ with a latency of 1307.58218954 milliseconds.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#error] The time drift between the Auth Proxy host and Duo is excessively high, at 1530906289.42 seconds. This could interfere with user authorizations. Ensure the Auth Proxy host’s time is correct, for instance by enabling NTP.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] The Auth Proxy was able to validate the provided API credentials.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] The Connectivity Tool did not run the listen udp check because the actual Authentication Proxy is using that port. If you need this test to run stop the Auth Proxy and try again.
2018-07-06T15:45:05-0400 [duoauthproxy.lib.log#info] -----------------------------

DuoKristina · ‎07-09-2018

@Thiago_Beier,

Be sure that you’re using PAP with SSTP from the VPN client to the RRAS server. If the items already covered in this thread and the RRAS related articles on help.duo.com aren’t helping, don’t hesitate to reach out to Duo Support.

Duo, not DUO.