DUO AuthProxy with Microsoft SSTP VPN


#1

Hi Folks,

I have a support case open with DUO Support. Gabby has been extremely helpful, but an issue remains with functionality and I’m wondering if anyone has seen a similar problem. The SSTP VPN server is Windows 2012 R2, the DUO AuthProxy version is 2.4.21.

When connecting from an external source, I am consistently getting 4 DUO replies for the one login session. Eventually, the client errors out with a mismatched configuration between the client and VPN server. If I remove DUO from the equation, it works perfectly.

Has anyone had any experience like this? I’ve been through the RRAS server but I don’t see where the issue may be located and at this point, I’m at a loss.

Any/all help and advice is greatly appreciated.

Buddy


#2

Hello bdemon16,

I took a look at the most recent log you provided, and I notice that you’re running the Duo Authentication Proxy on the same server as NPS/RRAS. While this configuration is technically possible, it’s more difficult to troubleshoot issues with the configuration because many of the tools we’d normally use (like a packet capture) don’t apply to localhost requests.

In the log you sent, I too observed four unique incoming RADIUS authentication requests from 127.0.0.1 for the same user within 9 seconds, with no waiting for an access accept or access reject response from the proxy before initiating the next one. Duo isn’t initiating spurious approval requests, it’s responding once to each of the four unique requests sent to it by RRAS/NPS (which in turn may indicate unique requests from the VPN client to RRAS).

The first thing I’d check is the RADIUS server timeout in RRAS, to ensure it is set to 60 seconds (the lifetime of a Duo push request). I think you already confirmed it was, right?

If you append a Duo Mobile generated passcode to your password during VPN login (like password123,123456), then are you connected immediately?

Gabby will reach out to you again to continue working on your open case with some additional suggestions.

Thanks for trying Duo!
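
The pattern described in the reply above (several distinct RADIUS requests for one user arriving before the first has been answered) can be checked for mechanically. This is an added example, not part of the original posts and not Duo's code; the log line format, field names and sample data are constructed for illustration and are not the Authentication Proxy's real log format.

```python
from collections import defaultdict
from datetime import datetime

PUSH_LIFETIME = 60  # seconds; the Duo push lifetime mentioned in the thread

# Constructed sample in a made-up normalized format (assumption, not real proxy logs).
SAMPLE = """\
2017-03-01T10:00:00 REQUEST src=127.0.0.1 id=11 user=buddy
2017-03-01T10:00:03 REQUEST src=127.0.0.1 id=12 user=buddy
2017-03-01T10:00:06 REQUEST src=127.0.0.1 id=13 user=buddy
2017-03-01T10:00:09 REQUEST src=127.0.0.1 id=14 user=buddy
2017-03-01T10:00:20 RESPONSE src=127.0.0.1 id=11 user=buddy
2017-03-01T10:05:00 REQUEST src=10.0.0.5 id=40 user=alice
2017-03-01T10:05:02 REQUEST src=10.0.0.5 id=40 user=alice
2017-03-01T10:05:10 RESPONSE src=10.0.0.5 id=40 user=alice
"""

def parse(line):
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kind, kv["src"], int(kv["id"]), kv["user"]

def find_overlapping_requests(text, lifetime=PUSH_LIFETIME):
    """Return {(src, user): [ids]} for requests with a new RADIUS id that arrived
    while an earlier request for the same user was unanswered and not yet expired.
    A repeat of the same id is a retransmission and is not counted."""
    pending = defaultdict(dict)    # (src, user) -> {request id: first seen}
    findings = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        ts, kind, src, rid, user = parse(line)
        key = (src, user)
        if kind == "RESPONSE":
            pending[key].pop(rid, None)
            continue
        # Drop requests older than the push lifetime; they can no longer overlap.
        live = {i: t for i, t in pending[key].items()
                if (ts - t).total_seconds() < lifetime}
        if rid not in live:
            if live:  # a different request is still waiting for its answer
                findings[key] += [i for i in live if i not in findings[key]]
                findings[key].append(rid)
            live[rid] = ts
        pending[key] = live
    return dict(findings)

if __name__ == "__main__":
    print(find_overlapping_requests(SAMPLE))
```

A non-empty result for a user points at the RADIUS client side (timeout or retry settings, or the VPN client re-attempting) rather than at the proxy issuing extra prompts.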


#3

Hi DuoKristina,
Thanks for getting back to me. I agree with you that the issue/problem would seem to be in the RRAS server. I tried multiple variations yesterday at both the server and client configs but not having much luck. I am in touch with Gabby and plan to move ahead with your suggestion(s) to move the AuthProxy to a separate server, as well as see if I get a different result with passcodes.

Thank you for your advice and assistance.

Buddy