Duo Proxy / RRAS using MS-ChapV2

Hello, I’m trying to setup 2FA using Duo Push with a Windows 2019 RRAS server.

I have everything successfully working using PAP and the [ad_client] setting, but I’m concerned about issues with Windows Updates breaking PAP VPN settings, hence trying to set things up using MS-ChapV2.

I’ve been trying all sorts of config file settings, but I just can’t get things to work. I have NPS installed on the RRAS server, which is 192.168.7.8.

Here is my current config file…

[radius_client]
host=192.168.7.8
secret=XXXXXX
pass_through_all=true

; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)

[radius_server_auto]
ikey=XXXXXX
skey=XXXXXX
api_host=XXXXXX
radius_ip_1=192.168.7.8
radius_secret_1=XXXXXX
failmode=safe
client=radius_client
port=1812

Does anyone have a straightforward guide to getting this working?

Can you share exactly what isn’t working? Are the RADIUS access requests getting sent from the Duo proxy to NPS, and do they succeed? Do users receive a Duo Push or phone call 2FA request? Do they approve but the VPN connection fails?

No push / calls are generated.

Here is the log from the Duo Proxy (192.168.7.9)…
2021-07-20T12:42:18.109918-0400 [duoauthproxy.lib.log#info] Sending request from 192.168.7.8 to radius_server_auto
2021-07-20T12:42:18.109918-0400 [duoauthproxy.lib.log#info] Received new request id 2 from ('192.168.7.8', 49221)
2021-07-20T12:42:18.109918-0400 [duoauthproxy.lib.log#info] (('192.168.7.8', 49221), XXX, 2): login attempt for username 'XXX'
2021-07-20T12:42:18.109918-0400 [duoauthproxy.lib.log#info] Sending request for user 'XXX' to ('192.168.7.8', 1812) with id 142
2021-07-20T12:42:26.160065-0400 [duoauthproxy.lib.log#info] Request timeout for (outgoing) id 142. Hosts tried {('192.168.7.8', 1812)}
2021-07-20T12:42:26.160065-0400 [duoauthproxy.lib.log#info] (('192.168.7.8', 49221), XXX, 2): Error performing primary authentication: RADIUS auth request timed out
2021-07-20T12:42:26.160065-0400 [duoauthproxy.lib.log#info] Allow concat is configured, but is not supported with MS-CHAPv2 authentications. Did you try to concatenate your second factor to your password?
2021-07-20T12:42:26.160065-0400 [duoauthproxy.lib.log#info] (('192.168.7.8', 49221), XXX, 2): Returning response code 3: AccessReject
2021-07-20T12:42:26.160065-0400 [duoauthproxy.lib.log#info] (('192.168.7.8', 49221), XXX, 2): Sending response

Here is the log from the RRAS / NPS server (192.168.7.8)…
The remote radius server did not process the authentication request.

Also, the Duo management console on the website has no entries for attempts, so it appears as though the login requests are never making it to the Duo online account.

As I said earlier, everything works perfectly when using [ad_client] and PAP. The user connects to the VPN, they receive the Duo Push, accept it, and are connected. I just can’t get it to work when using [radius_client].

RRAS is set to query the Duo Proxy server (192.168.7.9) as a Radius server under “Authentication Provider”. I’ve tried a bunch of different settings under “Authentication Methods”, but I can’t get any of them to work.

In NPS, I have the Duo Proxy server added as a Radius Client. I’m guessing it’s an issue in either Connection Request Policies or Network Policies under NPS.

The Duo proxy is sending the primary authentication request to NPS at 192.168.7.8 port 1812 and times out without receiving a response. Check your network connectivity between hosts. Running a capture with something like Wireshark on the Duo proxy server when you try to authenticate should help, as you'll see if NPS responds to the outgoing request from the Duo proxy.
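As an added example (not from this thread, and not Duo's or Microsoft's code), a small probe for the check suggested above: it sends one RADIUS Access-Request from the proxy host to NPS at 192.168.7.8:1812 and reports a timeout, the reply code, and whether the Response Authenticator validates, which also catches a shared-secret mismatch. The secret, user name and password are placeholders, and PAP is used only because it needs no challenge exchange; it does not exercise the MS-CHAPv2 path itself.

```python
import hashlib
import os
import socket
import struct

# Constructed assumptions: NPS/RRAS host from the thread is 192.168.7.8:1812;
# the secret is a placeholder that must equal the NPS RADIUS client entry secret.
NPS_HOST, NPS_PORT = "192.168.7.8", 1812
SHARED_SECRET = b"CHANGE-ME"  # placeholder, not a value from the thread
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(req_id, username, password, secret, authenticator):
    """Minimal PAP Access-Request: header, Request Authenticator, User-Name (1), User-Password (2)."""
    name, pw = username.encode(), hide_password(password.encode(), secret, authenticator)
    attrs = struct.pack("!BB", 1, len(name) + 2) + name + struct.pack("!BB", 2, len(pw) + 2) + pw
    return struct.pack("!BBH", 1, req_id, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(header, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_reply(data, request_auth, secret):
    """True only when the replying server shares our secret (and the reply is intact)."""
    return response_authenticator(data[:4], data[20:], request_auth, secret) == data[4:20]

def probe_nps(host=NPS_HOST, port=NPS_PORT, secret=SHARED_SECRET, timeout=5.0):
    """None on timeout (the thread's symptom: NPS never answered); otherwise the
    reply code name and whether its Response Authenticator matched our secret."""
    request_auth = os.urandom(16)
    packet = build_access_request(7, "probe-user", "probe-password", secret, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if len(data) < 20 or data[1] != 7:
        return None  # not a reply to our request id
    return CODES.get(data[0], f"code {data[0]}"), verify_reply(data, request_auth, secret)
```

Run `probe_nps()` from the Duo proxy host (192.168.7.9): NPS silently discards requests from addresses that are not configured as RADIUS clients, so a timeout with a working network path points at the NPS client entry, while a reply whose authenticator fails to validate points at the shared secret.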