Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3355
Views
1
Helpful
3
Replies

Duo with multiple NPS network policies

Phil Bradley
Level 4
Level 4

‎12-12-2018 11:48 AM

Is it possible to have the Duo radius client integrate with multiple NPS policies? For example, I have a policy on NPS for VPN users and another for network device admins. In NPS the radius client gets assigned a friendly name and then that name gets matched to a policy. Since the duo server is only one device then it gets mapped to a common friendly name on the NPS server which would always match one policy.

Labels:
0 Helpful
3 Replies 3

Phil Bradley
Level 4
Level 4

‎12-12-2018 08:58 PM

I did find a solution to my problem and in case anyone else is interested this is what I did.

Microsoft NPS can only have one radius client with the same IP. I added the duo server as the client with a friendly name.

In my NPS policies I added the friendly name as a requirement and also added NAS ipv4. I setup multiple radius clients in duo config and in each one I added nas_ip= to some unique value. This way the policy could get selected based on this value.

mshalim
Level 1
Level 1
In response to Phil Bradley

‎02-25-2019 07:56 AM

Hello pbradley435,
I am interested in doing something similar, can you post a sample config file of how you set this up, thanks

0 Helpful

rbrian
Level 1
Level 1

‎05-13-2023 08:43 PM

I realize this is an old post, but I also found this post while trying to find out how to configure Duo to work with multiple NPS policies.

Piggy backing off pbradley’s previous post, here’s an article you’ll want to reference:
Can the Duo Authentication Proxy include multiple client sections?
https://help.duo.com/s/article/2216?language=en_US

Basically, you can create multiple [radius_server_auto] and [radius_client] sections and assign them to the particular service you are looking to protect. These Duo configurations are pointed to a particular NPS policy via the “nas_ip” radius_client option.

– create a [radius_server_auto2] and [radius_client2] section
----change “client=” to use your new radius_client2
– in [radius_client2], add nas_ip=some unique value

In NPS, you configure your multiple policies, and add a “Condition” for “NAS IPv4 Address” to the same unique value. I used 1.1.1.1 for my first [radius_client], 2.2.2.2 for my second [radius_client2]. I did not use friendly names.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents