Error 919 whe usig duo proxy with RRAS

dataflowe · ‎04-05-2017

Hi all,

Does anybody have some tips for troubleshooting 919 errors when trying to connect to MS RRAS using L2TP with PAP? My server is running Windows server 2012 R2 with RRAS and NPS installed, on the same box as the Duo proxy. The network policy in NPS has been set up to allow only PAP authentication.

In RRAS, I have configured L2TP to use a shared secret. I’ve also installed a server certificate in case it’s still needed with when using secrets instead of certs.

Client in Windows 10, configured for L2TP with PAP and the secret key. When I try to connect I consistently get a 919, with no events on the server or entries in the duo proxy log file.

The interesting thing is, if I set up the server and client to use a different authentication method, like MSCHAP 2, I get a different, more expected failure - I can see in the proxy log file that duo can’t process the password since I’m not using PAP and I do see Windows events showing that NPS rejected the connection.

So when I consider both of these, what I’m thinking this suggests that L2TP is configured OK and my L2TP secret is correct … but I’m running into some kind of issue specific to PAP. Anybody else seen this? Do I need to adjust a security setting someplace to allow PAP on Windows?

My read of the documentation is that PAP is required for this kind of setup. Any chance I’m wrong about that and there is a way to get a different authentication method to work?

dataflowe · ‎04-06-2017

In case anybody else finds this, I figured it out. Turns out that even when NPS is installed it’s still necessary to enable PAP on the RRAS properties as well.