How to setup SMS-only authentication for RRAS

I have setup two application, Microsoft RDP and Microsoft RRAS and both are working fine for my users with the Duo app installed however I have two users with old phones who want to authenticate via SMS.

I setup RDP first, created a custom policy for SMS Passcode-only authentication, assigned into to a group and added the one user who needed to authenticate via SMS to that group. It worked perfectly.

I then setup RRAS and used the same custom policy for this new application, adding my second SMS-only user (he doesn’t need access to the Remote Desktop Server, just VPN access).

Both users failed to authenticate their VPN connection.They just receive the standard “The connection was prevented because of a policy configured on your RAS/VPN server” message.

If I change the authentication method from SMS Passcode to Phone Callback a call is received and the VPN connects successfully.

What am I doing wrong or what have I missed?


Hi @infologicit ,

The Duo for RRAS integration supports append mode (concatenation), so for a user to authenticate via SMS they should enter password,sms in the password field: Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security. Once this is done, the login attempt will fail — the user should log in again with one of the new passcodes.

Please note that append mode only works with PAP, not MS-CHAPv2:

End user guide to Append Mode: Append Mode - Guide to Two-Factor Authentication · Duo Security

Hope this helps!

Hi @DuoPablo ,

Thanks for coming back to me. I tested authentication via SMS and it worked but it was very clunky and I just wanted to check that this was as expected.

I created a new VPN connection through Windows 11. Set the password using the format password,sms as per the end user guide, received my single passcode via SMS, edited my VPN connection to set the new password in the format password,passcode and successfully connected.

All good so far except that this only worked once. Not only that, I had to edit the VPN connection to reset the authentication protocol to PAP before going through the whole process of requesting another passcode via SMS.

Is that what you would expect to happen or am I missing a trick here?



@infologicit This appears to be a behavior specific to the Windows VPN client itself as other Community members have experienced the same thing (and appears to be an issue outside of Duo):

Thanks @DuoPablo , I think the callback feature might be the best solution in this situation then.

Thanks again