Microsoft RRAS - authentication mismatch?

Still on the free tier for now, but testing everything before we roll out.

Set up an 2016 RRAS server and have L2TP and SSTP working fine. Set up Duo per the instructions at Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security and when a user tries to connect, get this in the event viewer and never get a push.

The following error occurred in the Point to Point Protocol module on port: VPN1-127, UserName: mvalpreda. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Originally the authentication was MS-CHAP v2 on L2TP and SSTP. I kept that and then ticked CHAP - did that both in RRAS and on the client. I just did CHAP on both the client and server. Keep getting the error above in Event Viewer.

Seeing this on the Duo proxy server

2019-10-25T18:22:33-0700 [DuoForwardServer (UDP)] Sending request from 10.0.60.104 to radius_server_auto
2019-10-25T18:22:33-0700 [DuoForwardServer (UDP)] Received new request id 1 from (‘10.0.60.104’, 57356)
2019-10-25T18:22:33-0700 [DuoForwardServer (UDP)] ((‘10.0.60.104’, 57356), mvalpreda, 1): login attempt for username u’mvalpreda’
2019-10-25T18:22:33-0700 [DuoForwardServer (UDP)] Sending AD authentication request for ‘mvalpreda’ to ‘addns02.domain.local’
2019-10-25T18:22:33-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x0369BDB0>
2019-10-25T18:22:33-0700 [_ADAuthClientProtocol,client] http POST to https://285d6b92.duosecurity.com:443/rest/v1/preauth
2019-10-25T18:22:33-0700 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://285d6b92.duosecurity.com:443/rest/v1/preauth>
2019-10-25T18:22:33-0700 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x0369BDB0>
2019-10-25T18:22:33-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] Duo preauth call failed
Traceback (most recent call last):
File “twisted\internet\defer.pyc”, line 654, in _runCallbacks
File “twisted\internet\defer.pyc”, line 1475, in gotResult
File “twisted\internet\defer.pyc”, line 1416, in _inlineCallbacks
File “twisted\python\failure.pyc”, line 512, in throwExceptionIntoGenerator
— —
File “duoauthproxy\lib\radius\duo_server.pyc”, line 111, in preauth
File “twisted\internet\defer.pyc”, line 1416, in _inlineCallbacks
File “twisted\python\failure.pyc”, line 512, in throwExceptionIntoGenerator
File “duoauthproxy\lib\duo_async.pyc”, line 246, in preauth
File “twisted\internet\defer.pyc”, line 1418, in _inlineCallbacks
File “duoauthproxy\lib\duo_async.pyc”, line 205, in call
File “duoauthproxy\lib\duo_async.pyc”, line 220, in _parse_response

duoauthproxy.lib.duo_async.■■■■■■■■■■■■■■■■■■■■r: 40102: Invalid integration key in request credentials

2019-10-25T18:22:33-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘10.0.60.104’, 57356), mvalpreda, 1): Failmode Secure - Denied Duo login on preauth failure
2019-10-25T18:22:33-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘10.0.60.104’, 57356), mvalpreda, 1): Returning response code 3: AccessReject
2019-10-25T18:22:33-0700 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘10.0.60.104’, 57356), mvalpreda, 1): Sending response
2019-10-25T18:22:33-0700 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://285d6b92.duosecurity.com:443/rest/v1/preauth>

mvalpreda is an alias for an enrolled user, but not see any authentication logs for that user in the admin portal.

Is there something I need to change on the NPS server?

40102: Invalid integration key in request credentials

The most common cause of this error is that the ikey, skey, or host information is not correct in the authproxy.cfg file.

If you’ve already checked that, please contact Duo Support for additional troubleshooting assistance. They’ll want to review debug log output not advisable for sharing in our public community forum.