Microsoft RRAS with Duo Mobile problem

Fred06 · ‎11-10-2020

Hi everyone,

I’m testing to set up MFA with DUO Mobile on my VPN server.

Everything works with a normal SSTP connection.

Here is my configuration :

1x : Windows 2019 server : RRAS with (SSTP protocol) (10.10.10.22)
1x: Windows 2019 server: NPS/Radius (10.10.10.23)
1x: Windows 2019 server: Duo Proxy service (10.10.10.24)

When I try to connect my VPN client, I get the following messages in the logs:

2020-11-10T16:57:51+0100 [duoauthproxy.lib.log#info] Duo Security Authentication Proxy 5.1.0 - Init Complete
2020-11-10T16:57:51+0100 [-] RadiusClient starting on 55744
2020-11-10T16:57:51+0100 [-] Starting protocol <duoauthproxy.lib.radius.client.RadiusClient object at 0x000001957A1563D0>
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] Sending request from 192.168.68.22 to radius_server_auto
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] Received new request id 4 from ('192.168.68.22', 52047)
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] (('192.168.68.22', 52047), fidmc\mdm-user1, 4): login attempt for username 'fidmc\\mdm-user1'
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] Sending request for user 'fidmc\\mdm-user1' to ('192.168.68.23', 1812) with id 38
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] Got response for id 38 from ('192.168.68.23', 1812); code 3
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] (('10.10.10.22', 52047), fidmc\mdm-user1, 4): Primary credentials rejected - No reply message in packet
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] (('10.10.10.22', 52047), fidmc\mdm-user1, 4): Returning response code 3: AccessReject
2020-11-10T16:58:30+0100 [duoauthproxy.lib.log#info] (('10.10.10.22', 52047), fidmc\mdm-user1, 4): Sending response

Here is my authproxy.conf file:

[radius_client]
host=10.10.10.23
secret key=XXXXXXXX
pass_through_all=true

[ad_client]
host=10.10.10.10
service_account_username=FIDMC\Administrateur (for test)
service_account_password=mypassword
search_dn=DC=fidmc,DC=ch
security_group_dn=CN=AOVPN_Users,OU=GROUPS,OU=MCH,DC=fidmc,DC=ch

[radius_server_auto]
ikey=my_ikey
skey=my_skey
api_host=my_api_host
radius_ip_1=10.10.10.22
radius_secret_1=radiussecret1
failmode=safe
client=client_radius
port=1812

I also get error 812 in the client’s Event Viewer.

Does anyone know where the error could come from?

Thank’s in advance.

Amy2 · ‎11-10-2020

Hi @Frederic_Viatte, just a heads up that I edited your post to remove your secret key and RADIUS secret. These are unique to your application and account and should be kept private. They should never be shared publicly

I noticed in your config file under [radius_server_auto] you have the client listed as client=client_radius when it should be radius_client instead. Try fixing that and see if it resolves the issue!

Something else I looked into was the error code Primary credentials rejected - No reply message in packet in your AuthProxy log. This help article says to set pass_through_all=true under radius_client to resolve this. However, I see in your config that you have done so already, so that shouldn’t be a problem.

Give my suggestion a try, and if you’re still encountering trouble, I recommend reaching out to Duo Support for further troubleshooting and help.

Fred06 · ‎11-10-2020

Thank you for your quick response!

Thanks for correcting the post, I’ll know for next time

Then indeed the radius_client line was already configured right. I made a mistake in the post.

Here is a quick schematic of the current configuration.

Hopefully it will help to solve the problem.

Thank’s in advance.