RRAS MSCHAPv2 and authentication methods

Exonix · 2016-10-07 13:22:45 UTC

Hi,
we are using a RRAS VPN server on Windows Server 2012 R2 for our Windows 10 and OS X users. The authentication method on RRAS is MSCHAPv2.
Now users authenticates over DUO Push (and maybe Duo CallBack, i didn’t try yet).

Can we use the hardware tokens as well?
as i know, Windows 10 doesn’t support OPT.
I’m not sure about OS X, whether it supports OTP as well.

Thank you!

gleezy · 2016-10-07 13:40:13 UTC

Hey Exonix,

To use other auth methods in your setup, try Append Mode

https://guide.duosecurity.com/append-mode

Cheers

Exonix · 2016-10-07 14:49:22 UTC

sorry, i didn’t understand… this is my config of DUO:

[radius_client]
host=192.168.0.16
secret=YYYYYYYY

[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXX
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=XXXXXXXXX.duosecurity.com
radius_ip_1=192.168.0.20
radius_secret_1=YYYYYYYY
failmode=safe
client=radius_client
port=1812

in default policy is enabled the Duo Mobile passcodes only.
i try to connect, enter my password,passcode from DUO Mobile app, and getting an error:

2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] Sending request from 192.168.0.20 to radius_server_auto
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] Received new request id 67 from (‘192.168.0.20’, 53436)
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] ((‘192.168.0.20’, 53436), 67): login attempt for username u’user.name’
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] Sending request for user u’user.name’ to (‘192.168.0.16’, 1812) with id 137
2016-10-07 16:40:26+0200 [RadiusClient (UDP)] Got response for id 137 from (‘192.168.0.16’, 1812); code 2
2016-10-07 16:40:26+0200 [RadiusClient (UDP)] http POST to https://XXXXXXXXX.duosecurity.com:443/rest/v1/preauth
2016-10-07 16:40:26+0200 [-] Starting factory <_DuoHTTPClientFactory: https:/XXXXXXXXXXX.duosecurity.com:443/rest/v1/preauth>
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.0.20’, 53436), 67): Got preauth result for: u’auth’
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.0.20’, 53436), 67): User has no Duo factors usable with this configuration
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.0.20’, 53436), 67): Returning response code 3: AccessReject
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.0.20’, 53436), 67): Sending response
2016-10-07 16:40:26+0200 [-] Stopping factory <_DuoHTTPClientFactory: https://XXXXXXXXXXX.duosecurity.com:443/rest/v1/preauth>

gleezy · 2016-10-07 17:37:06 UTC

Hey Exonix,

Duo says your user has no usable devices with which to auth.

My guess is that you have Duo Mobile enabled for your Duo Administrator account, but not your end user ‘user.name’.

Make sure your end user account is enrolled and has Duo Mobile active: https://duo.com/docs/enrolling_users#manual-enrollment

In the mobile app, you will have two accounts listed. One for “Admin” access to the Duo console, and one for end user access to applications like RRAS.

Going forward - you should contact support for troubleshooting issues such as this one.

Cheers

Exonix · 2016-10-09 10:16:23 UTC

no, he is enrolled.
When he has a Duo Push authentication only, then he can authenticate.
When he has a Duo Mobile passcodes authentication only, then he can not authenticate.

Dooley · 2016-10-10 13:44:01 UTC

Hi Aleks,

As Gleezy indicated, you’ll need to contact Duo Support to troubleshoot this issue further. https://duo.com/support

Thanks,
Andrew

Exonix · 2016-10-16 09:16:16 UTC

Hi,
i asked support. They answered, that with MSCHAPv2 works only Duo Push and Duo Callback.
Or i could use challenge responses if my VPN clients are supporting it.
i’m using Windows 10 VPN client and OS X 10.11 VPN Client.
How can i configure them for the challenge responses? i don’t know whether they are supporting it.

gleezy · 2016-11-04 13:26:18 UTC

Hey Exonix,

To use challenge response mode with Authproxy, change your server section header to read [radius_server_challenge].

https://duo.com/docs/authproxy_reference#radius-challenge

You will need to configure a [radius_client] section as well if you still want to use MS-CHAPv2.

Cheers

Exonix · 2016-11-04 14:25:03 UTC

Hi Gleezy,
i configured RRAS with MS RADIUS to support PAP and MSchapV2 at the same time. Working config:
[radius_client]
host=10.10.10.73
secret=123456

[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXXXXXXXXX
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=YYYYYYYYY.duosecurity.com
radius_ip_1=10.10.10.231
radius_secret_1=123456
failmode=safe
client=radius_client
pass_through_all=true
allow_concat=true
port=1812

[main]
debug=true

it works for Windows 10 and OS X 10.11

thank you!