RRAS w/2FA and password expiration or changes


Here’s our environment:
Win2k8 server R2 SSTP running duo proxy - native Win7 and Win10 clients - setup and working but having an issue related to passwords.

We’ve completed some testing today and it does not appear that password changes are working when connecting to RRAS remotely via Duo 2FA mobile app. Two scenarios tested were

  1. When a domain password expires
  2. When an admin selects “user must change password at next logon”

When not using Duo you get prompted via the native windows client to change your password. When using / requiring 2FA you simply don’t get connected and you don’t get prompted / notified about an issue with your password.

Please advise on how to get this working as this client changes passwords for remote users quite often and if this feature is not available it will impact their workflow considerably.


Password change is only possible via RADIUS when MSCHAPv2 is used instead of PAP. This requires an upstream RADIUS authenticator (instead of pointing the Duo proxy to an Active Directory DC).

Learn more about this configuration here.

Feel free to contact Duo support for more advice about changing your RADIUS configuration.


Thank you, Kristina!
I appreciate your help.