RRAS w/2FA and password expiration or changes

DrWats0n
Level 1

Hello,
Here’s our environment:
Win2k8 R2 server, SSTP, running the Duo proxy; native Win7 and Win10 clients. Set up and working, but having an issue related to passwords.

We’ve completed some testing today and it does not appear that password changes are working when connecting to RRAS remotely via Duo 2FA mobile app. The two scenarios tested were:

  1. When a domain password expires
  2. When an admin selects “user must change password at next logon”

When not using Duo you get prompted via the native windows client to change your password. When using / requiring 2FA you simply don’t get connected and you don’t get prompted / notified about an issue with your password.

Please advise on how to get this working as this client changes passwords for remote users quite often and if this feature is not available it will impact their workflow considerably.

4 Replies

DuoKristina
Cisco Employee (Accepted Solution)

Password change is only possible via RADIUS when MSCHAPv2 is used instead of PAP. This requires an upstream RADIUS authenticator (instead of pointing the Duo proxy to an Active Directory DC).

Learn more about this configuration here.

Feel free to contact Duo support for more advice about changing your RADIUS configuration.

Duo, not DUO.
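
As an added illustration of why the PAP/MS-CHAPv2 distinction above matters on the wire (example code written for this edit, not Duo's code and not from the original post): with MS-CHAPv2, a RADIUS server that handles the challenge/response itself can answer a failed login with a Microsoft vendor-specific MS-CHAP-Error attribute (RFC 2548, Vendor-Id 311, Vendor-Type 2) whose text carries an error code defined in RFC 2759 section 6. Code 648 (ERROR_PASSWD_EXPIRED) is what lets a VPN client know it should offer a password change. A PAP Access-Reject carries, at most, a free-text Reply-Message, so there is nothing for the client to act on. The two packets below are constructed locally with an assumed shared secret and a fixed Request Authenticator; the parser verifies the Response Authenticator (RFC 2865) before trusting the attributes.

```python
"""Classify a RADIUS Access-Reject: does it carry an MS-CHAPv2 'password expired' signal?

Added example, not Duo Authentication Proxy code. Packets and secret below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_CHAP_ERROR = 2  # Microsoft Vendor-Type for MS-CHAP-Error (RFC 2548)

# MS-CHAPv2 failure codes from RFC 2759 section 6
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value


def ms_chap_error(ident: int, text: str) -> bytes:
    """Wrap an MS-CHAP-Error (Ident byte + failure string) in a Microsoft Vendor-Specific attribute."""
    payload = text.encode("ascii")
    vendor_attr = bytes([MS_CHAP_ERROR, 3 + len(payload), ident]) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT) + vendor_attr)


def build_reject(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Reject with a valid Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_REJECT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_reject(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the Response Authenticator so a forged reject is not acted upon."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def iter_attrs(data: bytes):
    """Yield (type, value) pairs; refuse malformed lengths instead of looping forever."""
    pos = 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield t, data[pos + 2:pos + length]
        pos += length


def parse_ms_chap_error(text: str) -> dict:
    """Parse the RFC 2759 failure string 'E=eee R=r C=<hex> V=v M=<msg>' (message may contain spaces)."""
    fields = {}
    for token in text.split(" "):
        if token.startswith("M="):
            fields["M"] = text[text.index("M=") + 2:]
            break
        key, _, val = token.partition("=")
        fields[key] = val
    code = int(fields["E"])
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry": fields.get("R") == "1",
        "version": int(fields.get("V", "0")),
        "message": fields.get("M", ""),
    }


def classify_reject(packet: bytes) -> dict:
    """Return why access was rejected and whether a password change is being offered."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REJECT or length != len(packet):
        raise ValueError("not a well-formed Access-Reject")
    result = {"reason": None, "change_password": False, "reply_message": None}
    for t, value in iter_attrs(packet[20:]):
        if t == ATTR_REPLY_MESSAGE:
            result["reply_message"] = value.decode("utf-8", "replace")
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_MICROSOFT:
            for vt, vval in iter_attrs(value[4:]):
                if vt == MS_CHAP_ERROR:
                    err = parse_ms_chap_error(vval[1:].decode("ascii"))  # vval[0] is the Ident byte
                    result["reason"] = err["name"]
                    result["change_password"] = err["code"] == 648
    return result


# Constructed inputs (assumed secret and request authenticator, not captured traffic)
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))

# MS-CHAPv2 path: the server tells the client the password expired (E=648)
MSCHAP_REJECT = build_reject(
    7, REQ_AUTH, SECRET,
    ms_chap_error(1, "E=648 R=0 C=" + "00" * 16 + " V=3 M=Password expired"))

# PAP path: at most a human-readable Reply-Message, nothing the client can act on
PAP_REJECT = build_reject(8, REQ_AUTH, SECRET, attr(ATTR_REPLY_MESSAGE, b"Access denied"))

if __name__ == "__main__":
    for name, pkt in (("MS-CHAPv2", MSCHAP_REJECT), ("PAP", PAP_REJECT)):
        print(name, verify_reject(pkt, REQ_AUTH, SECRET), classify_reject(pkt))
```

The practical point: only the MS-CHAPv2 reject carries a code the client can map to "offer a password change", and the client should only honour it after the Response Authenticator checks out against the shared secret.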

DrWats0n
Level 1

Thank you, Kristina!
I appreciate your help.

bradb1
Level 1

Hi Kristina,

I realize this is an old post, but we’re experiencing the same issue: users aren’t getting notification that their password will expire until it’s already expired, and then the user can’t authenticate.
This is happening using a RADIUS setup on an AD DC. I looked over the solution you provided, but my concern is that MSCHAP and MSCHAPv2 have several exposed weaknesses and are susceptible to brute force attacks.

Are there any other suggestions you may have for getting password notifications to our users while using Duo?

Thank you.

@bradb,

Sorry, not with RADIUS and the Duo Authentication Proxy performing both primary and secondary auth. The Duo Proxy does not support other methods like EAP-MSCHAPv2 today.

Using the Authentication Proxy as an LDAP server might allow the password change, but it’s not clear to me if you are also using RRAS. I don’t know if you can point RRAS to an alternative LDAP server; I haven’t ever tried. If you are not using RRAS, does your solution support LDAP authentication, or does it support chained authenticators (so you could continue to use AD auth for primary and add Duo auth as secondary only, with RADIUS and radius_server_duo_only)?

Duo, not DUO.