Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3844
Views
0
Helpful
6
Replies

Session Timeout with RRAS on server 2008 r2

tangobravo
Level 1
Level 1

‎02-08-2019 07:32 AM

I have duo working with 2008 r2 RRAS for vpn access but I cannot figure out how to create a day/time restrictions and session timeout. Looks like with RADIUS selected the NPS policies are ignored.

My problem is exactly like this article:
https://social.technet.microsoft.com/Forums/en-US/2eeaa31f-eb5b-4508-b060-c4535faf00b8/rras?forum=winservergen

Can anyone point me in the right direction?

I have followed these instructions to get it working thus far:

Labels:
0 Helpful
6 Replies 6

jrp78
Level 1
Level 1

‎02-11-2019 07:49 AM

I have the exact same issue on Server 2016. The session timeout is being ignored. I have the Duo Proxy Authentication software/service running on a separate server. Any way to enforce the session timeout?

0 Helpful

jrp78
Level 1
Level 1
In response to jrp78

‎02-11-2019 09:42 AM

I found this article and at the end it says MS is aware of it and there is no fix currently.
https://social.technet.microsoft.com/Forums/en-US/113cdbd0-7368-4d7e-b860-48899eb55827/nps-as-a-radius-server65292the-network-policys-are-not-enforced-sometime?forum=winserverNAP

As a workaround, I wrote the following powershell script and configured it to run as a scheduled task on my VPN server. I have it set to run every 5 minutes. Our policy is to sever connections after 4 hours.

#Using Radius/2FA breaks NPS policy so the session policy does not work in RRAS
#This script will disconnect VPN users connected longer than 4 hours

$vpnusers = Get-RemoteAccessConnectionStatistics | where {$_.connectionduration -ge 14400} 
| select -ExpandProperty UserName
foreach($user in $vpnusers){Disconnect-VpnUser -UserName $user}

#Code for testing
#foreach($user in $vpnusers){write-host $user}
0 Helpful

bspicer
Level 1
Level 1
In response to jrp78

‎10-28-2020 07:35 AM

Thanks for writing this. I’m the one that opened a ticket with Microsoft that tangobravo mentioned. How could I change your script to disconnect everyone at 2 AM? Would I just take out the piped where clause and run it at 2AM?

We don’t have a max session policy but currently I’m rebooting the server every night to knock everyone off and I’d like to avoid rebooting the server so much.

I do wish the inactivity policy worked. Tough to get accurate logout times using RRAS.

0 Helpful

jrp78
Level 1
Level 1
In response to bspicer

‎10-28-2020 08:22 AM

Would I just take out the piped where clause and run it at 2AM?

Yep, that shoud do the trick

0 Helpful

tangobravo
Level 1
Level 1

‎02-11-2019 10:07 AM

jrp78,

Thanks that might be something I can work with.

0 Helpful

bspicer
Level 1
Level 1

‎10-28-2020 08:40 AM

Got it to work. Thanks much.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents