
Wifi authenticate NPS with DUO MFA

owen2
Level 1

Hi All,

I’m new to DUO, trying to set up DUO as MFA for our WIFI.
Background: Guest wifi and WPA-Enterprise (Staff wifi) with our NPS Server.
Only 1 server running AD, DNS, and NPS.
Tried the guide: https://help.duo.com/s/article/4785?language=en_US
Config as below:
[ad_client]
host=10.10.10.12
service_account_username=administrator
service_account_password=password
search_dn=DC=awh,DC=local

[radius_client]
host=10.10.10.12
secret=password
pass_through_all=true
port=1812

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=10.10.10.12
radius_secret_1=password
failmode=safe
client=radius_client
port=1812

I’m puzzling over the radius client IP address. Is it referring to my NPS or authentication proxy?
It’s installed on the same server.
It came back with a warning after hitting validation.

[warn] We cannot confirm that the Auth Proxy was able to establish a RADIUS connection to 10.10.10.12:1812. In the case of an actual failure, this may be due to a misconfigured secret or network issues. This may also happen if the upstream RADIUS Server does not support the Status-Server message

Need help…

2 Replies

Amy2
Level 5

Hi @Jameslim89! The radius_ip_1 refers to the IP address of the appliance that is connected to the Authentication Proxy, so in this case, that would be your NPS. I believe you have this configured correctly. You can always follow up with the Duo Support team to be sure!

This error message is benign and can be disregarded in the event that you are using a RADIUS server that does not support Status-Server responses such as NPS (more info here). You should be good to go with this.

DuoKristina
Cisco Employee

Hi @Jameslim89 ,

This config says the Duo Authentication Proxy is listening for RADIUS requests on 1812 (in radius_server), but will also send them to NPS on 1812 (in radius_client).

Obviously NPS and the Duo proxy can’t both be listening on 1812 at the same time.

We don’t recommend colocating the Duo proxy with NPS or the DC role, but if you must then you will need to make sure the Duo proxy uses a different port for RADIUS than NPS does. So, if NPS is already using 1814 then change the [radius_server_auto] port value to something else, like port=1814, and then in NPS update the RADIUS properties for the Duo proxy client you added to use that new port.

Duo, not DUO.
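
As an added example (not part of the thread and not Duo's own tooling): a small Python check for the port clash described in the reply above, where a [radius_server_*] listener and the [radius_client] upstream it forwards to sit on the same host and the same UDP port. The sample config is constructed with placeholder secrets, and treating 1812 as the default for an omitted port= is an assumption of this sketch.

```python
import configparser

DEFAULT_RADIUS_PORT = 1812  # assumption: used when a section omits port=

# Constructed sample mirroring the layout in the question; secrets are placeholders.
SAMPLE_CFG = """
[radius_client]
host=10.10.10.12
secret=PLACEHOLDER
port=1812

[radius_server_auto]
ikey=PLACEHOLDER
skey=PLACEHOLDER
api_host=PLACEHOLDER
radius_ip_1=10.10.10.12
radius_secret_1=PLACEHOLDER
failmode=safe
client=radius_client
port=1812
"""

def find_port_conflicts(cfg_text, local_addrs):
    """Return (server_section, client_section, port) for each proxy listener
    whose upstream RADIUS server is on this host and uses the same UDP port."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(cfg_text)
    conflicts = []
    for name in cfg.sections():
        if not name.startswith("radius_server_"):
            continue
        listen_port = cfg.getint(name, "port", fallback=DEFAULT_RADIUS_PORT)
        client = cfg.get(name, "client", fallback=None)
        if client is None or not client.startswith("radius_client") or not cfg.has_section(client):
            continue  # e.g. client=ad_client: no upstream RADIUS hop to collide with
        upstream_host = cfg.get(client, "host", fallback="")
        upstream_port = cfg.getint(client, "port", fallback=DEFAULT_RADIUS_PORT)
        if upstream_host in local_addrs and upstream_port == listen_port:
            conflicts.append((name, client, listen_port))
    return conflicts

if __name__ == "__main__":
    # local_addrs: addresses of the machine the proxy runs on (constructed values)
    for server, client, port in find_port_conflicts(SAMPLE_CFG, {"10.10.10.12", "127.0.0.1"}):
        print(f"[{server}] listens on UDP {port}, but [{client}] forwards to the same host and port")
```

An empty result means no listener shares a host and port with its own upstream; it does not check whether some other local service already holds the listener's port.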