Wifi authenticate NPS with DUO MFA

Protecting Applications forum Authentication Proxy
#1

Hi All,

I’m new to DUO, trying to set up DUO as MFA for our WIFI.
Background: Guest wifi and WPA-Enterprise ( Staff wifi) with our NPS Server.
Only 1 server running AD, DNS, and NPS.
Tried the guide: https://help.duo.com/s/article/4785?language=en_US
config as below
[ad_client]
host=10.10.10.12
service_account_username=administrator
service_account_password=password
search_dn=DC=awh,DC=local

[radius_client]
host=10.10.10.12
secret=password
pass_through_all=true
port=1812

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=10.10.10.12
radius_secret_1=password
failmode=safe
client=radius_client
port=1812

I’m puzzling over the radius client IP address. Is it referring to my NPS or authentication proxy?
It’s installed on the same server.
Come back with a warning after hitting validation.

[warn] We cannot confirm that the Auth Proxy was able to establish a RADIUS connection to 10.10.10.12:1812. In the case of an actual failure, this may be due to a misconfigured secret or network issues. This may also happen if the upstream RADIUS Server does not support the Status-Server message

Need help…

#2

Hi @Jameslim89! The radius_ip_1 refers to the IP address of the appliance that is connected to the Authentication Proxy, so in this case, that would be your NPS. I believe you have this configured correctly. You can always follow up with the Duo Support team to be sure!

This error message is benign and can be disregarded in the event that you are using a RADIUS server that does not support Status-Server responses such as NPS (more info here). You should be good to go with this.

#3

Hi @Jameslim89 ,

This config says the Duo Authentication Proxy is listening for RADIUS requests on 1812 (in radius_server), but will also send them to NPS on 1812 (in radius_client).

Obviously both NPS and the Duo proxy can’t both be listening on 1812 at the same time.

We don’t recommend colocating the Duo proxy with NPS or the DC role, but if you must then you will need to make sure the Duo proxy uses a different port for RADIUS than NPS does. So, if NPS is already using 1814 then change the [radius_server_auto] port value to something else, like port=1814, and then in NPS update the RADIUS properties for the Duo proxy client you added to use that new port.

1 Like