Windows 2012R2 RRAS + DUO

I can’t get DUO to trigger. I can connect to VPN but never hit DUO Proxy Server.

Server #1 - DUO Proxy Installed

Server #2 - Windows Server RRAS + NPS

Here is a cleansed version of my config file. Does this hold water? Missing anything?

[radius_client]
host=XXX.XXX.XXX.XXX (I am assuming this is the IP of Server #1 a.k.a DUO) yes/no anyone?
secret=007secret

[ad_client]
host=DomCtrlr1
host_2=DomCtrlr2
host_3=DomCtrlr3
service_account_username=serviceaccountname
service_account_password=serviceaccountpassword
search_dn=DC=computer,DC=com
security_group_dn=CN=Group,OU=OrgUnit,DC=computer,DC=com

[radius_server_auto]
ikey=xxxxxxx
skey=xxxxxxx
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
factors=push
api_timeout=0
radius_ip_1=XXX.XXX.XXX.XXX (I am assuming this is the IP of Server #2 a.k.a RRAS+NPS) yes/no anyone?
radius_secret_1=007secret
failmode=safe
client=ad_client
port=1812

[Screenshot: RRAS Security/Authentication Method]

[Screenshot: NPS Connection Request Policy]

[Screenshot: Network Policy]

WIN 10 VPN Client Settings (Security Tab)
Type of VPN: L2TP/IPsec
Advanced settings: Preshared key
Data encryption: Optional
Authentication: Allow these protocols: PAP (all others not selected/cleared)

Duo Mobile App
Installed on iPhone 10, registered, enrolled

External Firewall
Inbound rules configured correctly - I can connect, but not hitting DUO

I have followed so many guides and I end up at the same location. Any insight out there?

Many thanks!

Are you still having issues? I might be able to help.

I am in the process of reconfiguring the RRAS server, and would love your feedback. Thank you!

I believe one of the things that hung me up was the account running the DUO Proxy service. The account running the service needed AD access for something. I’m trying to remember why I did this (shame on me, no notes on that part). I created a service account on the domain for it. Side note, if this is part of your problem, every DUO proxy software upgrade overwrites the account and I have to go change it back to the AD account.

I just compared my cfg to yours and here are some differences I found.

  1. I don’t have a [radius_client] section at all.
  2. host=domain.com (you don’t have to specify DC’s individually, it will find one on its own)
  3. radius_ip_1=XXX.XXX.XXX.XXX (I am assuming this is the IP of Server #2 a.k.a RRAS+NPS ) yes/no

I’ll look over the RRAS config shortly when I have some more time.

Thank you jrp78.

I also have a domain service account created for DUO.

I have tried so many variations of the config - with [radius_client], without [radius_client]. Nothing seems to hit the service.

The process should happen (I think, correct me if I am wrong) like so:

  1. User connects on Win 10, or macOS with VPN client configured for SSTP & PAP Auth
  2. The router/firewall receives the request and routes it to the RRAS server
  3. The RRAS references the radius client (DUO service) and pushes the request to the DUO Service
  4. The DUO sends a push notification to the user’s phone
  5. The user agrees
  6. DUO sends the confirmation back to the RRAS and the user connects

I am not sure if any of the DUO activity is happening.

You are exactly right. Have you looked at the DUO proxy logs? Is the request even getting that far?
By default, they are located at c:\Program Files (x86)\Duo Security Authentication Proxy\log

I find no evidence of activity from the user request

So it sounds to me like the request is not making it from the RRAS server to the radius server (duo proxy).
Do you have this part of RRAS configured to point to the radius server?
Also, I DO NOT have a Connection Request Policy at all.
EDIT: I’m on Server 2016, I’m not sure where you add the radius IP in 2012.

Yes, my RRAS Security Config is identical to yours. I feel I am so close. I have the correct SSL in place and when I test via a Win 10 client, it times out after verifying sign-in creds, so perhaps a wall between the Duo sec and my Domain Controller.

Built from scratch today - so I am well practiced with the steps. Thank you kindly for your reply.

There are some known issues through all of Win10 with the “popup” WIFI/VPN screen in the lower right hand corner and trying to connect from there – especially Win10 1903. As a test, create a shortcut on your desktop to your VPN connection and put this as the command for the shortcut.

rasphone.exe -d "vpn connection name"