Windows Built-In VPN Client Issues

shedev · January 2, 2021, 8:35pm

Has anyone seen this before, and if so, what is the cure?

Action needed, but no system prompt, no DUO prompt.

Ultimately times out. I am curious as to why there is a request for action, but no push and no next steps.

I can add a basic framework of my setup for reference.
Configuration Elements

Peplink Balance One Core edge router
Server 2012 R2 Domain Controller with NAP
Server 2019 VPN Server with RRAS + NAP + DUO Proxy
DUO config - I have tried several approaches Radius client, AD client, both, etc.
I have ports 443 open in/out on all relevant devices
Test device: Windows 10, Built-In VPN client

shedev · January 3, 2021, 8:06pm

UPDATE: I figured it out. If you also are trying to do this, I will post a walk-thru.

BabbittJE · January 5, 2021, 5:10pm

While I do not need this (yet), I’m sure many, including myself, would love it if you could post your solution. Thank you, @shedev.

shedev · February 24, 2021, 9:18pm

I can tell you that the NPS plays a role, on both the RRAS server and a domain controller. The setup is simple, but not straightforward. I will post more at a later date.

1234567890 · April 8, 2021, 2:54pm

Currently, we installed DUO on the RRAS server and using Active Directory to authenticate. and it is giving me this error

“ The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

myeakey · April 20, 2021, 8:20pm

@shedev We’re also running into this same issue. I see you resolved it, can you post what was done to do so?

Amy · April 21, 2021, 8:09pm

Hi @myeakey and @1234567890 (and anyone else reading!),
It turns out we had a support case about this, so I am able to share an answer here with you.

This error can occur in Microsoft Routing and Remote Access Server (RRAS) VPN when a user attempts to establish a remote connection. This issue is related to the default sign-in information configured in the RRAS client connection profile. If your application is configured to send an automatic push or phone callback, this error will appear after you approve the login attempt. Note that this issue is not directly related to the Duo for Microsoft RRAS integration, and can occur without Duo in place.

Please refer to the steps below to resolve this issue:

Click Advanced Options in the client VPN connection window.
Click Edit.
Change the Type of sign-in information to “General authentication method” instead of “Username and password”
If you don’t see the “General authentication method” option listed, you may need to delete the client connection profile altogether and recreate it, where “General authentication method” will be the default option.

If the following steps don’t help or you need further assistance, please contact Duo Support.