Windows Server 2016 RRAS No Network Access

Darren_Mansell · ‎05-02-2019

Hi,

Unfortunately I’ve spent weeks trying to get Duo working for Microsoft RRAS SSTP VPN.

I think I’m almost there but I’m struggling with the final (hopefully) issue. When connecting to the VPN using the Duo proxy as a RAS, I get no network access over the VPN.

My setup is:
Server 2016 1903 update
No non-standard NPS policies
Followed this guide: Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security
The VPN works fine if I set it to Windows authentication with all other authentication methods allowed (EAP, MS-CHAP v2, CHAP)
Once I set it to Duo proxy as the RAS, I can connect to the VPN, I get the push and it works, but then nothing on the LAN is accessible. No network access at all.
I’ve looked at the NPS and I can’t see anything that would affect it. Perhaps using PAP needs a special policy?

Thanks.

mkorovesisduo · ‎05-02-2019

Hi Darren, please contact Duo support to open a ticket for assistance with your issue.

Darren_Mansell · ‎05-09-2019

I did but they couldn’t help. They said the proxy looks like it’s working because it can communicate so they can’t help with anything else.

The issue is that without Duo proxy set as the radius server, my VPN connection works fine. When changing it to Duo, then setting my VPN client to use PAP only (as directed in the docs) I can log on to the VPN, the Duo push works, but I get no network access.

Without Duo proxy - OK. With Duo proxy - not OK.

Not sure where I can go from here. I wanted to use Duo for my enterprise but if support can’t help I have to look elsewhere.

Darren_Mansell · ‎05-09-2019

Think it’s fixed. I just kept doing updates on both client and server until none were remaining.