Windows VPN client fails to connect

I have an existing Windows 2012 Server with RRAS setup and working. I have installed the Duo Authentication Proxy on the server and configured it to use Active Directory as my primary authenticator. I have created a test user and set Network Access Permission to “Allow Access” on the Dial-in tab of the user account’s properties.

The test user successfully connected through RRAS before I started the Duo setup. I have made no changes to Network Policy Server, it is as it came, out of the box. I changed the authentication protocol, on my VPN connection, from MS-CHAP v2 to PAP and I noticed that the type of sign in has automatically changed from “Username and Password” to “General Authentication Method”.

I followed Duo’s knowledgebase article for setting up Microsoft RRAS. I manually created a user in my Duo account with the same username is my AD user.

I have run the Duo Authentication Proxy Connectivity Tool and it reports no errors however when I try to connect I receive the error “The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

Can anybody suggest how to troubleshoot this issue to determine why the VPN connection is failing?



Hi there! Please take a look at the responses in this thread for help with this issue. Let me know if you have any additional questions :slight_smile:

Hi @Amy thank you for reply. I had already seen the thread you referred to, and your suggested solution, and confirmed that my RRAS client connection profile was set to use the “General authentication method” rather than the “Username and password method”.

Thank you for clarifying that! I misread that portion of your initial post. Is your configuration set to use port 1812? It’s possible that could be causing the issue. I found a similar support case that states if you’re running an NPS, you won’t be able to use port 1812 because the NPS consumes all radius traffic by default.
Your best bet for solving this though would be to work with the Duo Support team, as they can take a look at your exact configuration and make recommendations or walk you through the steps to troubleshoot and solve for any issues you’re experiencing. I hope that helps!

Thanks @Amy I spoke to Duo support who provided some guidance on configuring Duo Authentication Proxy when installed on a server running RRAS, although they did advise it was unsupported. I couldn’t get it to work so moved Duo Authentication Proxy to a second server, tweaked the config for the new server and that fixed it!

Thanks for the advice.

1 Like

Great, I am glad you were able to find a solution that worked for you!