10-07-2016 06:20 AM
Hi,
We are using an RRAS VPN server on Windows Server 2012 R2 for our Windows 10 and OS X users. The authentication method on RRAS is MSCHAPv2.
Users now authenticate over Duo Push (and maybe Duo Callback, I haven’t tried it yet).
Can we use the hardware tokens as well?
As far as I know, Windows 10 doesn’t support OTP.
I’m not sure whether OS X supports OTP either.
Thank you!
10-07-2016 06:40 AM
Hey Exonix,
To use other auth methods in your setup, try Append Mode
https://guide.duosecurity.com/append-mode
Cheers
10-07-2016 07:49 AM
Sorry, I didn’t understand… this is my Duo config:
[radius_client]
host=192.168.0.16
secret=YYYYYYYY
[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXX
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=XXXXXXXXX.duosecurity.com
radius_ip_1=192.168.0.20
radius_secret_1=YYYYYYYY
failmode=safe
client=radius_client
port=1812
In the default policy, only Duo Mobile passcodes are enabled.
I try to connect, enter my password,passcode from the Duo Mobile app, and get an error:
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] Sending request from 192.168.0.20 to radius_server_auto
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] Received new request id 67 from ('192.168.0.20', 53436)
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] (('192.168.0.20', 53436), 67): login attempt for username u'user.name'
2016-10-07 16:40:26+0200 [DuoForwardServer (UDP)] Sending request for user u'user.name' to ('192.168.0.16', 1812) with id 137
2016-10-07 16:40:26+0200 [RadiusClient (UDP)] Got response for id 137 from ('192.168.0.16', 1812); code 2
2016-10-07 16:40:26+0200 [RadiusClient (UDP)] http POST to https://XXXXXXXXX.duosecurity.com:443/rest/v1/preauth
2016-10-07 16:40:26+0200 [-] Starting factory <_DuoHTTPClientFactory: https:/XXXXXXXXXXX.duosecurity.com:443/rest/v1/preauth>
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('192.168.0.20', 53436), 67): Got preauth result for: u'auth'
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('192.168.0.20', 53436), 67): User has no Duo factors usable with this configuration
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('192.168.0.20', 53436), 67): Returning response code 3: AccessReject
2016-10-07 16:40:26+0200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('192.168.0.20', 53436), 67): Sending response
2016-10-07 16:40:26+0200 [-] Stopping factory <_DuoHTTPClientFactory: https://XXXXXXXXXXX.duosecurity.com:443/rest/v1/preauth>
10-07-2016 10:03 AM
Hey Exonix,
Duo says your user has no usable devices with which to auth.
My guess is that you have Duo Mobile enabled for your Duo Administrator account, but not your end user ‘user.name’.
Make sure your end user account is enrolled and has Duo Mobile active: https://duo.com/docs/enrolling_users#manual-enrollment
In the mobile app, you will have two accounts listed. One for “Admin” access to the Duo console, and one for end user access to applications like RRAS.
Going forward - you should contact support for troubleshooting issues such as this one.
Cheers
10-09-2016 03:16 AM
No, he is enrolled.
When he has Duo Push authentication only, he can authenticate.
When he has Duo Mobile passcode authentication only, he cannot authenticate.
10-10-2016 06:44 AM
Hi Aleks,
As Gleezy indicated, you’ll need to contact Duo Support to troubleshoot this issue further. https://duo.com/support
Thanks,
Andrew
10-16-2016 02:16 AM
Hi,
I asked support. They answered that only Duo Push and Duo Callback work with MSCHAPv2.
Or I could use challenge responses if my VPN clients support them.
I’m using the Windows 10 VPN client and the OS X 10.11 VPN client.
How can I configure them for challenge responses? I don’t know whether they support them.
11-04-2016 06:26 AM
Hey Exonix,
To use challenge response mode with Authproxy, change your server section header to read [radius_server_challenge].
https://duo.com/docs/authproxy_reference#radius-challenge
You will need to configure a [radius_client] section as well if you still want to use MS-CHAPv2.
Cheers
11-04-2016 07:25 AM
Hi Gleezy,
I configured RRAS with MS RADIUS to support PAP and MSCHAPv2 at the same time. Working config:
[radius_client]
host=10.10.10.73
secret=123456
[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXXXXXXXXX
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=YYYYYYYYY.duosecurity.com
radius_ip_1=10.10.10.231
radius_secret_1=123456
failmode=safe
client=radius_client
pass_through_all=true
allow_concat=true
port=1812
[main]
debug=true
It works for Windows 10 and OS X 10.11.
Thank you!
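Why the appended passcode only started working once PAP was allowed next to MS-CHAPv2, as an added example (not code from any poster or from Duo): a PAP `User-Password` is only hidden with the RADIUS shared secret (RFC 2865, section 5.2), so a proxy holding that secret can recover `password,passcode` and split it, while an `MS-CHAP2-Response` carries a challenge response from which nothing can be split off. The function names, the sample secret, password and passcode, and the choice to split at the last comma are assumptions made for this sketch.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; requires the RADIUS shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def extract_factor(attrs: dict, secret: bytes, authenticator: bytes):
    """Return (password, factor) as a proxy could see them; None = not extractable."""
    if "User-Password" in attrs:  # PAP: cleartext is recoverable
        clear = pap_reveal(attrs["User-Password"], secret, authenticator)
        # Assumption of this sketch: split at the LAST comma, so a password
        # that itself contains commas stays intact.
        password, sep, factor = clear.rpartition(b",")
        return (password, factor) if sep else (clear, None)
    if "MS-CHAP2-Response" in attrs:  # challenge response only, no cleartext
        return (None, None)
    raise ValueError("no supported credential attribute")

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PAP_REQUEST = {"User-Password": pap_hide(b"Winter,2016!,123456", SECRET, AUTHENTICATOR)}
MSCHAP_REQUEST = {"MS-CHAP2-Response": bytes(50)}  # placeholder bytes only

if __name__ == "__main__":
    print(extract_factor(PAP_REQUEST, SECRET, AUTHENTICATOR))
    print(extract_factor(MSCHAP_REQUEST, SECRET, AUTHENTICATOR))
```

The same reversibility is the trade-off of this setup: anything that holds the RADIUS shared secret and sees the PAP request can recover the password, so the shared secret needs to be long and random and the path between RRAS and the proxy kept on a trusted segment.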