10-27-2021 12:17 PM
Hi to all, my first post here
I have setup with 9 local (non AD) users, Windows Server 2012 Foundation and RRAS role. I would like to strengthen our security by implementing Cisco DUO as described Two-Factor Authentication for Microsoft RRAS VPN connections | Duo Security
We don’t have Active Directory set!
Is it possible to implement Cisco DUO without AD?
Many thanks!!
10-27-2021 02:08 PM
I don’t think you can do this with Duo.
While the Duo Authentication Proxy supports Duo-only authentication over RADIUS (where the Duo proxy does not attempt primary credential verification and only performs two-factor auth), IIRC there isn’t an option in RRAS to chain local primary authentication (for your non-AD users) to external secondary authentication (like adding Duo for 2FA-only via RADIUS).
Even Microsoft’s own MFA solution for RRAS requires use of an external RADIUS server (NPS) and Active Directory.
Granted, it’s been a few years since I looked closely at RRAS and that was enough to make me never want to look again. If someone in the community has more up-to-date info about chaining authentication in RRAS hopefully They’ll chime in.
10-27-2021 10:43 PM
Many thanks for the info! just to clarify; RRAS is already set and my local users are using it.
It’s not a problem to set AD, but i would like to avoid complicating things if it is not necessary.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide