1564 Views, 8 Helpful, 18 Replies

Inline password reset for RRAS VPN, need clarifications

Alen1
Level 1

Hi,

Preparing to deploy DUO MFA for a remote access VPN (SSTP) based on MS RRAS.
Going to install DUO Authentication Proxy on the RRAS VPN server (a member of our AD domain); the primary authentication method will be Active Directory, and I am planning for authentication between the Proxy and AD to be SSPI.

I have read a lot of documentation and it’s still not clear to me: in the above conditions, when DUO Authentication Proxy is going to be a domain-joined server and the authentication protocol is SSPI, is anything else required to be configured to support changing expired domain accounts’ passwords during the VPN connection to the RRAS server?

Thank you.

18 Replies

Alen1
Level 1

Thank you DuoKristina!

Today I re-read some documents and realized that my problems were mostly caused by the fact that I was always keeping RRAS in my head, although the articles referenced in the RRAS-related document were more global, and some did not even consider RRAS at all but were covering other aspects of DUO MFA.
I have much more understanding now.

Only one simple question is left unanswered: is PAP protected when using an IKE v2 VPN, like with SSTP and L2TP over IPSec?

Alen1
Level 1

Hi,

A quick question: reading the DUO AP reference guide, in the auth_type configuration section I see this:

If the host value is a domain controller with hostname , the proxy will use Kerberos if an LDAP Service Principal Name (SPN) exists for that target DC as ldap/hostname . If no such SPN exists, the proxy falls back to NTLM.

If the host value is an IP address, the proxy will use NTLM.

I guess NTLM2 is meant here, in both places, right, not the original NTLM v1?!
Also, is there a quick way to check if the ldap/hostname SPN exists or not?

Thank you.

Yes, ntlm2, the default type.

You can see an object’s SPN in ADUC or with setspn. Microsoft’s documentation is the best reference for this.

Duo, not DUO.
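
The rule quoted from the reference guide can be checked offline against a proxy config and pasted `setspn -L` output. The following is an added example, not part of the thread and not Duo's code; the config fragment, hostnames and setspn output are constructed, and it assumes the quoted rule applies to sections with `auth_type=sspi`.

```python
import configparser
import ipaddress

# Constructed sample: [ad_client] fragment of authproxy.cfg (hosts are made up).
SAMPLE_CFG = """
[ad_client]
host=dc01.corp.example
host_2=10.0.0.11
host_3=dc03.corp.example
auth_type=sspi
"""

# Constructed sample: console output of `setspn -L DC01`.
SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=DC01,OU=Domain Controllers,DC=corp,DC=example:
\tldap/DC01.corp.example
\tldap/DC01
\tHOST/DC01.corp.example
"""

def parse_spns(setspn_output):
    """Return lower-cased SPNs from `setspn -L` output (indented lines only)."""
    return {line.strip().lower() for line in setspn_output.splitlines()
            if line[:1] in (" ", "\t") and "/" in line}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def expected_mechanisms(cfg_text, spns):
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(cfg_text)
    results = {}
    for section in cfg.sections():
        if cfg.get(section, "auth_type", fallback="ntlm2").lower() != "sspi":
            continue  # assumption: the quoted rule only matters for SSPI
        for key, host in cfg.items(section):
            if key != "host" and not key.startswith("host_"):
                continue
            if is_ip(host):
                results[host] = "NTLM (host is an IP address)"
            elif f"ldap/{host}".lower() in spns:
                results[host] = "Kerberos (ldap SPN registered)"
            else:
                results[host] = f"NTLM fallback (check: setspn -Q ldap/{host})"
    return results
```

Calling `expected_mechanisms(SAMPLE_CFG, parse_spns(SAMPLE_SETSPN))` returns one verdict per configured host. For a host reported as falling back, `setspn -Q ldap/<hostname>` on a domain-joined machine confirms whether the SPN is really missing.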

Thank you very much!
You are very knowledgeable and helpful.
