04-28-2022 07:58 AM
Hi,
Preparing to deploy DUO MFA for a remote access VPN (SSTP) based on MS RRAS.
Going to install DUO Authentication Proxy on the RRAS VPN server (member of our AD domain), primary authentication method will be Active Directory, planning authentication between the Proxy and AD to be SSPI.
I have read a lot of documentation and it’s still not clear to me, in the above conditions, when DUO Authentication Proxy is going to be a domain joined server and the authentication protocol to be SSPI, is anything else required to be configured to support expired domain accounts’ passwords change during the VPN connection to RRAS server?
Thank you.
05-02-2022 11:21 AM
Thank you DuoKristina!
Today I re-read some documents, and realized that my problems were mostly caused by the fact I was always keeping RRAS in my head, although articles referenced in the RRAS related document were more global and some even did not consider RRAS at all but were covering other aspects of DUO MFA.
I have much more understanding now.
Only one simple question left unanswered: is PAP protected when using IKE v2 VPN like with SSTP and L2TP over IPSec?
05-12-2022 10:49 AM
Hi,
A quick question, reading DUO AP reference guide, in the auth_type configuration section I see this:
If the host value is a domain controller with hostname, the proxy will use Kerberos if an LDAP Service Principal Name (SPN) exists for that target DC as ldap/hostname. If no such SPN exists, the proxy falls back to NTLM.
If the host value is an IP address, the proxy will use NTLM.
I guess NTLM2 is meant here, in both places, right, not the original NTLM v1?!
Also is there a quick way to check if ldap/hostname SPN exists or not?
Thank you.
05-12-2022 01:26 PM
Yes, ntlm2, the default type.
You can see an object’s SPN in ADUC or with setspn. Microsoft’s documentation is the best reference for this.
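The check discussed above, as an added example that is not part of the original thread or Duo's own code: it applies the quoted rule (IP address means NTLM, hostname means Kerberos only if ldap/hostname is registered) to a given host value. The function name and sample host values are hypothetical, and it assumes it runs on a domain-joined machine and that the SPN lives in the current domain.

```powershell
# Added example. Predicts which SSPI mechanism the quoted rule implies for a
# given "host" value. Function name and sample hosts are hypothetical.
function Get-SspiMechanismForHost {
    param(
        [Parameter(Mandatory)][string]$HostValue
    )

    # Rule: if the host value is an IP address, the proxy will use NTLM.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($HostValue, [ref]$ip)) {
        return [pscustomobject]@{
            Host = $HostValue; Spn = $null; RegisteredOn = $null
            Mechanism = 'NTLM'; Reason = 'host is an IP address'
        }
    }

    # Refuse anything that is not a plain DNS name, so the value can be
    # placed in an LDAP filter without escaping.
    if ($HostValue -notmatch '^[A-Za-z0-9.-]+$') {
        throw "Unexpected characters in host value: $HostValue"
    }

    # Rule: Kerberos only if an SPN ldap/<hostname> exists for the target DC.
    # Same lookup by hand: setspn -Q ldap/<hostname>
    $spn = "ldap/$HostValue"
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $hits = @($searcher.FindAll())   # searches the current domain only

    if ($hits.Count -gt 0) {
        $owner  = $hits[0].Properties['distinguishedname'][0]
        $result = 'Kerberos'; $why = 'SPN is registered'
    } else {
        $owner  = $null
        $result = 'NTLM'; $why = 'no such SPN, proxy falls back to NTLM'
    }

    [pscustomobject]@{
        Host = $HostValue; Spn = $spn; RegisteredOn = $owner
        Mechanism = $result; Reason = $why
    }
}

# Constructed sample values; replace with the host= entries from authproxy.cfg.
'dc01.corp.example.com', '10.0.0.10' |
    ForEach-Object { Get-SspiMechanismForHost -HostValue $_ } |
    Format-Table Host, Spn, Mechanism, Reason -AutoSize
```

A hostname that resolves correctly but is written differently from the registered SPN (short name versus FQDN, or a DNS alias) will show as NTLM here, which is a quick way to spot a host value that silently downgrades from Kerberos.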
05-13-2022 12:27 AM
Thank you very much!
You are very knowledgeable and helpful.