RRAS with DUO and other controls or policies

Question

We are using a Microsoft RRAS server (2019) with DUO MFA for VPN. The server used SSTP. The server has been very reliable over the years.

One problem with the DUO setup is it breaks network policies on the RRAS server. Once you forward requests to the DUO proxy it bypasses any network policies (NPS) like Idle Timeout, or IP restrictions, etc. I confirmed this with Microsoft.

I would like to find a way to add one more control to our VPN. Maybe a required certificate or something on trusted machines that would prevent users from connecting untrusted machines to the VPN. Since DUO bypasses NPS polices, I'm not sure if this can be done or not.

Looking for others that are using RRAS with some sort of MFA solution that also allows other controls like inactivity, max connection, something to check for trusted equipment.

Thanks

Answer 1

Hello @Bill Spicer

Since the issue is the DUO application bypassing the NPS policies functionality there is little that Microsoft community can contribute. My recommendation will be to open a question to DUO community forums since they may be better prepared and experienced to answer this question.

On my end, as far as my knowledge goes, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.

Hope this helps with your query,

--If the reply is helpful, please Upvote and Accept as answer--