RRAS with DUO and other controls or policies

Bill Spicer 26 Reputation points
2022-01-18T16:25:58.067+00:00

We are using a Microsoft RRAS server (2019) with DUO MFA for VPN. The server used SSTP. The server has been very reliable over the years.

One problem with the DUO setup is it breaks network policies on the RRAS server. Once you forward requests to the DUO proxy it bypasses any network policies (NPS) like Idle Timeout, or IP restrictions, etc. I confirmed this with Microsoft.

I would like to find a way to add one more control to our VPN. Maybe a required certificate or something on trusted machines that would prevent users from connecting untrusted machines to the VPN. Since DUO bypasses NPS policies, I'm not sure if this can be done or not.

Looking for others that are using RRAS with some sort of MFA solution that also allows other controls like inactivity, max connection, something to check for trusted equipment.

Thanks


1 answer

  1. Limitless Technology 39,931 Reputation points
    2022-01-19T20:10:13.03+00:00

    Hello @Bill Spicer

    Since the issue is the DUO application bypassing the NPS policies functionality, there is little that the Microsoft community can contribute. My recommendation will be to open a question on the DUO community forums, since they may be better prepared and experienced to answer this question.

    On my end, as far as my knowledge goes, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.

    Hope this helps with your query,

    --If the reply is helpful, please Upvote and Accept as answer--
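
The topology described in the answer above, sketched as a Duo Authentication Proxy `authproxy.cfg` (an added example, not part of the original answer and not taken from Duo or Microsoft documentation). All addresses, secrets and keys are placeholders, and it assumes the Duo proxy has been registered on the NPS server as a RADIUS client with the same shared secret, so that NPS network policies are evaluated during primary authentication.

```ini
; authproxy.cfg on the Duo Authentication Proxy
; Every value below is a placeholder chosen for this example.

[radius_client]
; Primary authentication goes to NPS over RADIUS rather than
; straight to Active Directory, so NPS can apply its network policies
; before Duo is asked for the second factor.
host=192.0.2.10
secret=<shared secret defined for the Duo proxy on NPS>
port=1812

[radius_server_auto]
; Duo application credentials from the Duo Admin Panel
ikey=<integration key>
skey=<secret key>
api_host=<Duo API hostname>

; RRAS is the RADIUS client of the Duo proxy
radius_ip_1=192.0.2.20
radius_secret_1=<shared secret between RRAS and the Duo proxy>

; Use the [radius_client] section above for primary authentication
client=radius_client
port=1812

; Reject logins if Duo's service cannot be reached, instead of
; falling back to primary authentication only
failmode=secure
```

With this layout, a request rejected by an NPS network policy fails at primary authentication and never reaches the Duo second-factor step. Whether session attributes set by NPS reach RRAS depends on how the proxy relays them, so verify each policy with a test connection.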

