Thank you for your tutorial!
I think it is worth mentioning or updating in the description the ability to encrypt the open text password, skey and the secret, using the "authproxy_passwd.exe" tool included in the "bin" folder of the Duo Auth. In addition to that, there is another nice tool for troubleshooting "authproxy_connectivity_tool.exe" which will guide you through the problems, if the service didn't start at the first time.
Thanks for the tip!
Any way to take this a step further and only allow connections from trusted devices? Some sort of certificate or other setting?
Since I made this, Cisco bought it. You may want to check out their docs.
Thanks a lot! I followed your tutorial using Server 2019 Essentials and I cannot get the VPN to work. I have executed the connection_tools.exe app and it found no issues. The error that I get when I try to connect from a Windows 10 box is "The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it". Can you please help me get past this error?
I have seen that one before. Be sure you're only using PAP on your client and not left to automatic or default settings. Also check your firewall ports are open.
RRAS Properties on my Server 2022 do not have the option for RADIUS "Because NPS is installed". Is there another tutorial for that situation? Also I really don't like having to use PAP. Third, does this work on Apple iOS devices for VPN, as I've always used L2TP?
This was made prior to Cisco's purchase. It's possible they do things differently now, but I haven't seen it yet.
@techpub Understood! Your videos are great, I'd love to see an updated one!
Have you had any issues with this with Windows Server 2022 (for RRAS)? I've been slamming my head against the wall for many hours trying to figure this one out. Client says "Connection was terminated because the server didn't respond in a timely manner". Server logs say that it was prevented because of a policy configured on the server. It says specifically, "the authentication method used by the server to verify your username and password may not match the method configured in your connection profile". I'm about to try the Duo support again but that seems futile for integrations.
This video is a few years old so it might be outdated. I haven't checked recently.
@techpub I got it all figured out lol. The biggest issue I had was with the CentOS box that we had their DAP installed on... It had a firewall on by default.
Thanks. How would I get PAP security to work on a Mac client? We have Duo Security 2FA and it works fine on Windows clients only. Can you please shed some light on this issue?
Here's a link to an article that walks you through it:
cloudessa.com/tips-and-tricks/how-to-setup-eap-ttls-with-inner-pap-authentication-protocol-on-mac-os/
I also configured ADDS, RRAS and Duo auth proxy on the same server, on the same machine, but it doesn't work. We get the following error (do we really need to disable all network policies?):
The following error occurred in the Point to Point Protocol module on port: VPN1-127, UserName: user001. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
[main]
debug=true
log_max_files=10
log_max_size=20971520
[ad_client]
host=192.168.2.10
service_account_username=duo
service_account_password=P@ssw0rd1
search_dn=DC=aoyuangroup,DC=local
security_group_dn=CN=DuoVPNUsers,OU=Security Groups,OU=Head Office,DC=aoyuangroup,DC=local
;factors=push
[radius_server_auto]
ikey=myikey
skey=mykey
api_host=api-xxxxxxxxxx.duosecurity.com
radius_ip_1=127.0.0.1
radius_secret_1=P@ssw0rd1
client=ad_client
port=1814
Try changing the AD Client portion also to 127.0.0.1 if the DC and the Duo setup are on the same server.
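Added example (not from the video, the commenters, or Duo): a small audit of an authproxy.cfg like the one posted above, tying in the earlier tip about authproxy_passwd.exe. It lists secrets still stored in clear text and flags one secret value reused across settings. The sample config is constructed, and the `_protected` key names are assumed from Duo's Authentication Proxy documentation; verify them against your proxy version.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample mirroring the posted config (placeholder values only).
SAMPLE_CFG = """\
[main]
debug=true
[ad_client]
host=192.168.2.10
service_account_username=duo
service_account_password=P@ssw0rd1
search_dn=DC=example,DC=local
;factors=push
[radius_server_auto]
ikey=myikey
skey=mykey
radius_ip_1=127.0.0.1
radius_secret_1=P@ssw0rd1
client=ad_client
"""

# Settings that hold a secret in clear text.
PLAINTEXT = re.compile(r"^(skey|service_account_password|radius_secret_\d+)$")

def protected_name(key):
    """Name of the encrypted counterpart (assumed naming, see lead-in)."""
    m = re.match(r"radius_secret_(\d+)$", key)
    return f"radius_secret_protected_{m.group(1)}" if m else key + "_protected"

def audit(cfg_text):
    """Return (kind, location, suggested_key) findings; never echoes secret values."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)
    findings, seen = [], defaultdict(list)
    for section in cp.sections():
        for key, value in cp.items(section):
            if PLAINTEXT.match(key):
                where = f"{section}.{key}"
                findings.append(("plaintext", where, protected_name(key)))
                seen[value].append(where)
    for locations in seen.values():
        if len(locations) > 1:  # same secret used for more than one purpose
            findings.append(("reused", ", ".join(locations), None))
    return findings

if __name__ == "__main__":
    for kind, where, fix in audit(SAMPLE_CFG):
        print(kind, where, f"-> {fix}" if fix else "")
```
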
Is PAP the only one supported even today? I hope not lol.
Yes. I was surprised as well.