Windows Pre VPN

Kurt Warner
Level 1

We have Meraki doing our VPN; our users log into it via the VPN, with Windows pre VPN. Push works fine, but when our users who have hardware tokens try to log in, it is not working (even using the ,). Any ideas how to fix this?

6 Replies

ccieexpert
Spotlight

Does it work with regular VPN, post login? Have you verified that the hardware tokens work with other apps?

https://guide.duo.com/anyconnect

Use this guide as reference.

Yes, tokens work. The issue is when the password is passed to Meraki via the Windows login we get a password error.

DuoKristina
Cisco Employee

What protocol are you using for RADIUS authentication between the Authentication Proxy server and the Meraki device? If you have set this up with radius_server_auto and radius_client in authproxy.cfg, and you are using MSCHAPv2 instead of PAP, users cannot append passcodes to their passwords.
https://help.duo.com/s/article/2084?language=en_US

When you have issues with RADIUS authentication, your first step should always be to enable debug logging at the Duo Authentication Proxy, reproduce the issue, and then examine the resulting output.

https://help.duo.com/s/article/2953?language=en_US

For example, if the issue is in fact that you are trying to use OTP concatenation with MSCHAPv2, the authproxy.log output will say "Allow concat is configured, but is not supported with MS-CHAPv2 authentication".

Duo, not DUO.

We are not getting auth-related errors; we are getting errors post auth, when Windows is passed the password to log in.

Kurt Warner
Level 1

We tested manually specifying the delimiter and enabling concatenation, as well as using [radius_server_concat]. Duo is still passing the concatenated password to Windows and the login is failing.

Ah, ok.

If you're logging in with the Windows OS VPN client, then Windows has no idea that the string it caches for the password is not actually the password, but is the password + concatenated information. It just stores and replays the whole string. There isn't a solution for this except not using concat.

https://help.duo.com/s/article/2987?language=en_US

Duo, not DUO.
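The behaviour described in the replies above, as an added example that is not part of the thread and is not Duo's or Windows' code: a simplified Python model of why a `password,passcode` string can be split when the proxy sees cleartext (PAP), cannot be split under a challenge-response protocol, and fails when the Windows VPN client replays the cached string at logon. HMAC-SHA256 stands in for MS-CHAPv2, splitting on the last delimiter is an assumption, and the sample password, passcode and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

DELIMITER = ","                  # delimiter mentioned in the thread
AD_PASSWORD = "Corr3ct-Horse"    # constructed sample directory password
TOKEN_CODE = "123456"            # constructed sample hardware-token passcode


def split_concat(cleartext, delimiter=DELIMITER):
    """PAP path: the proxy receives cleartext, so it can peel off the passcode."""
    if delimiter not in cleartext:
        return cleartext, None
    password, _, factor = cleartext.rpartition(delimiter)
    return password, factor


def challenge_response(secret, challenge):
    """Stand-in for a challenge-response exchange (not real MS-CHAPv2)."""
    return hmac.new(secret.encode(), challenge, hashlib.sha256).digest()


def directory_accepts_password(candidate):
    """Directory check when the cleartext password is available."""
    return hmac.compare_digest(candidate.encode(), AD_PASSWORD.encode())


def directory_accepts_response(response, challenge):
    """Directory check when only a response derived from the password is sent."""
    expected = challenge_response(AD_PASSWORD, challenge)
    return hmac.compare_digest(response, expected)


def simulate(typed):
    """Feed the string the user typed through the three paths in the thread."""
    challenge = os.urandom(16)
    password, factor = split_concat(typed)
    response = challenge_response(typed, challenge)  # computed over the WHOLE string
    return {
        # PAP: proxy splits, then checks the primary password on its own.
        "pap_primary_ok": directory_accepts_password(password),
        "pap_factor": factor,
        # Challenge-response: nothing to split, response never matches.
        "chap_primary_ok": directory_accepts_response(response, challenge),
        # Windows VPN client caches and replays the full typed string at logon.
        "windows_replay_ok": directory_accepts_password(typed),
    }


if __name__ == "__main__":
    print(simulate(AD_PASSWORD + DELIMITER + TOKEN_CODE))  # hardware-token user
    print(simulate(AD_PASSWORD))                           # push user, no concat
```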