07-18-2024 09:34 AM
We have Meraki doing our VPN; our users log into it via the VPN, with Windows pre VPN. Push works fine, but when our users who have hardware tokens try to log in, it is not working (even using the ,). Any ideas how to fix this?
07-18-2024 11:28 AM
Does it work with regular VPN? Post login? Have you verified that the hardware tokens work with other apps?
https://guide.duo.com/anyconnect
Use this guide as reference.
07-19-2024 06:04 AM
Yes, tokens work. The issue is when the password is passed to Meraki via the Windows log in we get a password error.
07-19-2024 05:43 AM - edited 07-19-2024 05:44 AM
What protocol are you using for RADIUS authentication between the Authentication Proxy server and the Meraki device? If you have set this up with radius_server_auto and radius_client in authproxy.cfg, and you are using MSCHAPv2 instead of PAP, users cannot append passcodes to their passwords.
https://help.duo.com/s/article/2084?language=en_US
When you have issues with RADIUS authentication, your first step should always be to enable debug logging at the Duo Authentication Proxy, reproduce the issue, and then examine the resulting output.
https://help.duo.com/s/article/2953?language=en_US
For example, if the issue is in fact that you are trying to use OTP concatenation with MSCHAPv2, the authproxy.log output will say "Allow concat is configured, but is not supported with MS-CHAPv2 authentication".
07-19-2024 06:03 AM
We are not getting auth-related errors; we are getting errors post auth when Windows is passed the password to log in.
07-19-2024 08:08 AM
We tested manually specifying the delimiter and enabling concatenation as well as using [radius_server_concat]. Duo is still passed the concatenated password to Windows and the login is failing.
07-19-2024 12:04 PM
Ah, ok.
If you're logging in with the Windows OS VPN client, then Windows has no idea that the string it caches for the password is not actually the password, but is the password + concatenated information. It just stores and replays the whole string. There isn't a solution for this except not using concat.
https://help.duo.com/s/article/2987?language=en_US
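An added example, not part of the thread or of Duo's tooling: a small Python check of an authproxy.cfg for the sections where passcode concatenation is in play, plus a scan of authproxy.log lines for the MS-CHAPv2 message quoted in the reply above. The sample config, addresses and log line layout are constructed; the key names (`debug`, `allow_concat`, `delimiter`, `radius_ip_1`) are assumed to match the Authentication Proxy documentation.

```python
import configparser

MSCHAP_MSG = "Allow concat is configured, but is not supported with MS-CHAPv2 authentication"

# Constructed sample config and log lines (placeholder values, not from the thread).
SAMPLE_CFG = """\
[main]
debug=false

[ad_client]
host=dc.example.internal

[radius_server_auto]
client=ad_client
radius_ip_1=192.0.2.10
delimiter=,

[radius_server_concat2]
client=ad_client
radius_ip_1=192.0.2.11
"""
SAMPLE_LOG = [
    "2024-07-19T05:40:01 [-] Sending request from 192.0.2.10 to radius_server_auto",
    "2024-07-19T05:40:01 [-] " + MSCHAP_MSG,
]

def audit_config(cfg_text):
    """Return (section, finding) pairs relevant to passcode concatenation."""
    # interpolation=None: secrets may contain '%'; strict=False tolerates duplicates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    findings = []
    if cp.get("main", "debug", fallback="false").strip().lower() != "true":
        findings.append(("main", "debug logging off; enable it before reproducing"))
    for name in cp.sections():
        if name.startswith("radius_server_concat"):
            findings.append((name, "expects password and passcode in one string"))
        elif name.startswith("radius_server_auto"):
            if cp.get(name, "allow_concat", fallback="").strip().lower() != "false":
                findings.append((name, "append mode not disabled (allow_concat is not false)"))
    return findings

def mschap_concat_hits(log_lines):
    """Return log lines showing concat was attempted over MS-CHAPv2."""
    return [line for line in log_lines if MSCHAP_MSG in line]

if __name__ == "__main__":
    for section, finding in audit_config(SAMPLE_CFG):
        print(f"[{section}] {finding}")
    for line in mschap_concat_hits(SAMPLE_LOG):
        print("log:", line)
```

Any section it reports is one where a user can type password plus passcode into the VPN prompt, which is the string the Windows client then stores and replays at logon.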