
Duo with multiple NPS network policies

Phil Bradley
Level 4

Is it possible to have the Duo RADIUS client integrate with multiple NPS policies? For example, I have a policy on NPS for VPN users and another for network device admins. In NPS, the RADIUS client gets assigned a friendly name and then that name gets matched to a policy. Since the Duo server is only one device, it gets mapped to a common friendly name on the NPS server, which would always match one policy.

3 Replies

Phil Bradley
Level 4

I did find a solution to my problem, and in case anyone else is interested, this is what I did.

Microsoft NPS can only have one RADIUS client with the same IP. I added the Duo server as the client with a friendly name.

In my NPS policies I added the friendly name as a requirement and also added NAS IPv4. I set up multiple RADIUS clients in the Duo config, and in each one I added nas_ip= to some unique value. This way the policy could get selected based on this value.

Hello pbradley435,
I am interested in doing something similar. Can you post a sample config file of how you set this up? Thanks.

rbrian
Level 1

I realize this is an old post, but I also found this post while trying to find out how to configure Duo to work with multiple NPS policies.

Piggybacking off pbradley’s previous post, here’s an article you’ll want to reference:
Can the Duo Authentication Proxy include multiple client sections?
https://help.duo.com/s/article/2216?language=en_US

Basically, you can create multiple [radius_server_auto] and [radius_client] sections and assign them to the particular service you are looking to protect. These Duo configurations are pointed to a particular NPS policy via the “nas_ip” radius_client option.

– create a [radius_server_auto2] and [radius_client2] section
  – change “client=” to use your new radius_client2
– in [radius_client2], add nas_ip=some unique value

In NPS, you configure your multiple policies, and add a “Condition” for “NAS IPv4 Address” to the same unique value. I used 1.1.1.1 for my first [radius_client], 2.2.2.2 for my second [radius_client2]. I did not use friendly names.
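
The layout described in this thread, written out as a constructed authproxy.cfg and checked with a short script. This is an added example, not from any poster or from Duo: the 192.0.2.x addresses, the ports and the PLACEHOLDER values are assumptions, and the nas_ip values are the ones mentioned above. The function returns the value each service needs in its NPS “NAS IPv4 Address” condition and rejects a config where two services would land on the same policy.

```python
import configparser
# Constructed sample authproxy.cfg: placeholder keys/secrets, documentation-range addresses.
SAMPLE_CFG = """
[radius_client]
host=192.0.2.10
secret=PLACEHOLDER_NPS_SECRET
nas_ip=1.1.1.1

[radius_client2]
host=192.0.2.10
secret=PLACEHOLDER_NPS_SECRET
nas_ip=2.2.2.2

# VPN users
[radius_server_auto]
ikey=PLACEHOLDER_IKEY_VPN
skey=PLACEHOLDER_SKEY_VPN
api_host=PLACEHOLDER_API_HOST
radius_ip_1=192.0.2.20
radius_secret_1=PLACEHOLDER_VPN_SECRET
client=radius_client
port=1812

# Network device admins
[radius_server_auto2]
ikey=PLACEHOLDER_IKEY_ADMIN
skey=PLACEHOLDER_SKEY_ADMIN
api_host=PLACEHOLDER_API_HOST
radius_ip_1=192.0.2.30
radius_secret_1=PLACEHOLDER_ADMIN_SECRET
client=radius_client2
port=1813
"""

def nps_policy_map(cfg_text):
    """Return {server_section: nas_ip}; raise ValueError if NPS could not tell services apart."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    mapping = {}
    for name in cfg.sections():
        if not name.startswith("radius_server_auto"):
            continue
        client = cfg[name].get("client", "")
        if not client.startswith("radius_client") or client not in cfg:
            raise ValueError(f"{name}: client={client!r} is not a radius_client section")
        nas_ip = cfg[client].get("nas_ip")
        if not nas_ip or nas_ip in mapping.values():
            raise ValueError(f"{client}: nas_ip missing or reused, NPS would match one policy")
        mapping[name] = nas_ip
    return mapping
```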
