Session Timeout with RRAS on server 2008 r2

tangobravo
Level 1

I have Duo working with 2008 R2 RRAS for VPN access, but I cannot figure out how to create day/time restrictions and a session timeout. It looks like with RADIUS selected the NPS policies are ignored.

My problem is exactly like this article:
https://social.technet.microsoft.com/Forums/en-US/2eeaa31f-eb5b-4508-b060-c4535faf00b8/rras?forum=winservergen

Can anyone point me in the right direction?

I have followed these instructions to get it working thus far:


jrp78
Level 1

I have the exact same issue on Server 2016. The session timeout is being ignored. I have the Duo Proxy Authentication software/service running on a separate server. Any way to enforce the session timeout?

I found this article and at the end it says MS is aware of it and there is no fix currently.
https://social.technet.microsoft.com/Forums/en-US/113cdbd0-7368-4d7e-b860-48899eb55827/nps-as-a-radius-server65292the-network-policys-are-not-enforced-sometime?forum=winserverNAP

As a workaround, I wrote the following PowerShell script and configured it to run as a scheduled task on my VPN server. I have it set to run every 5 minutes. Our policy is to sever connections after 4 hours.

#Using Radius/2FA breaks NPS policy so the session policy does not work in RRAS
#This script will disconnect VPN users connected longer than 4 hours

#The pipe must end the line; Windows PowerShell does not accept a line that starts with |
$vpnusers = Get-RemoteAccessConnectionStatistics | where {$_.connectionduration -ge 14400} |
    select -ExpandProperty UserName
foreach($user in $vpnusers){Disconnect-VpnUser -UserName $user}

#Code for testing
#foreach($user in $vpnusers){write-host $user}

Thanks for writing this. I’m the one that opened a ticket with Microsoft that tangobravo mentioned. How could I change your script to disconnect everyone at 2 AM? Would I just take out the piped where clause and run it at 2AM?

We don’t have a max session policy but currently I’m rebooting the server every night to knock everyone off and I’d like to avoid rebooting the server so much.

I do wish the inactivity policy worked. Tough to get accurate logout times using RRAS.

Would I just take out the piped where clause and run it at 2AM?

Yep, that should do the trick.
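
The scheduled-task workaround above, extended to cover both the 4-hour cap and the 2 AM disconnect-everyone case from the replies, with a CSV record of each disconnect time. This is an added example, not code posted by anyone in the thread; the script name, parameter names and log path are assumptions, and it uses only the cmdlets and properties that appear in the original script.

```powershell
#Requires -Modules RemoteAccess
# Added example: one script for both scheduled tasks discussed in the thread.
#   .\Disconnect-StaleVpn.ps1 -MaxSeconds 14400   (every 5 minutes: 4-hour cap)
#   .\Disconnect-StaleVpn.ps1 -MaxSeconds 0       (daily at 2 AM: everyone)
# Script name and log path are assumptions; change them for your server.
param(
    [ValidateRange(0, 604800)]
    [int]$MaxSeconds = 14400,
    [string]$LogPath = 'C:\Logs\vpn-disconnect.csv',
    [switch]$ReportOnly      # list what would be disconnected, change nothing
)

# @() keeps this an array even when zero or one session matches.
$sessions = @(Get-RemoteAccessConnectionStatistics |
    Where-Object { $_.ConnectionDuration -ge $MaxSeconds })

$results = foreach ($s in $sessions) {
    $status = 'ReportOnly'
    if (-not $ReportOnly) {
        try {
            Disconnect-VpnUser -UserName $s.UserName -ErrorAction Stop
            $status = 'Disconnected'
        } catch {
            # The user may have dropped between the query and the disconnect.
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    # One audit row per session, so logout times can be reconstructed later.
    [pscustomobject]@{
        Time            = (Get-Date).ToString('s')
        UserName        = ($s.UserName -join ',')
        DurationSeconds = $s.ConnectionDuration
        Status          = $status
    }
}

if ($results) {
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $results | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
$results
```

Run it once with `-ReportOnly` before scheduling it, to confirm the duration threshold matches the sessions you expect.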

tangobravo
Level 1

jrp78,

Thanks, that might be something I can work with.

bspicer
Level 1

Got it to work. Thanks much.
