I am in the process of reconfiguring the RRAS server, and would love your feedback. Thank you!

I believe one of the things that hung me up was the account running the DUO Proxy service. The account running the service needed AD access for something. I’m trying to remember why I did this(shame on me, no notes on that part). I created a service account on the domain for it. Side note, if this is part of your problem, every DUO proxy software upgrade overwrites the account and I have to go change it back to the AD account.

I just compared my cfg to yours and here are some differences I found.

1. I don’t have a [radius_client] section at all.
2. host=domain.com (you don’t have to specify DC’s individually, it will find one on its own)
3. radius_ip_1=XXX.XXX.XXX.XXX (I am assuming this is the IP of Server #2 a.k.a RRAS+NPS ) yes/no

I’ll look over the RRAS config shortly when I have some more time.

Thank you jrp78.

I also have a domain service account created for DUO.

I have tried so many variations of the config - with [radius_client], without [radius_client]. Nothing seems to hit the service.

The process should happen (I think, correct me if I am wrong) like so:

1. User connects on Win 10, or MAC OS with VPN client configured for SSTP & PAP Auth
2. The router/firewall receives the request and routes it to the RRAS server
3. The RRAS references the radius client (DUO service) and pushes the request to the DUO Service
4. The DUO sends a push notification to the user’s phone
5. The user agrees
6. DUO sends the confirmation back to the RRAS and the user connects

I am not sure if any of the DUO activity is happening.

You are exactly right. Have looked at the DUO proxy logs, is the request even getting that far?
By default, they are located at c:\Program Files (x86)\Duo Security Authentication Proxy\log

I find no evidence of activity from the user request

So it sounds like to me the request is not making it from the RRAS server to the radius server(duo proxy).
Do you have this part of RRAS configured to point to the radius server?
Also, I DO NOT have a Connection Request Policy at all.
EDIT: I’m on Server 2016, I’m not sure where you add the radius IP in 2012.

Yes, my RRAS Security Config is identical to yours. I feel I am so close. I have the correct SSL in place and when I test via a Win 10 client, it times out after verifying sign-in creds, so perhaps a wall between the Duo sec and my Domain Controller.

Built from scratch today - so I am well practiced with the steps. Thank you kindly for your reply.