Showing results for 
Search instead for 
Did you mean: 

DUO MFA, Microsoft RRAS Setup, no option to change authentication provider because NPS is installed



I have a Windows Server 2016 Standard running the Duo Authentication Proxy, we currently protect Microsoft 365 with SSO, RD Gateway and Windows Logon, the next step is for us to protect the VPN Microsoft RRAS.

I have followed the instructions but when i get Change the RRAS Authentication Settings, I do not have the option to change authentication provider because NPS is installed.


What are the next steps? The documentation doesn’t cover this

1 Reply 1

Cisco Employee
Cisco Employee

Hi AdamKnowles, Welcome to the Duo Community!

If you follow the Duo for RRAS documentation at and you have NPS and RRAS installed on the same server, you will need to follow a different set of instructions after successfully installing and configuring the Duo Authentication Proxy. This guide is not fully supported but has been used successfully to resolve support cases.

Please note that we do not recommend installing the Authentication Proxy on a shared, multi-purpose server.

  1. Open the Routing and Remote Access management console.
  2. Right-click on your RRAS server and select Properties.
  3. Check the Allow custom IPsec policy for L2TP connection checkbox.
    Screenshot of Properties menu with 'Allow custom IPsec policy for L2TP connection' box checked
  4. Add your RADIUS secret in the Preshared Key section in NPS.
  5. Increase the RADIUS timeout to 60 seconds in the RADIUS server settings.
    RADIUS server edit dialog with 60 seconds entered for RADIUS timeout
  6. Go to NPS > Remote RADIUS Server and set up a Remote RADIUS Server Gateway and point it at your Authentication Proxy’s IP address. Name it something you will remember. In this example it’s named DAG, but please note that these instructions do not involve a Duo Access Gateway in any way.
    Remote RADIUS server properties screen
  7. In the NPS settings, go to Policies > Remote RADIUS Server and select the Microsoft Routing and Remote Access Service Policy properties.
    Screenshot of Microsoft Routing and Remote Access Service Policy properties dialog
  8. In the properties window, select the Settings > Authentication tab and then select Forward requests to your setup RADIUS server group. Select the group created in Step 2.
    Authentication tab with 'Forward requests to your setup RADIUS server group' option of created group selected

As noted above, it is not recommended to put the Auth Proxy on a shared, multi-purpose server, but if you do decide to put it on the same server as both RRAS and NPS, you will also need to make the following changes:

  1. Add the nas_ip= option to your Authentication Proxy’s [radius_client] section, and set it to a unique IP address that you wish to use for identifying Authentication Proxy traffic.
  2. Create a Connection Request Policy filtered to this NAS IP.
  3. Set the Settings > Authentication tab settings to “Authenticate requests on this server”.
  4. Ensure that this policy has higher priority than the one which forwards requests based on the Client IP.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links