DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Duo MFA Draytek Integration

03 Jul 2022 01:33 #1 by gvrvm
Duo MFA Draytek Integration was created by gvrvm
Hi All,

Hoping someone can help with Duo MFA integration with any model of Draytek.

We have this working without issue with other manufacturers but we can't get it working with a Draytek.

The setup is simple: users can already successfully connect using the Draytek Smart VPN Client, and the Draytek router in turn authorises users via NPS on a Windows Server.

If we take NPS out of the equation and put the Duo Proxy in between the Draytek and Windows Server, using the Duo Proxy as the Radius Server for the Draytek to go through, everything works, but only while MFA is turned off.

Turn on MFA via Policies in the Duo portal and users can't successfully connect.

When trying to connect, users enter their credentials as usual; they then receive the Push notification as expected, but before they have the opportunity to Approve the connection they receive an error from the Draytek VPN Client saying that their credentials are incorrect.

Given the speed that happens, I suspect it's a Radius Timeout issue, the one common setting not available on Draytek routers for some reason. That, or the Draytek is receiving something back it doesn't like.

Anyone here got Duo MFA successfully working using Draytek's native VPN?

Cheers,
GVR

20 Dec 2023 21:18 #2 by scroucher
Replied by scroucher on topic Re: Duo MFA Draytek Integration
Did you ever get this working? I've set Duo as a Radius server with my 2862 as the client. The Duo proxy complains that no password has been passed on by the Vigor router.

Steve

22 Dec 2023 17:22 #3 by gvrvm
Replied by gvrvm on topic Re: Duo MFA Draytek Integration
Afraid not.

I raised a support case with Draytek.
I went around in circles with them as I don't think the Draytek support person ultimately understood the problem.

I believe the lack of radius server timeout settings, common on other routers, is ultimately the problem.
Without that, the Draytek appears to immediately close the connection before allowing credentials to be passed through in time.

In the end we abandoned using Draytek VPN and for those customers with Servers, used Windows VPN SSTP and Routing & Remote Access and/or Network Policy roles.

A pain I know, if you have a lot of people, but far easier.

25 Dec 2023 09:22 #4 by scroucher
Replied by scroucher on topic Re: Duo MFA Draytek Integration
Looking at Wireshark logs, it looks to me as if the Vigor doesn't send a password in the initial RADIUS message but also doesn't correctly handle the subsequent password challenge.

Steve
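Added example, not part of any post in this thread: a Python check for the two things post #4 looks for in a capture, namely whether an Access-Request carries any credential attribute, and whether the request that follows an Access-Challenge echoes its State attribute (RFC 2865 requires it to be returned unchanged). The sample datagrams are constructed here and do not represent real Vigor or Duo proxy traffic; the function names are this example's own.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
CRED_ATTRS = {2: "User-Password", 3: "CHAP-Password", 79: "EAP-Message"}
MS_CRED = {1: "MS-CHAP-Response", 25: "MS-CHAP2-Response"}  # vendor 311, RFC 2548
STATE, VENDOR_SPECIFIC = 24, 26

def parse(pkt):
    """Split one RADIUS datagram into (code name, identifier, [(type, value)])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field disagrees with datagram size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("malformed attribute at offset %d" % off)
        attrs.append((pkt[off], pkt[off + 2:off + pkt[off + 1]]))
        off += pkt[off + 1]
    return CODES.get(code, "code %d" % code), ident, attrs

def credentials(attrs):
    """Names of the credential-bearing attributes present."""
    found = [CRED_ATTRS[t] for t, _ in attrs if t in CRED_ATTRS]
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and len(v) >= 5 and v[:4] == (311).to_bytes(4, "big"):
            if v[4] in MS_CRED:
                found.append(MS_CRED[v[4]])
    return found

def answers_challenge(challenge, request):
    """True if request echoes the challenge's State and carries a credential."""
    _, _, c_attrs = parse(challenge)
    _, _, r_attrs = parse(request)
    want = [v for t, v in c_attrs if t == STATE]
    got = [v for t, v in r_attrs if t == STATE]
    return bool(want) and want == got and bool(credentials(r_attrs))

def build(code, ident, attrs):
    """Constructed sample datagram (zeroed authenticator), for the demo only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: a request with only User-Name, a challenge, two possible replies.
first = build(1, 7, [(1, b"alice")])
chal = build(11, 7, [(18, b"Enter passcode"), (24, b"sess-01")])
good = build(1, 8, [(1, b"alice"), (2, bytes(16)), (24, b"sess-01")])
bad = build(1, 8, [(1, b"alice"), (2, bytes(16))])
```

To run it against a real capture, pass the raw UDP payload of each RADIUS datagram to `parse` in place of the constructed samples.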

02 Jan 2024 20:55 #5 by gvrvm
Replied by gvrvm on topic Re: Duo MFA Draytek Integration
The issue is definitely with the Draytek, of that I have no doubt.

We work with a multitude of router/firewall vendors; Draytek currently are the only manufacturer we've been unable to make Duo work with (unfortunately).
