
  • Question

  • I have a Windows 2008 R2 RRAS server which works great for our users.  I have it configured to work with DUO two-factor authentication.  All works great except the "Session Timeout" setting is not working, allowing users to stay connected forever.  In NPS I have set up a Network Policy tied to a group and in that policy I have Session Timeout set to 600 minutes.  Every time I check the server each day I have users connected past that limit.

    I wouldn't think adding the DUO two-factor would affect anything since connections still use the Network Policy.  Here are the instructions I used for DUO https://duo.com/docs/rras though DUO only authenticates and doesn't really control the connections.

    Not sure what else to check.  Would love to find a way to disconnect users after 10 hours of use.

    Sunday, April 30, 2017 3:45 PM

Answers

  • No progress here. I finally opened a case with Microsoft, which is a very slow process, but at least I have a case open.

    I found that if you configure a connection policy to forward to a RADIUS Proxy, all other policies including Network Policies are ignored.

    • Marked as answer by Bill Sp Thursday, May 25, 2017 2:44 PM
    • Edited by Bill Sp Thursday, May 25, 2017 2:45 PM
    Tuesday, May 16, 2017 3:34 PM

All replies

  • Hi Bill Sp,

    1. Did you set the "Session Timeout" in NPS policy > Constraints > Session Timeout?

    2. Please check the NPS event log to confirm whether the client actually matches the policy with Session Timeout.

    3. Enable NPS Accounting; there is a field that contains the value of Session-Timeout. Check whether the value exists and is correct for the clients.

    4. Also test whether common users who connect (VPN, wireless or wired) without two-factor authentication get the setting applied correctly. (We may set the timeout to several minutes for test purposes.)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 1, 2017 7:59 AM
    Moderator
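
Checks 2 and 3 in the reply above can be scripted against the NPS accounting log. This is an added example, not part of the original thread or any Microsoft tooling; it assumes the log is written in the DTS-compliant XML format with the element names `Packet-Type`, `Proxy-Policy-Name`, `NP-Policy-Name` and `Session-Timeout`, and the sample records are constructed.

```python
import xml.etree.ElementTree as ET

ACCESS_ACCEPT = "2"  # RADIUS packet type code for Access-Accept

# Constructed sample records (assumed DTS layout: one <Event> per line).
# RFC 2865 defines Session-Timeout in seconds, so 600 minutes is 36000.
SAMPLE_LOG = [
    '<Event><User-Name data_type="1">CORP\\alice</User-Name>'
    '<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>'
    '<NP-Policy-Name data_type="1">VPN Access Policy</NP-Policy-Name>'
    '<Session-Timeout data_type="0">36000</Session-Timeout>'
    '<Packet-Type data_type="0">2</Packet-Type></Event>',
    # Accepted via a forwarding connection request policy: no network policy,
    # no Session-Timeout in the record.
    '<Event><User-Name data_type="1">CORP\\bob</User-Name>'
    '<Proxy-Policy-Name data_type="1">Microsoft Routing and Remote Access Service Policy</Proxy-Policy-Name>'
    '<Packet-Type data_type="0">2</Packet-Type></Event>',
    # Access-Request (type 1): not a decision record, skipped.
    '<Event><User-Name data_type="1">CORP\\bob</User-Name>'
    '<Packet-Type data_type="0">1</Packet-Type></Event>',
    # Truncated line, as seen when the log is still being written.
    '<Event><User-Name data_type="1">CORP\\carol</User-Name>',
]

def _text(event, tag):
    node = event.find(tag)
    return node.text if node is not None else None

def audit_accepts(lines):
    """Return one dict per Access-Accept record with the policies that matched."""
    records = []
    for line in lines:
        try:
            event = ET.fromstring(line.strip())
        except ET.ParseError:
            continue  # blank or incomplete record
        if _text(event, "Packet-Type") != ACCESS_ACCEPT:
            continue
        timeout = _text(event, "Session-Timeout")
        records.append({
            "user": _text(event, "User-Name"),
            "connection_request_policy": _text(event, "Proxy-Policy-Name"),
            "network_policy": _text(event, "NP-Policy-Name"),
            "session_timeout": int(timeout) if timeout and timeout.isdigit() else None,
        })
    return records

def missing_timeout(records):
    """Accepted sessions whose accounting record carries no Session-Timeout."""
    return [r for r in records if r["session_timeout"] is None]

if __name__ == "__main__":
    for r in missing_timeout(audit_accepts(SAMPLE_LOG)):
        print(r["user"], "accepted without Session-Timeout via", r["connection_request_policy"])
```

A record with a connection request policy but no network policy name and no Session-Timeout shows that the constraint never reached that session.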
  • In NPS under Network Policies I have a policy named VPN Access Policy that is tied to a domain group that users need to be a member of in order to gain access.  Under the constraints tab I have Session Timeout set to 600. It is the first policy in the list.

    When you say check NPS event log I am assuming you are talking about the logs from RRAS INI1705.log saved under windows/system32/etc.

    In this log I see all the connections.  I do not see any mention of my VPN Access Policy but I do see Microsoft Routing and Remote Access Service Policy listed. This policy is under "Connection Requests Policies" and there is no place on it to specify session timeout.

    I'll have to figure out how to test users without two-factor as the Microsoft Routing and Remote Access Service Policy is set to use DUO Proxy so I don't know how to get other users/groups not to use that policy.

    Monday, May 1, 2017 2:15 PM
  • Hi Bill Sp,

    Just checking whether you have made any progress with your issue. Feedback is welcome.

    If you need more professional help, you can open a case with MS:

    https://support.microsoft.com/en-us/gp/support-options-for-business

    Best Regards,

    Anne



    Tuesday, May 16, 2017 2:40 AM
    Moderator
  • Hi Bill Sp,

    Feedback is welcome if you have made any progress.

    Best Regards,

    Anne



    Wednesday, May 24, 2017 1:34 AM
    Moderator