Forum Discussion
Always On VPN Integration
Should VPN integration work with MS Always On VPN? I configured accounting on the RRAS servers to send events to the sensors on domain controllers but am not seeing anything in the timeline for VPN connections. It still says 0 accessed VPN locations.
5 Replies
Jason1330 If this accounting data is based on RFC 2866 (https://tools.ietf.org/html/rfc2866) as described in here Install Microsoft Defender for Identity VPN Integration | Microsoft Docs, it should technically work.
I tried a workaround by modifying the user-name attribute in NPS. It works for user accounts where the samAccountName matches the UPN prefix. But we have a few users where that does not match, usually due to very long names.
On the RRAS server open Network Policy Server. Under Policies/Connection Request Policies edit the policy that's used for your connections. On the Settings tab, under Attribute, set the attribute to User-Name and click Add. In the Find field enter the UPN suffix domain name @domain.com. In the replace field leave it blank.
With this in place users are still able to authenticate, and accounting now sends the user name as just the prefix, basically the SamAccountName instead of UPN, and the sensor agent is able to properly report it.
I can't leave it like this for now. It would be better if the sensor agent could properly handle UPNs.
That is the article I followed to configure this. I can see the traffic being received by the domain controller in Wireshark on UDP 1813.
Maybe the issue is related to using UDP for login, as mentioned in this post?
ATP and VPN integration: VPN login with UPN - Microsoft Tech Community
