Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Always On VPN Integration

Copper Contributor

Should VPN integration work with MS Always On VPN?  I configured accounting on the RRAS servers to send events to the sensors on domain controllers but am not seeing anything in the timeline for VPN connections.  It still says 0 accessed VPN locations.

5 Replies

@Jason1330 If this accounting data is based on RFC 2866 (https://tools.ietf.org/html/rfc2866) as described in here Install Microsoft Defender for Identity VPN Integration | Microsoft Docs, it should technically work.

@Or Tsemah 

That is the article I followed to configure this.  I can see the traffic being received by the domain controller in Wireshark on UDP 1813.

Maybe the issue is related to using UDP for login, as mentioned in this post?

ATP and VPN integration: VPN login with UPN - Microsoft Tech Community

 

@Or Tsemah 

I tried a workaround by modifying the user-name attribute in NPS.  It works for user accounts where the samAccountName matches the UPN prefix.  But we have a few users where that does not match, usually due to very long names.

 

On the RRAS server open Network Policy Server.  Under Policies/Connection Request Policies edit the policy that's used for your connections.  On the Settings tab, under Attribute, set the attribute to User-Name and click Add.  In the Find field enter the UPN suffix domain name @domain.com.  In the replace field leave it blank.

 

With this in place users are still able to authenticate, and accounting now sends the user name as just the prefix, basically the SamAccountName instead of UPN, and the sensor agent is able to properly report it.

 

I can't leave it like this for now.  It would be better if the sensor agent could properly handle UPNs.

best response confirmed by Jason1330 (Copper Contributor)
Solution

@Jason1330 Thanks for the feedback, we're incorporated it into our engineering plans

@Or Tsemah 

 

I was able to come up with a satisfactory user-name attribute regex filter so that only the part before the @domain.com is used, and it is limited to 20 characters.

 

Find:

([^@]{1,20})(?:.*)

 

Replace:

$1

 

This works perfectly in our environment, including users with very long names.

1 best response

Accepted Solutions
best response confirmed by Jason1330 (Copper Contributor)
Solution

@Jason1330 Thanks for the feedback, we're incorporated it into our engineering plans

View solution in original post