Jan 18 2021 09:16 AM
Should VPN integration work with MS Always On VPN? I configured accounting on the RRAS servers to send events to the sensors on domain controllers but am not seeing anything in the timeline for VPN connections. It still says 0 accessed VPN locations.
Jan 19 2021 04:29 AM
@Jason1330 If this accounting data is based on RFC 2866 (https://tools.ietf.org/html/rfc2866) as described in here Install Microsoft Defender for Identity VPN Integration | Microsoft Docs, it should technically work.
Jan 26 2021 08:58 AM
That is the article I followed to configure this. I can see the traffic being received by the domain controller in Wireshark on UDP 1813.
Maybe the issue is related to using UDP for login, as mentioned in this post?
ATP and VPN integration: VPN login with UPN - Microsoft Tech Community
Jan 26 2021 12:49 PM - edited Jan 26 2021 03:57 PM
I tried a workaround by modifying the user-name attribute in NPS. It works for user accounts where the samAccountName matches the UPN prefix. But we have a few users where that does not match, usually due to very long names.
On the RRAS server open Network Policy Server. Under Policies/Connection Request Policies edit the policy that's used for your connections. On the Settings tab, under Attribute, set the attribute to User-Name and click Add. In the Find field enter the UPN suffix domain name @domain.com. In the replace field leave it blank.
With this in place users are still able to authenticate, and accounting now sends the user name as just the prefix, basically the SamAccountName instead of UPN, and the sensor agent is able to properly report it.
I can't leave it like this for now. It would be better if the sensor agent could properly handle UPNs.
Jan 27 2021 05:18 AM
Solution@Jason1330 Thanks for the feedback, we're incorporated it into our engineering plans
Jan 27 2021 12:29 PM
I was able to come up with a satisfactory user-name attribute regex filter so that only the part before the @domain.com is used, and it is limited to 20 characters.
Find:
([^@]{1,20})(?:.*)
Replace:
$1
This works perfectly in our environment, including users with very long names.
Jan 27 2021 05:18 AM
Solution@Jason1330 Thanks for the feedback, we're incorporated it into our engineering plans