WORKS2011

DUO VPN Application for WIN10 and MAC

Is there a VPN application in DUO that works with WIN10 and MAC default VPN? 
Windows OS, Mac OS X, VPN


8/22/2022 - Mon
arnold

The Duo component resides on a server in proximity to the VPN server.
The VPN device will rely on NPS.

It does not require any changes on the client side.

Clarify your question.

What is the issue you are trying to resolve?
WORKS2011

ASKER
Arnold, thank you for the fast reply. Clients make a VPN connection, then RDP into their office computers. DUO 2FA is configured using RDP and prompts during computer access. The goal is to have them use 2FA during VPN and not while logging into their office computers.
Scott Silva

Then you follow the Duo setup instructions to make your VPN use the 2FA. It is similar, but different depending on what your VPN is running on, i.e. firewall, or Windows itself...
arnold

You have to tie DUO into the VPN.

What are your VPN vendors?
Deals with defining AAA
Two step authorize authenticate

Check DUO guide for the VPN hardware you have.
Deals with NPS/radius..
arnold

An example, reference if you have an ASA FW and VPN

https://duo.com/docs/cisco
WORKS2011

ASKER
Backend: SonicWall TZ400 firewall, using built in VPN solution, L2TP server to be more specific.
Frontend: default Microsoft (WIN10) and MACbook Pro devices built in VPN
VPN type: L2TP/IPsec, with pre-shared key

WORKS2011

ASKER
@arnold, does this mean the RADIUS server points to the SonicWall L2TP/ipsec server? 
WORKS2011

ASKER
Got the duo authenticator proxy running on the server, cfg issues.

Pointed it to the radius server on the Sonicwall now the question is Duo doesn't exactly support Sonicwall TZ series configuration, they have this article that gives enough direction but then duo support recommends if more instruction is needed to contact Sonicwall support. 

Would it be better to turn off the radius server on the Sonicwall and configure on the Microsoft 2016 standard server where the proxy server is installed?
arnold

Does the login auth against the LDAP on the windows server?

I.e. does your current auth aga iij inst an AD?

Try the suggestion they have first.

See if the following helps

https://duo.com/docs/radius
WORKS2011

ASKER
Does the login auth against the LDAP on the windows server? 
I configured LDAP on the server awhile back but ended up manually adding users. After adding the RADIUS application I didn't touch LDAP, only configured Duo RADIUS to connect to the SonicWall Radius server.

I.e. does your current auth aga iij inst an AD?
I have no idea what auth aga iij an AD. I'm thinking you meant to write auth against an AD. Only interaction installing RADIUS with AD is when we created a user account to run the service under. It had no problem contacting the local domain. However, I don't believe this has anything to do with LDAP, I could be wrong though.

Checked the .cfg file and we have [ad_client] which is pointing to AD and another entry for the Duo Authentication Proxy radius to connect to the Sonicwall radius server.

We also turned on debugging, and I'm going to look into whether any logs were created.
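
The `.cfg` layout discussed in the post above, with a small checker for the RADIUS path from the VPN device to the proxy. This is an added example, not part of the original thread and not Duo's own tooling; key names follow the Duo Authentication Proxy `authproxy.cfg` format, while every value in the sample and the helper name `audit_authproxy` are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample authproxy.cfg; hosts, keys and secrets are placeholders.
SAMPLE_CFG = """
[ad_client]
host=10.0.0.10
service_account_username=duosvc
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=local

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.1
radius_secret_1=PLACEHOLDER
client=ad_client
failmode=safe
"""

def audit_authproxy(cfg_text, vpn_ip):
    """Return findings for the path: VPN device -> proxy -> primary auth."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    servers = [s for s in cfg.sections() if s.startswith("radius_server_")]
    if not servers:
        return ["no [radius_server_*] section: proxy is not listening for the VPN device"]
    findings = []
    for name in servers:
        sec = cfg[name]
        # Primary authentication is delegated to the section named by client=.
        if sec.get("client") not in cfg.sections():
            findings.append(f"{name}: client= does not name a configured section")
        # The proxy only answers RADIUS clients listed as radius_ip_N / radius_secret_N.
        allowed = False
        for key, val in sec.items():
            if key.startswith("radius_ip_"):
                if not sec.get("radius_secret_" + key[len("radius_ip_"):]):
                    findings.append(f"{name}: {key} has no matching secret")
                try:
                    allowed |= ipaddress.ip_address(vpn_ip) in ipaddress.ip_network(val, strict=False)
                except ValueError:
                    pass  # ranges written as a-b are not parsed in this sketch
        if not allowed:
            findings.append(f"{name}: {vpn_ip} is not a permitted RADIUS client")
        if sec.get("failmode", "safe") == "safe":
            findings.append(f"{name}: failmode=safe admits users without 2FA if Duo is unreachable")
    return findings
```

Pass the firewall's LAN address as `vpn_ip`; an empty result means the proxy side is consistent, and the remaining work is on the VPN device's RADIUS settings.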

WORKS2011

ASKER
Duo Authenticator is not pulling from AD, I just tried to do a sync and it's not showing connected.

Does this mean that VPN users are bypassing the radius server? To me points back to the SonicWall radius configuration, which is really not clear on Duo's side.

May have the opportunity to work with a SonicWall tech this afternoon. I'm not sure where the local users on the SonicWall and Radius users are created. 
arnold

Let's try it another way.

Do users who connect via VPN use sonicwall local users?

You have one step authenticated user/password
The next step is to authorize which is when duo would kick-in?

Have a look at the link it might help.

You can have a mix of local and AD users.
ASKER CERTIFIED SOLUTION
arnold

WORKS2011

ASKER
Do users who connect via VPN use sonicwall local users?
yes

You have one step authenticated user/password.
The next step is to authorize which is when duo would kick-in 
this is where I'm uncertain. I see the option in the SonicWall but I haven't checked it because it's for radius accounting, which I believe is different than radius.
I looked at the link you sent last time and believe I have everything configured correctly. I'm looking into LDAP now seeing there may be an issue here.

You can have a mix of local and AD users.
I see the option in SonicWall Radius configuration to choose RADIUS + Local Users, is there an option in Duo I'm overlooking? 
WORKS2011

ASKER
This will then be a realm defined that will proxy the request to the AD NPS 
this may be the issue. Speaking with DUO support they claim that "often" NPS doesn't need to be configured and the RADIUS application, Duo Authentication Proxy, and SonicWall RADIUS server configured should work.

I've thought about installing NPS on the server but haven't deployed yet, my thinking less configuration if it's not needed. 
WORKS2011

ASKER
I now have directory sync working.

When I test the SonicWall RADIUS server it passes the user authentication test. DUO RADIUS and the SonicWall Radius server are talking to one another because it sends a 2FA to the mobile app. I'm testing using an account in AD. 

What's left now, when I make a VPN connection the link between the laptop device, using WIN10 default VPN configuration allows a VPN connection but doesn't send 2FA to the mobile app.   
arnold

You have to check whether your SonicWall has a two step.
Authenticate, authorize as two distinct requirements.

You need to split the behavior.
Commonly login credentials both authenticate and authorize. In your situation you auth first, then authorize.

See if this link has info that can get you further along.
It might be part of the reply items
WORKS2011

ASKER
I didn't have to configure NPS for this to work, instead, I configured the RADIUS component on the SonicWall to point to Active Directory. I installed the DUO RADIUS