Authorization failed message after receiving a DUO MFA prompt

Gregory Forster — Tue, 01 Aug 2023 19:21:33 GMT

Good Afternoon,

I have configured my Catalyst 2960L-16PS switch to use RADIUS. The RADIUS servers are the DUO AUTH-Proxies. When I try to log on to the switch I get the DUO MFA prompt to approve or decline, but as soon as I approve it gives me an "Authorization Failed" error and the putty window closes.

Is there something that needs to be configured on the DUO side in order for this to work?

I have included my switch config below.

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
service counters max age 10
!
hostname USNYC1-TESTSW01
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret 5 $1$oFqL$uMPm228c9FooLINHNiJkw0
!
username tptadmin privilege 15 secret 5 $1$HifD$e6CaqItzgcnp2zb2lCSR91
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS-GP
server name AuthProxy1
server name AuthProxy2
deadtime 15
!
aaa authentication login default group RADIUS-SERVERS-GP local
aaa authentication login AAA-AUTHEN-LIST group RADIUS-SERVERS-GP local-case
aaa authentication login LOCAL-ONLY local
aaa authentication login CONSOLE group RADIUS-SERVERS-GP local
aaa authentication enable default group RADIUS-SERVERS-GP enable line
aaa authorization console
aaa authorization exec default if-authenticated
aaa authorization exec CONSOLE local
aaa authorization exec AAA-AUTHOR-LIST group RADIUS-SERVERS-GP if-authenticated
aaa authorization network default group RADIUS-SERVERS-GP if-authenticated
aaa authorization network groupauthor local
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group RADIUS-SERVERS-GP
aaa accounting exec AAA-ACCT-LIST start-stop group RADIUS-SERVERS-GP
aaa accounting network default start-stop group RADIUS-SERVERS-GP
aaa accounting connection default start-stop group RADIUS-SERVERS-GP
aaa accounting system default start-stop group RADIUS-SERVERS-GP
!
aaa session-id common
!
!
no ip domain-lookup
ip domain-name tpnyc.local
ip name-server 10.x.x.x
ip name-server 10.x.x.x
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
description 'Uplink to Network'
switchport access vlan 102
switchport mode access
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface Vlan1
description 'DO NOT USE'
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan102
description 'Site-Mgmt'
ip address 10.x.x.x x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway 10.x.x.x
ip http server
ip http secure-server
!
ip radius source-interface Vlan102
!
!
!
!
radius server AuthProxy1
address ipv4 10.x.x.x auth-port 1812 acct-port 1813
timeout 4
retransmit 1
automate-tester username radiustest ignore-acct-port
key 7 11330A15403D02025730000F1D1B65283B354F370C46
!
radius server AuthProxy2
address ipv4 10.x.x.xauth-port 1812 acct-port 1813
timeout 4
retransmit 1
automate-tester username radiustest ignore-acct-port
key 7 012915140C240F01725665222C2D4718233E5D1E2634
!
!
line con 0
logging synchronous
login authentication LOCAL-ONLY
line vty 0 4
authorization exec CONSOLE
accounting exec AAA-ACCT-LIST
logging synchronous
login authentication AAA-AUTHEN-LIST
transport input ssh
line vty 5 15
authorization exec CONSOLE
accounting exec AAA-ACCT-LIST
logging synchronous
login authentication AAA-AUTHEN-LIST
transport input ssh
!
ntp logging
ntp authenticate
ntp source Vlan102
ntp server 10.32.51.50 prefer

Re: Authorization failed message after receiving a DUO MFA prompt

Jonatan Jonasson — Tue, 01 Aug 2023 22:25:14 GMT

Hi,

I'm guessing the issue is the following, assuming you're logging in via SSH.

Your vty config has:
authorization exec CONSOLE

And your aaa config has:
aaa authorization exec CONSOLE local

So once the authentication (via duo) is done, the switch tries to verify the access authorization to users configured locally on the switch.

So if you're using usernames that do not exist on the switch, you will fail the authorization.

You could either change the authorization CONSOLE to if-authenticated or depending on your authentication backend to authorize via RADIUS.

Re: Authorization failed message after receiving a DUO MFA prompt

Gregory Forster — Tue, 01 Aug 2023 22:33:53 GMT

Jonatan,

Thank you. I did not think of that. I will give that a try and let you know the results.

Re: Authorization failed message after receiving a DUO MFA prompt

Gregory Forster — Thu, 03 Aug 2023 12:26:52 GMT

Thank you Jonatan, I am able to authenticate, but now I am getting 'invalid user' when I try to access privilege mode. Any idea on why that is happening?

Re: Authorization failed message after receiving a DUO MFA prompt

Gregory Forster — Thu, 03 Aug 2023 12:58:26 GMT

Ok so I added privilege level 15 to line vty 0 4 and that worked, but I do not this this is the proper way to set this up using best practices.

Re: Authorization failed message after receiving a DUO MFA prompt

Gregory Forster — Thu, 03 Aug 2023 13:58:38 GMT

Also I discovered that none of the local accounts that are set up on the switch can log in. I get 'Invalid User' when I try to access the switch via console cable and a local user account.

Re: Authorization failed message after receiving a DUO MFA prompt

Gregory Forster — Thu, 03 Aug 2023 15:24:40 GMT

Jonatan,

Disregard my question here. It is self explanatory. I would not be able to login locally so long as the Radius servers are available.

topic Re: Authorization failed message after receiving a DUO MFA prompt in Network Security

Authorization failed message after receiving a DUO MFA prompt

Re: Authorization failed message after receiving a DUO MFA prompt

Re: Authorization failed message after receiving a DUO MFA prompt

Re: Authorization failed message after receiving a DUO MFA prompt

Re: Authorization failed message after receiving a DUO MFA prompt

Re: Authorization failed message after receiving a DUO MFA prompt

Re: Authorization failed message after receiving a DUO MFA prompt