Authorization failed message after receiving a DUO MFA prompt

Gregory Forster
Level 1

Good Afternoon,

I have configured my Catalyst 2960L-16PS switch to use RADIUS. The RADIUS servers are the DUO AUTH-Proxies. When I try to log on to the switch I get the DUO MFA prompt to approve or decline, but as soon as I approve it gives me an "Authorization Failed" error and the putty window closes.

Is there something that needs to be configured on the DUO side in order for this to work?

I have included my switch config below.

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
service counters max age 10
!
hostname USNYC1-TESTSW01
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret 5 $1$oFqL$uMPm228c9FooLINHNiJkw0
!
username tptadmin privilege 15 secret 5 $1$HifD$e6CaqItzgcnp2zb2lCSR91
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS-GP
server name AuthProxy1
server name AuthProxy2
deadtime 15
!
aaa authentication login default group RADIUS-SERVERS-GP local
aaa authentication login AAA-AUTHEN-LIST group RADIUS-SERVERS-GP local-case
aaa authentication login LOCAL-ONLY local
aaa authentication login CONSOLE group RADIUS-SERVERS-GP local
aaa authentication enable default group RADIUS-SERVERS-GP enable line
aaa authorization console
aaa authorization exec default if-authenticated
aaa authorization exec CONSOLE local
aaa authorization exec AAA-AUTHOR-LIST group RADIUS-SERVERS-GP if-authenticated
aaa authorization network default group RADIUS-SERVERS-GP if-authenticated
aaa authorization network groupauthor local
aaa accounting update newinfo periodic 2880
aaa accounting exec default start-stop group RADIUS-SERVERS-GP
aaa accounting exec AAA-ACCT-LIST start-stop group RADIUS-SERVERS-GP
aaa accounting network default start-stop group RADIUS-SERVERS-GP
aaa accounting connection default start-stop group RADIUS-SERVERS-GP
aaa accounting system default start-stop group RADIUS-SERVERS-GP
!
aaa session-id common
!
!
no ip domain-lookup
ip domain-name tpnyc.local
ip name-server 10.x.x.x
ip name-server 10.x.x.x
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
description 'Uplink to Network'
switchport access vlan 102
switchport mode access
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface Vlan1
description 'DO NOT USE'
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Vlan102
description 'Site-Mgmt'
ip address 10.x.x.x x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway 10.x.x.x
ip http server
ip http secure-server
!
ip radius source-interface Vlan102
!
!
!
!
radius server AuthProxy1
address ipv4 10.x.x.x auth-port 1812 acct-port 1813
timeout 4
retransmit 1
automate-tester username radiustest ignore-acct-port
key 7 11330A15403D02025730000F1D1B65283B354F370C46
!
radius server AuthProxy2
address ipv4 10.x.x.x auth-port 1812 acct-port 1813
timeout 4
retransmit 1
automate-tester username radiustest ignore-acct-port
key 7 012915140C240F01725665222C2D4718233E5D1E2634
!
!
line con 0
logging synchronous
login authentication LOCAL-ONLY
line vty 0 4
authorization exec CONSOLE
accounting exec AAA-ACCT-LIST
logging synchronous
login authentication AAA-AUTHEN-LIST
transport input ssh
line vty 5 15
authorization exec CONSOLE
accounting exec AAA-ACCT-LIST
logging synchronous
login authentication AAA-AUTHEN-LIST
transport input ssh
!
ntp logging
ntp authenticate
ntp source Vlan102
ntp server 10.32.51.50 prefer
6 Replies

Accepted Solution

Hi,

I'm guessing the issue is the following, assuming you're logging in via SSH.

Your vty config has:
authorization exec CONSOLE

And your aaa config has:
aaa authorization exec CONSOLE local

So once the authentication (via duo) is done, the switch tries to verify the access authorization to users configured locally on the switch.

So if you're using usernames that do not exist on the switch, you will fail the authorization.

You could either change the authorization CONSOLE to if-authenticated or depending on your authentication backend to authorize via RADIUS.

Jonatan,

Thank you. I did not think of that. I will give that a try and let you know the results.

Thank you Jonatan, I am able to authenticate, but now I am getting 'invalid user' when I try to access privilege mode. Any idea on why that is happening?

Ok so I added privilege level 15 to line vty 0 4 and that worked, but I do not think this is the proper way to set this up using best practices.

Also I discovered that none of the local accounts that are set up on the switch can log in. I get 'Invalid User' when I try to access the switch via console cable and a local user account.

Jonatan,

Disregard my question here. It is self explanatory. I would not be able to login locally so long as the Radius servers are available.
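The two things this thread turns on, Jonatan's point that the vty line's `authorization exec CONSOLE` list only consults the local user database, and the original poster's later observation that local accounts cannot log in while the RADIUS servers answer, both follow from how IOS walks an AAA method list: it moves to the next method only when the current one returns an error (no usable answer from the server), never when it returns a reject. The model below is an added example, not code from the thread, from Cisco or from Duo. It mirrors the method-list names from the posted config; the usernames, passwords and RADIUS server behaviour are constructed, and it simplifies exec authorization through RADIUS to "pass for any user the backend knows", which is not a statement about what the Duo Authentication Proxy returns.

```python
"""Toy model of Cisco IOS AAA method-list evaluation (added example).

Reproduces: (1) a Duo/RADIUS-authenticated user failing exec authorization
against a `local`-only list, (2) the same login succeeding once the list is
`if-authenticated`, and (3) a local account being rejected while RADIUS is
reachable but accepted once RADIUS times out.  All users/passwords and the
RADIUS behaviour are constructed for the demonstration.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RadiusGroup:
    """Stand-in for the AuthProxy RADIUS servers (constructed behaviour)."""
    users: dict                 # username -> password the backend accepts
    reachable: bool = True

    def login(self, user, password):
        if not self.reachable:
            return ERROR        # timeout: IOS tries the next method in the list
        return PASS if self.users.get(user) == password else FAIL

    def exec_authorization(self, user):
        if not self.reachable:
            return ERROR
        # Simplifying assumption: the backend grants exec access to users it knows.
        return PASS if user in self.users else FAIL


@dataclass
class Switch:
    local_users: dict                   # `username X ... secret Y` entries
    radius: RadiusGroup
    login_lists: dict = field(default_factory=dict)   # aaa authentication login
    exec_lists: dict = field(default_factory=dict)    # aaa authorization exec

    @staticmethod
    def _first_decision(verdicts):
        """IOS falls through a method list only on ERROR; PASS and FAIL are
        final.  If every method errors, access is denied."""
        for verdict in verdicts:
            if verdict != ERROR:
                return verdict
        return FAIL

    def authenticate(self, list_name, user, password):
        def run(method):
            if method in ("local", "local-case"):
                # unknown user or wrong password: FAIL (simplified)
                return PASS if self.local_users.get(user) == password else FAIL
            if method.startswith("group "):
                return self.radius.login(user, password)
            raise ValueError(f"unsupported method {method!r}")
        return self._first_decision(run(m) for m in self.login_lists[list_name])

    def authorize_exec(self, list_name, user, authenticated):
        def run(method):
            if method == "local":
                # exec authorization via `local` needs the user in the local DB
                return PASS if user in self.local_users else FAIL
            if method == "if-authenticated":
                return PASS if authenticated else FAIL
            if method.startswith("group "):
                return self.radius.exec_authorization(user)
            raise ValueError(f"unsupported method {method!r}")
        return self._first_decision(run(m) for m in self.exec_lists[list_name])

    def vty_session(self, login_list, exec_list, user, password):
        """One SSH login: `login authentication` then `authorization exec`."""
        if self.authenticate(login_list, user, password) != PASS:
            return "login failed"
        if self.authorize_exec(exec_list, user, authenticated=True) != PASS:
            return "Authorization failed"       # what the original poster saw
        return "exec shell"


def build_switch(reachable=True):
    """Mirror the relevant lines of the posted config.  List names come from
    the thread; the users and passwords are constructed."""
    radius = RadiusGroup(users={"duo.user": "duo-pw"}, reachable=reachable)
    return Switch(
        local_users={"tptadmin": "local-pw"},
        radius=radius,
        login_lists={"AAA-AUTHEN-LIST": ["group RADIUS-SERVERS-GP", "local-case"]},
        exec_lists={
            "CONSOLE": ["local"],                   # as posted: local users only
            "CONSOLE-FIXED": ["if-authenticated"],  # Jonatan's first suggestion
        },
    )


if __name__ == "__main__":
    sw = build_switch()
    print(sw.vty_session("AAA-AUTHEN-LIST", "CONSOLE", "duo.user", "duo-pw"))
    print(sw.vty_session("AAA-AUTHEN-LIST", "CONSOLE-FIXED", "duo.user", "duo-pw"))
    print(sw.vty_session("AAA-AUTHEN-LIST", "CONSOLE", "tptadmin", "local-pw"))
    print(build_switch(reachable=False)
          .vty_session("AAA-AUTHEN-LIST", "CONSOLE", "tptadmin", "local-pw"))
```

The third call is the case from the last reply: with the servers reachable, RADIUS rejects the local-only account and the switch never consults `local-case`, so the account is usable only after both RADIUS servers time out. Whether `if-authenticated` is acceptable in a given environment is a policy choice; it grants exec access to anyone the RADIUS backend accepted, so the privilege level then has to come from elsewhere (the thread's workaround of `privilege level 15` on the vty lines, or attributes from the backend).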
