Added secondary domain for failover but DUO prompts are failing

Jimmy786
Level 1

So, I added an additional Domain Controller as a backup; however, Duo does not work when the primary DC is down. I get the following error and am not sure what the cause is. I looked up the Duo website and it says the secret password could be wrong, which is not the case.

I see the following error:

[DuoForwardServer (UDP)] Sending request for user u'test' to ('192.168.1.2', 1812) with id 244
2023-07-17T21:19:34-0400 [RadiusClient (UDP)] dropping packet from 192.168.1.2:1812 - response packet has invalid authenticator

0400 [-] Request timeout for (outgoing) id 244 to ('192.168.1.2', 1812)
2023-07-17T21:19:42-0400 [-] (('10.1.2.1', 25580), 58): Error performing primary authentication: RADIUS auth request timed out
2023-07-17T21:19:42-0400 [-] (('10.1.2.1', 25580), 58): Returning response code 3: AccessReject
2023-07-17T21:19:42-0400 [-] (('10.1.2.1', 25580), 58): Sending response

The entries in the authproxy file are added as follows:

[radius_client]
host=192.168.1.1
host_2=192.168.1.2
secret=xxxxxxxxxxxxx
pass_through_all=true
;[ad_client]
;host=192.168.1.1
;host_2=192.168.1.2


3 Replies

DuoKristina
Cisco Employee

If you are using `radius_client`, then the two host entries need to be upstream RADIUS servers for primary authentication.

You mention domain controllers; are both of your domain controllers also running the NPS role to accept incoming RADIUS requests?

If so, did you try double-checking the secret configured in NPS for the Duo Authentication Proxy client on the .2 server to make sure that it is set to the same value as the secret configured for the Duo Authentication Proxy client on the .1 server?

What version of the Duo proxy are you running? There was a bug in the Authentication Proxy application where receiving multiple class attributes in the accept response from the upstream RADIUS server caused this error, but it was fixed in version 4.1.0.

If these suggestions don't help, please open a case with Duo Support. Additional troubleshooting may require you to send them information from your server which should not be posted in a public forum, like the full authproxy.log and authproxy.cfg and a packet capture of the RADIUS authentication attempt. 


Duo, not DUO.
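The "response packet has invalid authenticator" line in the log is the RADIUS client rejecting a reply whose Response Authenticator does not verify under the client's shared secret. The following is an added example, not code from the post, from Duo, or from the Authentication Proxy: it builds an Access-Accept the way a RADIUS server does (RFC 2865 section 3) and verifies it the way a client does, so you can see that a secret mismatch between the two upstream servers produces exactly this failure while the first server keeps working. All secrets, the Request Authenticator and the Class attribute value are constructed for the example; the `[radius_client]` section in the post has a single `secret=` that is used for both `host` and `host_2`, which is what the check below assumes.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; nothing here comes from the poster's
# environment (the real secret in the thread is redacted as xxxxxxxxxxxxx).
SECRET_ON_DOT1 = b"correct-shared-secret"   # assumed secret configured on the .1 NPS
SECRET_ON_DOT2 = b"different-secret"        # assumed mismatched secret on the .2 NPS
REQUEST_AUTHENTICATOR = bytes(range(16))    # 16-byte Request Authenticator the client sent

ACCESS_ACCEPT = 2
ATTR_CLASS = 25


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    MD5 is what the protocol mandates here; it is not a design choice of this example.
    """
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, attributes, request_auth, secret):
    """Assemble a server response using the secret configured on that server."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client-side check: recompute the Response Authenticator with the secret the
    client holds and compare it to the one carried in the packet.

    A False here is the condition the Authentication Proxy logs as
    'dropping packet ... response packet has invalid authenticator'.
    """
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Return (verified_from_dot1, verified_from_dot2) as seen by a client that has
    only SECRET_ON_DOT1 configured; id 244 matches the request id in the log."""
    attrs = attribute(ATTR_CLASS, b"constructed-class-value")
    from_dot1 = build_response(ACCESS_ACCEPT, 244, attrs, REQUEST_AUTHENTICATOR, SECRET_ON_DOT1)
    from_dot2 = build_response(ACCESS_ACCEPT, 244, attrs, REQUEST_AUTHENTICATOR, SECRET_ON_DOT2)
    return (
        verify_response(from_dot1, REQUEST_AUTHENTICATOR, SECRET_ON_DOT1),
        verify_response(from_dot2, REQUEST_AUTHENTICATOR, SECRET_ON_DOT1),
    )


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the authenticator covers the whole reply, any difference in the secret, in the attributes, or in the Request Authenticator the client remembers for that id produces the same drop; the client then waits for a reply that never verifies and the request times out, which is the sequence visible in the posted log.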

Hi DuoKristina
Find my answers below in bold and underlined text:
You mention domain controllers; are both of your domain controllers also running the NPS role to accept incoming RADIUS requests? YES
If so, did you try double-checking the secret configured in NPS for the Duo Authentication Proxy client on the .2 server to make sure that it is set to the same value as the secret configured for the Duo Authentication Proxy client on the .1 server? YES
What version of the Duo proxy are you running? There was a bug in the Authentication Proxy application where receiving multiple class attributes in the accept response from the upstream RADIUS server caused this error, but it was fixed in version 4.1.0. I am using version 4.2.01263

Seems like you'll benefit from contacting Duo support if you already verified those other items I mentioned.

Duo, not DUO.