Solved: NetExtender with admin bypass code

ChrisRoberts · ‎02-26-2024

Hello, I'm having a difficult time getting anything other than a Duo Mobile Push notification or placing the VPN user in bypass mode to work with NetExtender VPN. The VPN functions normally with the password field containing only a password, but when I try to use the option to control the Duo factor option (Duo Two-Factor Authentication with RADIUS and Primary Authentication | Duo Security - "Alternatively you may add a comma (",") to the end of your password and append a Duo factor option") I only get "Incorrect username or password." What I would prefer is to use [password],[bypass code] so that only a single-use bypass code is needed. The use case is to remotely join new computers to the domain, so creating a single-use bypass code is preferred to putting the user in bypass. Testing further with [password].phone and [password].[Yubikey code] do not work either. Is there a setting in the Auth Proxy that is required to allow this functionality?

Ken Stieers · ‎02-27-2024

Take a look a this https://duo.com/docs/authproxy-reference#server-sections
Specifically the section on RADIUS Auto.
Depending upon how your NetExtender is encrypting passwords, you may not be able to use
Pretty sure it has to be PAP... Also check your Delimiter, Allow_concat settings

Or if you're using Radius_Concat (which requires the comma and code), again, you have to use PAP.

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.

View solution in original post

Ken Stieers · ‎02-27-2024

Take a look a this https://duo.com/docs/authproxy-reference#server-sections
Specifically the section on RADIUS Auto.
Depending upon how your NetExtender is encrypting passwords, you may not be able to use
Pretty sure it has to be PAP... Also check your Delimiter, Allow_concat settings

Or if you're using Radius_Concat (which requires the comma and code), again, you have to use PAP.

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.