Hi @robertomcstabby ! Sorry you're having issues.
The Duo Authentication Proxy is intended to sit in-between the authenticating device (Palo Alto?) and your primary authentication server.
Before: Palo Alto ----> An LDAP/AD or RADIUS server
After: Palo Alto ------> Duo Authentication Proxy ------> An LDAP/AD or RADIUS server
What was your Palo Alto pointing to before for primary authentication? Whatever that was, you need to add a radius_client or ad_client section to your authproxy.cfg which points to the primary authentication source. You then configure the Palo Alto to point to the Authentication Proxy so that it sends authentication requests there.
Then when you log into the Palo Alto GP profile, the PA device forwards the request to your Duo proxy, which in turn forwards the username and password to the primary authentication source AD/LDAP or RADIUS, and then after that succeeds it contacts Duo for 2FA before returning success/allow back to the PA device.
Configuring the radius_client or ad_client part of the config is addressed by the steps in the "Configure the Proxy for Your Primary Authenticator" section of https://duo.com/docs/paloalto. When you say "the actual Radius config of that said radius server that should come with the auth proxy" I think you mean "configure how the Duo proxy listens for RADIUS requests from the Palo Alto", which is addressed in the steps in the "Configure the Proxy for Your Palo Alto GlobalProtect" section of that page.
Regarding the output from the connectivity tool: some RADIUS server types just flat-out don't support the Status-Server message. Like, Microsoft NPS doesn't, so when radius_client points to an NPS server that test always fails. If you do know that your upstream RADIUS server does support the Status-Server message though (I think FreeRADIUS does), it does indicate some connectivity problem.
"Also a tcpdump on both the palo and the auth proxy don't show any port 1812 traffic whatsoever" I'm assuming you take this capture WHILE you are attempting to log in at the Palo Alto device?
- If you see no outbound packet go from the Palo Alto to the Duo Authentication Proxy when you try to log in then there is something wrong with the config on your Palo device.
- If you see an outbound packet leave the Palo but it isn't received at the Duo proxy server, then you may have a networking or firewall issue between the two.
- If you see an outbound packet leave the Palo and it's received at the Duo proxy server, but there is no record of the incoming access request in the authproxy.log, then it could be the port issue you mentioned (that some other service is already using the port that you are trying to have the Duo Authentication Proxy use for inbound auth).
If you installed the Duo Authentication Proxy on the same server that is your primary RADIUS server (like, you installed it on a FreeRADIUS server), then your existing RADIUS server has likely already claimed port 1812 for its use and that is why the Duo Authentication Proxy would say it can't use 1812. That is the scenario where you would change the port used by the radius_server_nnn section to something else, like 18120, so that the Duo proxy listens for incoming RADIUS requests on a port other than 1812, and then can forward the primary authentication requests to the RADIUS server that is already listening on port 1812. You also need to update the Palo config to send the outbound RADIUS request on port 18120 instead of port 1812.
So, end-to-end if you have the Duo Authentication Proxy installed on the same server that is your primary RADIUS server and the primary RADIUS server listens on port 1812, the communication between all three can wind up being:
Palo Alto ---[RADIUS port 18120]---> Duo Authentication Proxy ---[RADIUS port 1812]---> RADIUS server on localhost
Hope that helps!
Duo, not DUO.
