
Duo Auth Proxy + HP Procurve Switches

samuraizero1
Level 1

Anyone having success with Duo 2FA + Radius authentication?

I can make it work on other utilities, but not HP switches. Duo support hasn’t been able to figure out why, either.

Anyone out there?

9 Replies

tfridlington
Level 1

I got it working on newer ones (Aruba branded). At first I tried Switch:RADIUS -> Auth-Proxy:LDAP -> AD, which didn’t work. The switch is looking for a RADIUS attribute to be returned. So I had to spin up an NPS server and go Switch:RADIUS -> Auth-Proxy:RADIUS -> NPS. Also had to set the “pass_through_all” switch to true in the Proxy Auth for both client and server sections of the config. Hope this helps!

Hey, yes

Helpful!
We’re using non-Aruba-branded switches, but it should be the same firmware.

Can you describe your setup a little more thoroughly?

I tried a number of configurations, and I was able to get the Duo prompt and everything, but it would deny on the last step and just not sign me into the switch.

If I’m understanding correctly your config looks like this

Switch points RADIUS to NPS -> your rules are set to authenticate on Auth Proxy? -> auth proxy rule accepts?

Sorry if that’s worded poorly, but I’ve tried a number of different combinations with no luck, so I would love to understand your setup better.

Thanks Tfridlington

Ah I see what you’re saying.

You went Switch -> Auth Prox
Auth Prox -> NPS

This was my setup originally as well - where the duo prompt comes, radius approves the request, but still get access denied.
This is with the pass through all set as well

Did you have pass_through_all in both server and client sections? Here is a snippet of my config

[radius_client]
host=xxx.xxx.xxx.xxx
host_2=xxx.xxx.xxx.xxx
secret=xxxxxxxxxxxxxx
pass_through_all=true

[radius_server_auto]
ikey=xxxxxxxxxxxxx
skey=xxxxxxxxxxxxxx
api_host=xxxxxxxxxxxxx
radius_ip_1=xxx.xxx.xxx.xxx
radius_secret_1=xxxxxxxxx
radius_ip_2=xxx.xxx.xxx.xxx
radius_secret_2=xxxxxxxxxxx
failmode=safe
client=radius_client
pass_through_all=true
port=1812

My config has changed so many times that I can’t remember if I had pass_through_all in both spots, but I’ll try it out again.

[radius_client]
host=xxx.xxx.xxx.xxx (Switch 1)
host_2=xxx.xxx.xxx.xxx (Switch 2)
secret=xxxxxxxxxxxxxx
pass_through_all=true

[radius_server_auto]
ikey=xxxxxxxxxxxxx Duo Key
skey=xxxxxxxxxxxxxx Duo Skey
api_host=xxxxxxxxxxxxx Duo API Host
radius_ip_1=xxx.xxx.xxx.xxx Radius Server IP
radius_secret_1=xxxxxxxxx Radius Secret
radius_ip_2=xxx.xxx.xxx.xxx Second radius Server IP
radius_secret_2=xxxxxxxxxxx Radius Secret
failmode=safe
client=radius_client
pass_through_all=true
port=1812

Am I understanding this correctly?

samuraizero1
Level 1

This is my sanitized config.
HP Switch points Radius at the duo auth server, duo auth hits radius for secondary authentication and filtering

[radius_client]
host=RADIUS.HOST.IP
secret=radiusecret
pass_through_all=True

[radius_server_auto]
ikey=myikey
skey=myskey
api_host=■■■■
radius_ip_1=SWITCH IP
radius_secret_1=radiussecret
failmode=safe
client=radius_client
pass_through_all=True
port=1812

This all seemingly works fine - Duo prompt comes in which I accept, the radius server gets a request which it approves, and then the switch throws “access denied”
It’s pretty frustrating!
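Every config posted in this thread is checked against the same two points: the server section has to reference a RADIUS client section (an LDAP/AD client cannot return RADIUS attributes, which is the dead end tfridlington hit), and pass_through_all has to be enabled in both the [radius_client] and the [radius_server_auto] section. The following script is an added example, not code from the thread or from Duo; it mirrors what the posters report works rather than Duo's documented defaults, and the sample config it parses is constructed here with placeholder hosts and secrets.

```python
import configparser

# Constructed sample in the same shape as the authproxy.cfg snippets in this
# thread. Every value is a placeholder, not a real host, key or secret.
SAMPLE_CFG = """
[radius_client]
host=192.0.2.10
secret=PLACEHOLDER_RADIUS_SECRET
pass_through_all=true

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.0.2.20
radius_secret_1=PLACEHOLDER_SWITCH_SECRET
failmode=safe
client=radius_client
pass_through_all=true
port=1812
"""


def load_cfg(text):
    """Parse authproxy.cfg-style INI text (no % interpolation: secrets may contain '%')."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_passthrough(text):
    """Return a list of findings; an empty list means the attribute pass-through chain is complete.

    Checks, per [radius_server_*] section: 'client' names an existing section,
    that section is a radius_client (only a RADIUS primary can return attributes),
    and pass_through_all is enabled on both the server and the client section.
    """
    cp = load_cfg(text)
    findings = []
    servers = [s for s in cp.sections() if s.startswith("radius_server_")]
    if not servers:
        findings.append("no [radius_server_*] section")
    for srv in servers:
        client = cp.get(srv, "client", fallback=None)
        if client is None or not cp.has_section(client):
            findings.append(f"{srv}: 'client' does not point at an existing section")
            continue
        if not client.startswith("radius_client"):
            findings.append(
                f"{srv}: client '{client}' is not a radius_client section, "
                "so no RADIUS attributes can be passed through"
            )
            continue
        for sec in (srv, client):
            # getboolean accepts true/True/yes/1, so both spellings seen in the thread pass
            if not cp.getboolean(sec, "pass_through_all", fallback=False):
                findings.append(f"{sec}: pass_through_all is not enabled")
    return findings


if __name__ == "__main__":
    for finding in check_passthrough(SAMPLE_CFG) or ["pass-through chain looks complete"]:
        print(finding)
```

Run it against a copy of your own authproxy.cfg (after sanitising it) to see which of the two sections is missing the flag before re-testing the switch login.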

Hey Man, I found this thread yesterday whilst setting up MFA for my ProCurve switches and found it useful. I got stuck at the same point and found I had to set the RADIUS attribute in Windows NPS as “Service-Type - Administrative”. This is done under the network policy’s settings tab. The switch then logs in like a beaut. I suspect you already worked this out, but in case anyone else out there is stuck you might find this useful!

jchaney
Level 1

Gonna give this a shot. I have Duo and I configured my ProCurve switch to authenticate using my RADIUS Duo proxy. But when I do, I don’t have admin permissions as a user. I can only use the diagnostic tool. What other steps do I need to perform to be able to be an admin (management user)?

Thanks
