Duo connectivity tool can't connect to DCs on port 1812

t-antony
Level 1

My domain is company.local, and I use admin@company.local to authenticate to RADIUS. The Duo proxy service is running on 10.0.0.17, and NPS on DCs 10.0.0.15 & 10.0.0.16, all on the default ports 1812 / 1813.

Recently we changed the UPN for users to .com, for example user.com, and since then, when I log in to the Aruba switch, I'm not getting the Duo prompt. On the Aruba switch I enter admin@company.local and the password; it's supposed to prompt for a Duo push, but it's not doing that now.

I'm not sure why this happens, since only the user UPN was changed from .local to .com, and I'm logging in with the same admin account as before, on .local.


15 Replies

t-antony
Level 1

This is the log file from connectivity tool.

DELETING LOG FILE

t-antony
Level 1

I verified on 10.0.0.15 & 10.0.0.16 that NPS is running on UDP 1812.

I also checked the config file on the RADIUS server 10.0.0.17, where the Duo Proxy server is installed, and it's set to port 1812 for both 10.0.0.15 & 10.0.0.16. I'm able to ping both NPS servers from the RADIUS server.

No other changes were made except adding .com to users only. The domain and admin account are still .local, as before.

t-antony
Level 1

RADIUS stopped working once the .com UPN was added to users, but the confusing part is that I'm using my admin account on .local as before, so it should be working. I also checked NPS and it's set to ports 1812 / 1813.

DuoKristina
Cisco Employee

>This may also happen if the upstream RADIUS Server does not support the Status-Server message

NPS in fact does not support the Status-Server message. So you can ignore that output from the connectivity tool; that particular test won't ever succeed against NPS.

Enable debug in your authproxy.cfg (add a [main] section at the top if it doesn't exist, and in that section add the line debug=true), cycle the Duo Authentication Proxy service, and try your auth again. After, check the debug-level output in authproxy.log to see what's happening to the login requests coming from your Aruba.

Duo, not DUO.

Thanks, I'll ignore that Status-Server message.

I did what you said, and I'm attaching the log file here. itsupport.admin is what I always used to log in to Aruba switches before we added the .com to users, but itsupport.admin was not changed. It was itsupport.admin@company.local before, and it still is now, since that account doesn't need to sync to Azure.

From the log file it looks like it's communicating from Aruba switch 10.0.0.4 on port 1812. 10.0.0.15 / 10.0.0.16 are the DCs where NPS is running. It looks like it's in a loop.

On the Duo admin page -> Applications we have LDAP Proxy and RADIUS.

The username normalization is set to Simple for LDAP Proxy and None for RADIUS, like it has always been.

t-antony
Level 1

I also double-checked the NPS settings, and they're all correctly pointing to the right ports, 1812 and 1813, and to the right AD security groups. Same as before.

t-antony
Level 1

I should mention that on server 10.0.0.17 we have Duo Authentication Proxy running, and, as of 2 weeks ago, also Azure AD.

Not sure if that would cause any issues.

t-antony
Level 1

We have RADIUS, LDAP Proxy and RDP applications in Duo. Only RDP works now, because we have Duo MFA installed on our workstations.

Just to make sure I understand how this works: do LDAP Proxy and RADIUS connect to the Duo cloud and back to authenticate? What about RDP? Does it communicate with the Duo cloud, or with the local Duo Proxy server, for authentication?

I suggest you delete the log file you posted, as it reveals information specific to your Duo customer account, and contact Duo Support.

Unless you configured your Duo RDP server install to use an installation of Duo Authentication Proxy as an HTTP proxy server, the Duo RDP application contacts Duo's cloud service directly.

I can tell from the log you posted though that your auth attempts aren't making it past your upstream RADIUS server. It looks like it keeps issuing a RADIUS AccessChallenge over and over without an AccessAccept. The log doesn't ever show an auth attempt making it past primary RADIUS auth against your own server to move on to the next step of contacting Duo's cloud service - you would see posts to our /preauth and /auth endpoints in the log if it had.

Duo, not DUO.

t-antony
Level 1

I deleted the log file.

Something else you could try before contacting Duo Support is this:

  1. Take a Wireshark capture at the Duo Authentication Proxy server while you reproduce the issue.
  2. Use Wireshark's ability to decode RADIUS packets (go into its preferences, find the RADIUS option under Protocols, and enter the shared secret for your NPS server to decode those packets).
  3. Look at the contents of the packets that are going to/from your NPS server and the Duo proxy to see what's happening during RADIUS primary authentication.

Maybe also look at the NPS logging for relevant events if you haven't already.

Duo, not DUO.

t-antony
Level 1

Thanks, I'll do a Wireshark capture. I noticed that I'm getting this in the Windows Event Viewer when I try to log in.

Eap method DLL path name validation failed. Error: typeId=254, authorId=311, vendorId=14122, vendorType=1

This is the log from Duo when I tried to log in, at the same time as the Event Viewer error above.

  • 10.0.0.166 is my computer
  • 10.0.0.3 is the switch
  • 10.0.0.17 is the RADIUS server, where Duo Proxy is installed
  • The 2 DCs where NPS runs are 10.0.0.15 & 10.0.0.16. I expect them to be here, but I don't see them.

"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,11,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,3,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",22,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
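As an added example, not part of the thread and not Duo's or Microsoft's own tooling, here is a small Python decoder for the four NPS records quoted above. It assumes the column order, Packet-Type, Authentication-Type and Reason-Code values that Microsoft documents for the NPS "IAS format" log (only a subset of reason codes is mapped), and shows what the records say once decoded: which authentication type NPS applied under the matched policy, and how the exchange ends.

```python
import csv
from io import StringIO

# Column positions in NPS "IAS format" logs (0-based here; Microsoft documents them 1-based).
FIELDS = {4: "packet_type", 5: "user", 6: "fqdn", 8: "calling_station_id",
          11: "nas_identifier", 12: "nas_ip", 15: "client_ip", 16: "client_name",
          23: "auth_type", 24: "policy", 25: "reason"}
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 11: "Access-Challenge"}
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 7: "None", 11: "PEAP"}
# Subset of Microsoft's documented NPS reason codes; unknown codes are left numeric.
REASON = {0: "success", 16: "user credential mismatch",
          22: "EAP type cannot be processed by the server",
          48: "no matching network policy",
          66: "auth method not enabled on the matching network policy"}


def parse_ias_line(line):
    """Return a dict of the named columns of one IAS-format record, with codes decoded."""
    cols = next(csv.reader(StringIO(line)))
    rec = {name: cols[i] for i, name in FIELDS.items() if i < len(cols)}
    rec["packet_type"] = PACKET_TYPE.get(int(rec["packet_type"]), rec["packet_type"])
    rec["auth_type"] = AUTH_TYPE.get(int(rec["auth_type"]), rec["auth_type"]) if rec["auth_type"] else ""
    rec["reason"] = REASON.get(int(rec["reason"]), rec["reason"]) if rec["reason"] else ""
    return rec


def summarize_exchange(log_text):
    """Walk the records in order and report how NPS handled the attempt."""
    recs = [parse_ias_line(line) for line in log_text.strip().splitlines()]
    steps = [(r["packet_type"], r["auth_type"], r["policy"], r["reason"]) for r in recs]
    accepted = any(r["packet_type"] == "Access-Accept" for r in recs)
    return {"steps": steps, "accepted": accepted, "final": steps[-1]}


# Sample input: the four records quoted in the post above, copied verbatim
# (raw string so the backslash in company\admin survives).
SAMPLE = r'''
"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,11,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 1",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,1,"admin","company\admin",,"10.0.0.166",,,"Ridge-Core-48","10.0.0.3",,0,"10.0.0.17","REI-Util01",,,5,,,7,5,"SwitchRadiusAuth",0,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,184549376,,,,,"SwitchAdminAuthCRP",1,,,,
"REI-DC01","IAS",05/26/2024,18:57:16,3,,"company\admin",,,,,,,,0,"10.0.0.17","REI-Util01",,,,,,,5,"SwitchRadiusAuth",22,"311 1 10.0.0.15 05/26/2024 22:33:05 2",,,,"",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"SwitchAdminAuthCRP",1,,,,
'''

if __name__ == "__main__":
    result = summarize_exchange(SAMPLE)
    for step in result["steps"]:
        print(step)   # Request/Challenge/Request/Reject, all under EAP and SwitchRadiusAuth
    print("accepted:", result["accepted"])
```

The decoded client_ip column (10.0.0.17) is the Duo proxy, which is why the DCs themselves never appear as a client: NPS logs who sent it the request, not itself.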

t-antony
Level 1

I entered ip.addr == 10.0.0.17 in Wireshark, and entered the secret key in the RADIUS preferences.

When I log in to the switch, I see nothing in Wireshark.

I checked the NPS logs, and they're the same as I posted before.
