cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
502
Views
0
Helpful
1
Replies

Duo Proxy Fails During Challenge

Jer1
Level 1
Level 1

I’m trying to set up Duo Security Authentication Proxy with the CyberArk application. This worked previously in April. But trying this again, I am getting odd behavior. It’s like the preauthentication works, and I get challenged for push, call, or SMS. When I select an option, I get an authentication failure. In the logs of the proxy it’s as if the challenge response is being treated as an entirely new authentication.

2018-09-13T11:27:42-0400 [-] DuoForwardServer starting on 1812
2018-09-13T11:27:42-0400 [-] Starting protocol <duoauthproxy.lib.forward_serv.DuoForwardServer object at 0x032E6410>
2018-09-13T11:27:42-0400 [-] AD Client Module Configuration:
2018-09-13T11:27:42-0400 [-] {'host': '10.0.1.50',
	 'search_dn': 'DC=CyberArkdemo,DC=com',
	 'service_account_password': '*****',
	 'service_account_username': 'mike'}
2018-09-13T11:27:42-0400 [-] RADIUS Challenge Server Module Configuration:
2018-09-13T11:27:42-0400 [-] {'■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■',
	 'client': 'ad_client',
	 'failmode': 'safe',
	 'ikey': '■■■■■■■■■■■■■■■■■■■■',
	 'port': '1812',
	 'radius_ip_1': '10.0.1.10',
	 'radius_secret_1': '*****',
	 'skey': '*****[40]'}
2018-09-13T11:27:42-0400 [-] Duo Security Authentication Proxy 2.9.0 - Init Complete
;;;;;;;;;;;; INITIAL Authentication
2018-09-13T11:28:09-0400 [DuoForwardServer (UDP)] Sending request from 10.0.1.10 to radius_server_challenge
2018-09-13T11:28:09-0400 [DuoForwardServer (UDP)] Received new request id 27 from ('10.0.1.10', 52505)
2018-09-13T11:28:09-0400 [DuoForwardServer (UDP)] (('10.0.1.10', 52505), 27): login attempt for username u'len'
2018-09-13T11:28:09-0400 [DuoForwardServer (UDP)] Sending AD authentication request for 'len' to '10.0.1.50'
2018-09-13T11:28:09-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x0337C790>
2018-09-13T11:28:09-0400 [_ADAuthClientProtocol,client] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth
2018-09-13T11:28:09-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
2018-09-13T11:28:09-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x0337C790>
2018-09-13T11:28:10-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('10.0.1.10', 52505), 27): Duo preauth returned 'auth'
2018-09-13T11:28:10-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('10.0.1.10', 52505), 27): Sending authentication challenge packet
2018-09-13T11:28:10-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('10.0.1.10', 52505), 27): Returning response code 11: AccessChallenge
2018-09-13T11:28:10-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('10.0.1.10', 52505), 27): Sending response
2018-09-13T11:28:10-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
;;;;;;;;;;;; SENDING CHALLENGE RESPONSE
2018-09-13T11:28:14-0400 [DuoForwardServer (UDP)] Sending request from 10.0.1.10 to radius_server_challenge
2018-09-13T11:28:14-0400 [DuoForwardServer (UDP)] Received new request id 244 from ('10.0.1.10', 52506)
2018-09-13T11:28:14-0400 [DuoForwardServer (UDP)] (('10.0.1.10', 52506), 244): login attempt for username u'len'
2018-09-13T11:28:14-0400 [DuoForwardServer (UDP)] Sending AD authentication request for 'len' to '10.0.1.50'
2018-09-13T11:28:14-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033C4730>
2018-09-13T11:28:14-0400 [_ADAuthClientProtocol,client] LDAP Authentication Failed: 'invalidCredentials: 8009030C: LdapErr: DSID-0C0904F8, comment: AcceptSecurityContext error, data 52e, v2580\x00'
2018-09-13T11:28:14-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 52506), 244): Primary credentials rejected - User Authentication Failed
2018-09-13T11:28:14-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 52506), 244): Sending access reject packet
2018-09-13T11:28:14-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 52506), 244): Returning response code 3: AccessReject
2018-09-13T11:28:14-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 52506), 244): Sending response
2018-09-13T11:28:14-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033C4730>
;;;;;;;;;;; ATTEMPT TO USE PASSWORD,SMS format
2018-09-13T11:37:07-0400 [DuoForwardServer (UDP)] Sending request from 10.0.1.10 to radius_server_challenge
2018-09-13T11:37:07-0400 [DuoForwardServer (UDP)] Received new request id 213 from ('10.0.1.10', 56389)
2018-09-13T11:37:07-0400 [DuoForwardServer (UDP)] (('10.0.1.10', 56389), 213): login attempt for username u'len'
2018-09-13T11:37:07-0400 [DuoForwardServer (UDP)] Sending AD authentication request for 'len' to '10.0.1.50'
2018-09-13T11:37:07-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033C4330>
2018-09-13T11:37:07-0400 [_ADAuthClientProtocol,client] LDAP Authentication Failed: 'invalidCredentials: 8009030C: LdapErr: DSID-0C0904F8, comment: AcceptSecurityContext error, data 52e, v2580\x00'
2018-09-13T11:37:07-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 56389), 213): Primary credentials rejected - User Authentication Failed
2018-09-13T11:37:07-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 56389), 213): Sending access reject packet
2018-09-13T11:37:07-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 56389), 213): Returning response code 3: AccessReject
2018-09-13T11:37:07-0400 [_ADAuthClientProtocol,client] (('10.0.1.10', 56389), 213): Sending response
2018-09-13T11:37:07-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033C4330>

I recreated the cyberark-radius secret file, though communication between cyberark and the radius server seems to be ok. AD/LDAP bind seems to be working fine, but I reset those credentials as well. I verified "Len"s credentials are correct.

Basically, why is the Duo Proxy treating the challenge response as an entirely new authentication, and/or why isn’t the Duo Proxy parsing the password,method format correctly? (note: password,token behaves the same way).

Thanks for your time.

1 Reply 1

mkorovesisduo
Level 4
Level 4

Hi Jer, please contact Duo Support for help with your issue.

Quick Links