06-19-2018 12:08 PM
Hi all
I am trying to set up a Duo proxy to add 2FA to our RRAS server.
So I installed the Duo proxy on a fresh 2016 server, configured the conf file and set up AD sync. It synced a newly created group just fine. I also enrolled my user.
On the RRAS server I switched to RADIUS authentication, added the IP address and the shared secret of the Duo server.
When I try to connect to the VPN it prompts for username/password. I tried “domain\user” and “password,push”, but no matter what I do, I am just getting a timeout.
So I opened a netstat -a on the Duo server to search for incoming connections, but there is nothing.
I tried a telnet to port 1812 on the Duo server but no answer.
Any ideas? Thanks in advance!
Cheers
Uwe
here is my config (I XXXXX’ed some parts…)
[cloud]
ikey=DI----------------DO
skey=12e1fv-------------------------z4ToiE
api_host=■■■■
[ad_client]
; The hostname or IP address of your domain controller
host=10.1.111.5
host_2=10.1.111.4
host_3=10.1.111.1
service_account_username=svc2fa
service_account_password=xxxxxxxxxx
search_dn=DC=xxxxxxxxx,DC=local
[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxxx
■■■■
api_host=■■■■
radius_ip_1=10.0.1.15
radius_secret_1=DuoSecurityIsTheKey
failmode=safe
client=ad_client
port=1812
08-04-2020 07:52 AM
Hey @Jason_Waits, I wonder if you’ve run into a bug we identified with the Duo Authentication Proxy as a RADIUS client with NPS (unrelated to the issue raised by the original poster or the Status-Server message question).
Did you happen to take a packet capture of the traffic between the v4 Duo proxy and NPS when the FortiGate auths failed? There is a bug in the recent releases (with a planned fix) where if the RADIUS accept from the upstream server (NPS in this case) contained multiple Class attributes with different values, the Duo proxy incorrectly dropped the packet with the “invalid authenticator” message.
08-04-2020 09:00 AM
Hi @DuoKristina,
That does sound like my exact issue. I didn’t take a packet capture, but looking at the logs I had saved, I found this:
2020-06-17T17:49:42-0700 [RadiusClient (UDP)] dropping packet from x.x.x.x:1812 - response packet has invalid authenticator
Glad to know there’s a fix in the works.
Thanks,
Jason
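The “response packet has invalid authenticator” log line in Jason’s reply refers to the RFC 2865 Response Authenticator check that a RADIUS client performs on every Access-Accept. As an added illustration that is not part of the thread or of Duo’s code, the following Python builds an Access-Accept carrying two Class attributes with different values (the reply shape discussed above) and verifies it the way a correct client should; the shared secret and Request Authenticator are constructed placeholders.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute type numbers from RFC 2865
ACCESS_ACCEPT = 2
ATTR_CLASS = 25

def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Build a complete RADIUS response with a correct Response Authenticator."""
    body = build_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def verify_response(packet, request_auth, secret):
    """Return True if the packet's Response Authenticator verifies.
    The MD5 covers every attribute byte, so repeated Class attributes with
    differing values verify exactly like any other attribute list."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not from the thread): the shared secret and the
# 16-byte Request Authenticator the proxy would have sent in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

# An Access-Accept carrying two Class attributes with different values, the
# reply shape the thread describes NPS returning.
SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, 7,
    [(ATTR_CLASS, b"group=vpn-users"), (ATTR_CLASS, b"policy=duo-2fa")],
    REQUEST_AUTH, SECRET,
)
```

Calling verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET) returns True, while a wrong secret or a single flipped byte returns False; a client that rejects the valid packet is mishandling its attribute bytes rather than detecting tampering.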