02-18-2022 02:27 AM
Hi there,
I have an implementation of VPN (RADIUS auth) utilizing DUO proxy. It works fine except when, for example, the client is having wifi connectivity issues (low signal, automatic change of wifi network, etc.) and the VPN therefore reconnects. At that point, since it has no sense of having DUO due to the RADIUS protocol, DUO push notifications can be annoying and/or counterproductive, and I fully understand why it behaves like this (technically).
Now, since this is happening, in some cases more than others, I would like to know whether anyone has had similar issues and how they resolved it, or is there any half-elegant way of resolving it?
Many thanks
02-18-2022 11:36 AM
Does your VPN have any concept of a stored auth that dampens repeated login requests? For example, Palo Alto GlobalProtect has an auth cookie that minimizes repeated OTP.
ETA: the solutions I am aware of originate at the authenticating device.
02-21-2022 04:00 AM
I have no idea, but I will take a look (Barracuda CloudGen firewall). Thanks
02-18-2022 12:57 PM
Any user with unstable internet is likely going to have an annoying experience, but I don’t think there’s any great solution to this if you’re stuck with RADIUS. If your VPN provider supports SAML, migrating to SSO for VPN login is a more elegant way to handle auth. This also lets you take advantage of all other Duo features like passwordless, device health, trusted devices, etc. I’m demoing this right now on some test FortiGate units.
02-21-2022 04:04 AM
Yes, that is true. I was just thinking that somebody had a similar experience and managed to overcome it in some weird way. I am assuming that the FortiGate you are demoing is an SSL VPN solution, because this one (Barracuda CloudGen firewall) is a traditional VPN client and/or solution. Thanks