08-03-2024 08:19 AM
Hello all, I am working on implementing DUO for one of our divisions. DUO Proxy Manager is set up and verified to work, as we get push notifications upon logging in. We are able to approve the request and gain access through AnyConnect. However, we do not have access to anything internal or external, cannot ping DNS, etc. All of this is working on the previous AAA server profile, but when moving to the DUO AAA server it does not. Nothing else is changing besides that authentication server profile. I do not see why this would be the case since everything else is staying the same, and I am unsure what to try next.
08-03-2024 08:44 AM
Can I see the webvpn config and tunnel group?
Thanks
MHM
08-03-2024 10:31 AM
I know it may complicate things, but I had to omit a lot of the names and web addresses due to our security policies and such. Not sure if this was everything you were looking for, but I included two configs: one with the current AAA server and the second with the AAA changed for DUO. I am working on airport-related configurations.
WORKING CONFIG
webvpn
anyconnect profiles value Airport_VPN type user
dynamic-access-policy-record _Dial_In_Users
priority 100
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Local_Users
priority 97
username XXXX password XXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group AAA_Sinkhole
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group AAA_Sinkhole
tunnel-group XX-Users type remote-access
tunnel-group XX-Users general-attributes
authentication-server-group VPN-RADIUS-XX
default-group-policy XX_Default
tunnel-group XX-Users webvpn-attributes
group-alias XX-Users disable
group-url https://XXXX enable
tunnel-group DT-CISCODUO type remote-access
tunnel-group DT-CISCODUO general-attributes
address-pool DTVPN_Access
authentication-server-group DUO-RADIUS
default-group-policy DT-CISCODUO
tunnel-group DT-CISCODUO webvpn-attributes
group-alias DT-DUO enable
group-alias DT-DUOTEST enable
tunnel-group Airport-Users type remote-access
tunnel-group Airport-Users general-attributes
authentication-server-group VPN-RADIUS-AIRPORT
default-group-policy Airport_Default
tunnel-group Airport-Users webvpn-attributes
group-alias Airport disable
group-url XXXX enable
tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
authentication-server-group VPN-RADIUS
default-group-policy XXXXX_Default
tunnel-group XXXX webvpn-attributes
group-alias "XXXX" disable
group-alias XXXX disable
group-url /XXXX enable
!
NOT WORKING CONFIG
webvpn
anyconnect profiles value Airport_VPN type user
dynamic-access-policy-record _Dial_In_Users
priority 100
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Local_Users
priority 97
username XXXX password XXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
authentication-server-group AAA_Sinkhole
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group AAA_Sinkhole
tunnel-group XX-Users type remote-access
tunnel-group XX-Users general-attributes
authentication-server-group VPN-RADIUS-XX
default-group-policy XX_Default
tunnel-group XX-Users webvpn-attributes
group-alias XX-Users disable
group-url XXXX enable
tunnel-group DT-CISCODUO type remote-access
tunnel-group DT-CISCODUO general-attributes
address-pool DTVPN_Access
authentication-server-group DUO-RADIUS
default-group-policy DT-CISCODUO
tunnel-group DT-CISCODUO webvpn-attributes
group-alias DT-DUO enable
group-alias DT-DUOTEST enable
tunnel-group Airport-Users type remote-access
tunnel-group Airport-Users general-attributes
authentication-server-group VPN-Airport-DUO
default-group-policy Airport_Default
tunnel-group Airport-Users webvpn-attributes
group-alias Airport disable
group-url XXXX enable
tunnel-group XXXX type remote-access
tunnel-group XXXX general-attributes
authentication-server-group VPN-RADIUS
default-group-policy XX_Default
tunnel-group XXXX webvpn-attributes
group-alias "XXXX" disable
group-alias XXXX disable
group-url XXXX enable
!
08-03-2024 02:47 PM
Welcome Duo
The ASA or FTD sends to RADIUS for primary authc.
When you try to use AnyConnect, please share the debug below:
1- debug radius all
2- debug aaa comm 128
MHM
08-03-2024 05:38 PM
I don't get any output from debug while connected.
08-03-2024 06:03 PM - edited 08-03-2024 11:54 PM
thanks
MHM
08-03-2024 06:30 PM
I am unable to ping. The DUO server can ping the ASA. I do know that the DUO server lives at a separate site behind a Palo that is handled by a different team. Is there anything I should ask them to check?
I don't fully get what would cause the client to have internet access with the existing AAA but not when moved to the DUO AAA. The authentication is the only variable that is changing.
08-04-2024 12:14 AM
I think you need the ASA to connect directly to RADIUS like the old config did.
Try using the old RADIUS server and debug radius all.
See if the ASA connects directly to RADIUS, or connects to DUO and DUO proxies the request to RADIUS.
MHM
08-03-2024 02:28 PM
More than likely, your previous RADIUS server was sending back a RADIUS attribute for either a DACL or a group policy, and DUO is not doing that. You may want to look into that, as it may now be giving you the default group policy, which may have restricted access.
Please post your group policy config as well.
Which tunnel group are you using?
get this output to see which group policy was assigned:
show vpn-sessiondb detail anyconnect filter name <username>
08-03-2024 05:38 PM
08-03-2024 08:55 PM
The problem is very clear: the group policy for the existing RADIUS vs. the Duo RADIUS is different.
Most likely because the original RADIUS was sending the group policy value in the RADIUS Class attribute, whereas by default the Duo proxy (it is a proxy) does not send attributes received from the upstream RADIUS server.
That all depends on what you are using to look up the user from the Duo Auth Proxy. If it uses RADIUS to AD using NPS etc., then you can enable pass_through_all=true in your authproxy config file and it should pass the same Class attribute.
this link explains that scenario.
https://finkotek.com/cisco-anyconnect-with-ise-and-duo-mfa/
If you are not using RADIUS to authenticate the user from the Auth Proxy to AD, then you could use LDAP authorization and an attribute map:
https://docs.calebsargeant.com/en/latest/computing/cloud/duo.html
You may also be able to use the original RADIUS server for authorization only using "authorization-server-group <original server>" and "authorization-required".
Good luck
**Please rate this and mark as solution/answer/helpful, if this resolved your issue or is helpful**
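Added example, not part of the thread: an ASA configuration for the LDAP-authorization option described in the answer above, where Duo stays the RADIUS authentication server but the group policy is taken from AD group membership, so it no longer matters that the Auth Proxy drops the Class attribute. The hostnames, IP addresses, DNs, shared secrets, the AD group name, and the target group policy Airport_Internal are assumptions; the tunnel group and server names mirror the posted config.

```text
! Added example (not from the thread). ASA 9.x CLI; every address, DN,
! secret and the Airport_Internal policy name are assumed values.
!
! 1) Duo Authentication Proxy as the RADIUS authentication server.
!    Duo recommends a 60 s timeout so the push has time to be approved
!    before the ASA gives up on the request.
aaa-server VPN-Airport-DUO protocol radius
aaa-server VPN-Airport-DUO (inside) host 10.10.10.20
 key DuoRadiusSharedSecret
 timeout 60
 authentication-port 1812
 accounting-port 1813
!
! 2) Map AD group membership to an ASA group policy. memberOf is the AD
!    attribute; Group-Policy is the ASA-side attribute it is mapped onto.
ldap attribute-map AD-Group-To-Policy
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Airport,OU=Groups,DC=example,DC=com" Airport_Internal
!
! 3) LDAP server used only for authorization (no password check here).
aaa-server AD-LDAP-AUTHZ protocol ldap
aaa-server AD-LDAP-AUTHZ (inside) host 10.10.10.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password ServiceAccountPassword
 server-type microsoft
 ldap-attribute-map AD-Group-To-Policy
!
! 4) Tunnel group: authenticate against Duo, authorize against AD.
!    authorization-required rejects users the LDAP lookup cannot find;
!    users found but not matching the map still fall back to the
!    default-group-policy, so keep that policy restrictive on purpose.
tunnel-group Airport-Users general-attributes
 authentication-server-group VPN-Airport-DUO
 authorization-server-group AD-LDAP-AUTHZ
 authorization-required
 default-group-policy Airport_Default
!
! Verify which group policy a session actually received:
! show vpn-sessiondb detail anyconnect filter name <username>
```

If the Auth Proxy is later switched to a [radius_client] section pointing at NPS, the RADIUS path from the answer applies instead: set pass_through_all=true under [radius_client] in authproxy.cfg so the Class attribute NPS returns (formatted as OU=<group-policy-name>) reaches the ASA, and the LDAP authorization block is not needed. In either case, confirm the result with the show vpn-sessiondb line rather than by testing reachability alone.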
08-07-2024 11:22 AM
Thank you for this information. This is supposed to work just like you said with RADIUS and NPS; however, it was not set up that way when I was handed the project.
I cannot believe I overlooked the group policy not being issued correctly. I was unable to issue that command: the person who configured the Proxy Manager configured it as [ad_client], not [radius_client], before that person was let go out of nowhere. I am going to work on changing that to the correct client, set up NPS if it is not already, and see how it goes.
08-07-2024 02:36 PM
If you don't want to change to RADIUS, then do LDAP authorization as I mentioned in the 2nd link.
**Please rate this and mark as solution/answer/helpful, if this resolved your issue or is helpful**