Beginner

Wireless Client Authentication through Duo

We are trying to authenticate wireless clients through Forescout to Duo then RADIUS but keep getting the Duo push.  Once we enter username/password on the device and get the Duo push it requests username/password again before we can accept the push.  When Duo is not in the mix we can authenticate to our RADIUS server correctly. I have changed advanced EAP timers and retries with no luck.  Any help is much appreciated.

 

Current signal flow is Client>AP>WLC5520>Forescout>Duo>freeRADIUS

 

Our 2.4 GHz band (high channel utilization): M2 could be hitting the radio after the timeout expires.

[*04/18/2019 15:18:24.288401] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAP_PACKET.Request : Id 0x0c Other
[*04/18/2019 15:18:24.290632] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] < wifi1> [U:W] EAP_PACKET.Response : Id 0x0c Other
[*04/18/2019 15:18:24.290665] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [U:E] EAP_PACKET.Response : Id 0x0c Other
[*04/18/2019 15:18:24.773019] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAP_PACKET.Success : Id 0x0c
[*04/18/2019 15:18:24.773060] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [D:E] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a
[*04/18/2019 15:18:24.773109] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a
[*04/18/2019 15:18:24.777417] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] < wifi1> [U:W] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a
[*04/18/2019 15:18:24.777454] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [U:E] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a
[*04/18/2019 15:18:29.777473] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [U:W] DOT11_DEAUTHENTICATION : (.)

After enabling the TEST SSID on the 5 GHz band we get a different error and an "Access Reject" on Forescout:

*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Not sending the radius request as it is disabled for the WLAN.
*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Error Response code for AAA Authentication : -7
*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx [Error] Client requested no retries for mobile xx:xx:xx:xx:xx:xx
*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Returning AAA Error 'No Server' (-7) for mobile xx:xx:xx:xx:xx:xx serverIdx 0
*aaaQueueReader: Apr 18 10:58:29.934: RadiusIndexSet(0), Index(0)
*aaaQueueReader: Apr 18 10:58:29.934: structureSize................................136
*aaaQueueReader: Apr 18 10:58:29.934: protocolUsed.................................0xffffffff
*aaaQueueReader: Apr 18 10:58:29.934: proxyState...................................xx:xx:xx:xx:xx:xx-14:00
*aaaQueueReader: Apr 18 10:58:29.934: Packet contains 0 AVPs:
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Processing AAA Error 'No Server' (-7) for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Global PMK Cache deletion failed.
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Succesfully freed AID 1, slot 1 on AP 78:72:5d:fc:5e:e0, #client on this slot 0
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.935: xx:xx:xx:xx:xx:xx Sent Deauthenticate to mobile on BSSID 78:72:5d:fc:5e:ed slot 1(caller 1x_auth_pae.c:1985)
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.935: xx:xx:xx:xx:xx:xx Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
*aaaQueueReader: Apr 18 10:58:29.935: xx:xx:xx:xx:xx:xx Doing AAA Cleanup for mobile (in AAA: 52)f3:9a:a4:bd:c6:00
*apfOpenDtlSocket: Apr 18 10:58:30.043: xx:xx:xx:xx:xx:xx Received management frame REASSOCIATION REQUEST on BSSID 78:72:5d:fc:5e:ed destination addr 78:72:5d:fc:5e:ed

VIP Advisor

Re: Wireless Client Authentication through Duo

I haven't got the answer.

 

I always thought that using MFA with 802.1X Wi-Fi would be problematic.  For example, I would expect the user would need to re-authenticate every time they roamed between APs.  And if you have someone in a fringe area dropping off and on, they would need to keep authenticating.

 

I'll be watching your thread to see how it goes.

Hall of Fame Master

Re: Wireless Client Authentication through Duo

I agree with Phillip.  You have too many different auth types, and I can see where something might not pass from one type of auth to another.  You should work with Duo support and see what they have to say.

-Scott
*** Please rate helpful posts ***
Beginner

Re: Wireless Client Authentication through Duo

Duo is configured with Cisco's recommended settings.  Now that they own Duo it is supposed to integrate a little more seamlessly.

Hall of Fame Master

Re: Wireless Client Authentication through Duo

You should open a TAC case and verify it works with your setup. 
-Scott
Beginner

Re: Wireless Client Authentication through Duo

After some pcaps we noticed the second MIC was failing.  Removed Duo and started using a different cert-based authentication and everything came up.
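The AP trace in the original post, together with the final reply's finding that the second MIC was failing, can be checked mechanically rather than by eye. The script below is an added example (not from the thread, Cisco, Duo or Forescout): it decodes the EAPOL-Key KeyInfo field seen above (0x008a, 0x010a) using the IEEE 802.11 bit layout, names each 4-way handshake message, and reports a station that is deauthenticated after sending M2 without ever receiving M3, which is the pattern in the trace. The trace line format it parses and the constructed SAMPLE_LOG (the post's own lines from EAP Success onward, station MAC anonymised) are assumptions for the example.

```python
"""Decode EAPOL-Key KeyInfo values and flag a 4-way handshake that stalls after M2
in a Cisco AP client trace.  Added example for this thread, not Cisco, Duo or
Forescout code; assumes the line format pasted in the original post."""
import re
from datetime import datetime

# Constructed sample: the AP trace from the original post, station MAC anonymised.
SAMPLE_LOG = """\
[*04/18/2019 15:18:24.773019] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAP_PACKET.Success : Id 0x0c
[*04/18/2019 15:18:24.773060] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [D:E] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a
[*04/18/2019 15:18:24.773109] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a
[*04/18/2019 15:18:24.777417] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] < wifi1> [U:W] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a
[*04/18/2019 15:18:24.777454] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [U:E] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a
[*04/18/2019 15:18:29.777473] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [U:W] DOT11_DEAUTHENTICATION : (.)
"""

# '[*timestamp] [AP] [station] <iface> [dir:media] EVENT : detail'
LINE_RE = re.compile(
    r"^\[\*(?P<ts>[^\]]+)\] \[(?P<ap>[^\]]+)\] \[(?P<sta>[^\]]+)\] "
    r"<\s*(?P<iface>[^>]+)> \[(?P<dir>[UD]):(?P<media>[WE])\] "
    r"(?P<event>\S+)(?: : (?P<detail>.*))?$"
)

# IEEE 802.11 EAPOL-Key "Key Information" field: bits 0-2 descriptor version, rest flags.
KEY_INFO_FLAGS = {
    "pairwise": 1 << 3, "install": 1 << 6, "ack": 1 << 7, "mic": 1 << 8,
    "secure": 1 << 9, "error": 1 << 10, "request": 1 << 11, "encrypted": 1 << 12,
}
DESCRIPTOR_VERSIONS = {1: "HMAC-MD5 MIC / RC4", 2: "HMAC-SHA1-128 MIC / AES key wrap",
                       3: "AES-128-CMAC MIC / AES key wrap"}


def decode_key_info(key_info):
    """Split a 16-bit KeyInfo value into descriptor version and boolean flags."""
    fields = {name: bool(key_info & bit) for name, bit in KEY_INFO_FLAGS.items()}
    fields["version"] = key_info & 0x7
    fields["version_name"] = DESCRIPTOR_VERSIONS.get(fields["version"], "reserved")
    return fields


def classify_message(key_info):
    """Name the 4-way handshake message a KeyInfo value belongs to (M1..M4)."""
    f = decode_key_info(key_info)
    if not f["pairwise"]:
        return "group-key"
    if f["ack"] and not f["mic"]:
        return "M1"                            # authenticator -> client, ANonce
    if f["ack"] and f["mic"] and f["install"]:
        return "M3"                            # authenticator -> client, GTK + MIC
    if f["mic"] and not f["ack"]:
        return "M4" if f["secure"] else "M2"   # client -> authenticator, MIC over KCK
    return "unknown"


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                            # not a line in the assumed trace format
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
    km = re.search(r"KeyInfo 0x([0-9a-fA-F]+)", rec["detail"] or "")
    rec["key_info"] = int(km.group(1), 16) if km else None
    return rec


def analyse_handshake(log_text):
    """Per station: handshake messages seen over the air in order, whether M4 arrived,
    and, if a deauthentication came first, the last message before it and the gap."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # wired0 copies are the AP relaying the same frame to/from the WLC: skip them
        if rec is None or rec["media"] != "W":
            continue
        st = results.setdefault(rec["sta"], {"messages": [], "complete": False,
                                             "deauth_after": None, "gap_s": None})
        if rec["event"].startswith("EAPOL_KEY") and rec["key_info"] is not None:
            name = classify_message(rec["key_info"])
            st["messages"].append((name, rec["time"]))
            if name == "M4":
                st["complete"] = True
        elif rec["event"] == "DOT11_DEAUTHENTICATION" and not st["complete"] and st["messages"]:
            last_name, last_time = st["messages"][-1]
            st["deauth_after"] = last_name
            st["gap_s"] = (rec["time"] - last_time).total_seconds()
    return results


def explain(station):
    if station["complete"]:
        return "4-way handshake completed"
    if station["deauth_after"] == "M2":
        # The authenticator (the WLC here; the AP only relays) silently discards an M2
        # whose MIC does not verify, never sends M3, and deauthenticates the client when
        # the EAPOL-Key timeout expires.  The MIC is keyed by the KCK, derived from the
        # PMK, so client and authenticator holding different PMKs is the usual cause.
        return (f"stalled after M2: no M3, deauth {station['gap_s']:.1f}s later "
                "(M2 MIC rejected: PMK/PTK mismatch between client and authenticator)")
    return "no completed 4-way handshake observed"


if __name__ == "__main__":
    print({s: explain(r) for s, r in analyse_handshake(SAMPLE_LOG).items()})
```

On the sample above the station is reported as stalled after M2 with the deauthentication 5.0 s later, which is the gap visible in the trace. The filter on media W matters in a split-MAC deployment like the 5520: the AP logs every EAPOL frame twice (radio side and wired side toward the WLC), so counting both would make M1 and M2 look retransmitted when they were not.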
