Beginner

Wireless Client Authentication through Duo

We are trying to authenticate wireless clients through Forescout to Duo then RADIUS but keep getting the Duo push.  Once we enter username/password on the device and get the Duo push it requests username/password again before we can accept the push.  When Duo is not in the mix we can authenticate to our RADIUS server correctly. I have changed advanced EAP timers and retries with no luck.  Any help is much appreciated.
Current signal flow is Client>AP>WLC5520>Forescout>Duo>freeRADIUS
Our 2.4 GHz band (high channel utilization) M2 could be hitting on the radio after the time on the timeout expires

[*04/18/2019 15:18:24.288401] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAP_PACKET.Request : Id 0x0c Other
[*04/18/2019 15:18:24.290632] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] < wifi1> [U:W] EAP_PACKET.Response : Id 0x0c Other
[*04/18/2019 15:18:24.290665] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [U:E] EAP_PACKET.Response : Id 0x0c Other
[*04/18/2019 15:18:24.773019] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAP_PACKET.Success : Id 0x0c
[*04/18/2019 15:18:24.773060] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [D:E] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a
[*04/18/2019 15:18:24.773109] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a
[*04/18/2019 15:18:24.777417] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] < wifi1> [U:W] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a
[*04/18/2019 15:18:24.777454] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <wired0> [U:E] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a
[*04/18/2019 15:18:29.777473] [AP7872.5DFB.93F2] [xx:xx:xx:xx:xx:xx] <apr1v0> [U:W] DOT11_DEAUTHENTICATION : (.)

After enabling the TEST SSID on the 5 GHz band we get a different error and an "Access Reject" on Forescout

*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Not sending the radius request as it is disabled for the WLAN.
*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Error Response code for AAA Authentication : -7
*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx [Error] Client requested no retries for mobile xx:xx:xx:xx:xx:xx
*aaaQueueReader: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Returning AAA Error 'No Server' (-7) for mobile xx:xx:xx:xx:xx:xx serverIdx 0
*aaaQueueReader: Apr 18 10:58:29.934: RadiusIndexSet(0), Index(0)
*aaaQueueReader: Apr 18 10:58:29.934: structureSize................................136
*aaaQueueReader: Apr 18 10:58:29.934: protocolUsed.................................0xffffffff
*aaaQueueReader: Apr 18 10:58:29.934: proxyState...................................xx:xx:xx:xx:xx:xx-14:00
*aaaQueueReader: Apr 18 10:58:29.934: Packet contains 0 AVPs:

*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Processing AAA Error 'No Server' (-7) for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Global PMK Cache deletion failed.
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.934: xx:xx:xx:xx:xx:xx Succesfully freed AID 1, slot 1 on AP 78:72:5d:fc:5e:e0, #client on this slot 0
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.935: xx:xx:xx:xx:xx:xx Sent Deauthenticate to mobile on BSSID 78:72:5d:fc:5e:ed slot 1(caller 1x_auth_pae.c:1985)
*Dot1x_NW_MsgTask_6: Apr 18 10:58:29.935: xx:xx:xx:xx:xx:xx Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
*aaaQueueReader: Apr 18 10:58:29.935: xx:xx:xx:xx:xx:xx Doing AAA Cleanup for mobile (in AAA: 52)f3:9a:a4:bd:c6:00
*apfOpenDtlSocket: Apr 18 10:58:30.043: xx:xx:xx:xx:xx:xx Received management frame REASSOCIATION REQUEST on BSSID 78:72:5d:fc:5e:ed destination addr 78:72:5d:fc:5e:ed
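As an added example (not code from the thread or from any of the vendors named in it), a small Python parser for the AP-side trace format above: it decodes the EAPOL-Key KeyInfo flags (M1 = ACK, M2 = MIC) and reports where a client's 4-way handshake stalled before the deauthentication. The sample trace is constructed to mirror the post, with a placeholder AP name and client MAC; the KeyInfo bit values are the standard IEEE 802.11 ones and are not taken from the page.

```python
import re
from datetime import datetime

# AP-side trace format seen above: [*MM/DD/YYYY HH:MM:SS.ffffff] [AP-name] [client-mac] <iface> [dir] EVENT : detail
LINE_RE = re.compile(
    r"\[?\*(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\] \[(?P<ap>[^\]]+)\] "
    r"\[(?P<mac>[^\]]+)\] <\s*(?P<iface>\w+)> \[(?P<dir>[UD]:[WE])\] "
    r"(?P<event>[\w.]+)(?: : (?P<detail>.*))?$")

# EAPOL-Key Key Information flag bits (IEEE 802.11); standard values, assumed here, not from the page.
KEYINFO_BITS = {"PAIRWISE": 0x0008, "INSTALL": 0x0040, "ACK": 0x0080, "MIC": 0x0100,
                "SECURE": 0x0200, "ENCRYPTED_KEY_DATA": 0x1000}

# Constructed sample mirroring the thread's trace (placeholder AP name and client MAC).
SAMPLE_TRACE = [
    "[*04/18/2019 15:18:24.773019] [APxxxx.xxxx.xxxx] [xx:xx:xx:xx:xx:xx] <apr1v0> [D:W] EAP_PACKET.Success : Id 0x0c",
    "[*04/18/2019 15:18:24.773060] [APxxxx.xxxx.xxxx] [xx:xx:xx:xx:xx:xx] <wired0> [D:E] EAPOL_KEY.M1 : DescType 0x02 KeyInfo 0x008a",
    "[*04/18/2019 15:18:24.777417] [APxxxx.xxxx.xxxx] [xx:xx:xx:xx:xx:xx] < wifi1> [U:W] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a",
    "[*04/18/2019 15:18:24.777454] [APxxxx.xxxx.xxxx] [xx:xx:xx:xx:xx:xx] <wired0> [U:E] EAPOL_KEY.M2 : DescType 0x02 KeyInfo 0x010a",
    "[*04/18/2019 15:18:29.777473] [APxxxx.xxxx.xxxx] [xx:xx:xx:xx:xx:xx] <apr1v0> [U:W] DOT11_DEAUTHENTICATION : (.)",
]

def keyinfo_flags(keyinfo):
    """Flag names set in a KeyInfo value: M1 carries ACK, M2 carries MIC, M3 ACK+MIC+INSTALL."""
    return {name for name, bit in KEYINFO_BITS.items() if keyinfo & bit}

def parse_line(line):
    """Parse one trace line; returns None for lines in another format (e.g. WLC debug output)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S.%f")
    ki = re.search(r"KeyInfo 0x([0-9a-fA-F]+)", rec["detail"] or "")
    rec["keyinfo"] = int(ki.group(1), 16) if ki else None
    return rec

def diagnose(lines):
    """Report how far one client's 4-way handshake got; gap_s is M2 -> deauth in seconds."""
    first = {}  # first timestamp per event (the AP logs each frame on the radio and wired side)
    for rec in filter(None, map(parse_line, lines)):
        first.setdefault(rec["event"], rec["ts"])
    if "EAPOL_KEY.M4" in first:
        return {"stage": "handshake complete", "gap_s": None}
    if "EAPOL_KEY.M2" in first and "EAPOL_KEY.M3" not in first:
        # M2 reached the authenticator but no M3 came back: M2 was not accepted (MIC check failed
        # or the reply timed out), so the client was deauthenticated instead of receiving M3.
        end = first.get("DOT11_DEAUTHENTICATION")
        gap = (end - first["EAPOL_KEY.M2"]).total_seconds() if end else None
        return {"stage": "stalled after M2", "gap_s": gap}
    return {"stage": "no 4-way handshake seen", "gap_s": None}
```

On the sample trace this reports "stalled after M2" with a 5-second gap, which is the pattern the later reply attributes to the second MIC failing.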

VIP Advisor

Re: Wireless Client Authentication through Duo

I haven't got the answer.
I always thought that using MFA with 802.1X Wi-Fi would be problematic. For example, I would expect the user would need to re-authenticate every time they roamed between APs. And if you have someone in a fringe area dropping off and on, they would need to keep authenticating.
I'll be watching your thread to see how it goes.

Hall of Fame Master

Re: Wireless Client Authentication through Duo

I agree with Phillip. You have too many different auth types, and I can see where something might not pass from one type of auth to another. You should work with Duo support and see what they have to say.

-Scott
*** Please rate helpful posts ***
Beginner

Re: Wireless Client Authentication through Duo

Duo is configured with Cisco's recommended settings. Now that they own Duo, it is supposed to integrate a little more seamlessly.

Hall of Fame Master

Re: Wireless Client Authentication through Duo

You should open a TAC case and verify it works with your setup.
-Scott
*** Please rate helpful posts ***
Beginner

Re: Wireless Client Authentication through Duo

After some pcaps we noticed the second MIC was failing. We removed Duo and started using a different cert-based authentication, and everything came up.
