Duo Radius Proxy for Meraki Client VPN

Wendel99
Beginner

So, I’ve been trying to get this working for a bit here and am having some issues.
I’ve thoroughly confused myself. It seems that the easiest way to set this up is to use
[ad_client] and [radius_server_auto].
I’ve pointed my Meraki client VPN to the IP address of the Duo proxy, and my configuration is as follows:

[ad_client]
; IP of our only AD server
host=192.168.2.10
service_account_username=duuser
service_account_password=password
search_dn=cn=Users,dc=cps,dc=local

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxx
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
; IP of our Meraki
radius_ip_1=192.168.2.1
radius_secret_1=supersekret
client=ad_client
port=1812
failmode=safe

Unfortunately I’m not able to log in. I get the following in my logs:

2018-03-17T16:27:26-0400 [-] Duo Security Authentication Proxy 2.7.0 - Init Complete
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Packet dump - received from 192.168.2.1:
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] "\x01c\x00Og\xfeJ[8\xc1'\xcf\xc0\x01\x89\x0f\xdc\x14\\U\x06\x06\x00\x00\x00\x02\x07\x06\x00\x00\x00\x01\x01\x06mark\x02\x12\xdaB5\xe1\x97 \xfc\x0f\x07W\xbb&\x9fM`>\x1f\x0bCLIENTVPN\x04\x06\x06\xe2[P\x05\x06\x00\x00\x00\x01"
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Sending request from 192.168.2.1 to radius_server_auto
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Received new request id 99 from ('192.168.2.1', 57851)
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] (('192.168.2.1', 57851), 99): login attempt for username u'mark'
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Sending AD authentication request for 'mark' to '192.168.2.10'
2018-03-17T16:27:35-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033514D0>
2018-03-17T16:27:35-0400 [Uninitialized] C->S LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='<ROOT>', auth='*****', sasl=True))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=1L, value=LDAPBindResponse(resultCode=14L, serverSaslCreds=LDAPBindResponse_serverSaslCreds(value='NTLMSSP\x00\x02\x00\x00\x00\x06\x00\x06\x008\x00\x00\x00\x05\x82\x89\x02K[OZ\xbf\x93\xfa\x9b\x00\x00\x00\x00\x00\x00\x00\x00~\x00~\x00>\x00\x00\x00\n\x0098\x00\x00\x00\x0fC\x00P\x00S\x00\x02\x00\x06\x00C\x00P\x00S\x00\x01\x00\x0e\x00C\x00P\x00S\x00D\x00A\x00T\x00A\x00\x04\x00\x12\x00c\x00p\x00s\x00.\x00l\x00o\x00c\x00a\x00l\x00\x03\x00"\x00C\x00P\x00S\x00D\x00a\x00t\x00a\x00.\x00c\x00p\x00s\x00.\x00l\x00o\x00c\x00a\x00l\x00\x05\x00\x12\x00c\x00p\x00s\x00.\x00l\x00o\x00c\x00a\x00l\x00\x07\x00\x08\x00\x19K\xdab.\xbe\xd3\x01\x00\x00\x00\x00')))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=2, value=LDAPBindRequest(version=3, dn='<ROOT>', auth='*****', sasl=True))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=2L, value=LDAPBindResponse(resultCode=0L, serverSaslCreds=LDAPBindResponse_serverSaslCreds(value='')))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=3, value=LDAPSearchRequest(baseObject='cn=Users,dc=cps,dc=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='user')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectCategory'), assertionValue=LDAPAssertionValue(value='person'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='inetOrgPerson')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='organizationalPerson'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='sAMAccountName'), assertionValue=LDAPAssertionValue(value=u'mark'))]), attributes=('sAMAccountName', 'msDS-PrincipalName')))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=3L, value=LDAPSearchResultDone(resultCode=0L))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=4, value=LDAPUnbindRequest())
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] (('192.168.2.1', 57851), 99): Primary credentials rejected - Invalid User
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] (('192.168.2.1', 57851), 99): Returning response code 3: AccessReject
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] (('192.168.2.1', 57851), 99): Sending response
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] Packet dump - sent to 192.168.2.1:
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] '\x03c\x00"\x14\'\xfb\x1c\xa5\xec\xc6R\xdd\xc3\x9eN\x98\x19\xc1\x12\x12\x0eInvalid User'
2018-03-17T16:27:36-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033514D0>

Thanks in advance.

Mark

Accepted Solution
DuoKristina
Cisco Employee

Hi there Mark!

Your log shows that after the initial LDAP bind to your domain controller, the Duo server issues a search for a user/person, inetOrgPerson, or organizationalPerson (those are all LDAP object classes and categories) with the sAMAccountName or MsDS-PrincipalName (which is domain\user) = mark, in the cn=Users,dc=cps,dc=local container. The search returns no results.

There are a few possible reasons for this:

  1. “mark” is not the sAMAccountName.
  2. “mark” is not in the Users container, but is in a different OU (set the base DN to dc=cps,dc=local)
  3. Mark is not a user/person LDAP object.

Can you check the LDAP attributes of the “mark” user?

Duo, not DUO.

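The three causes in the answer above can be told apart by re-running the proxy's own lookup with a wider base. The script below is an added example, not code from the thread, from Duo or from Meraki. It copies the LDAP filter from the LDAPSearchRequest line in the log (note that the filter tests sAMAccountName; msDS-PrincipalName is only among the attributes the proxy asks to have returned) and evaluates it against a constructed in-memory directory for cps.local, so it runs offline; the entries, OU names and the jane/vpnusers accounts are assumptions for illustration. `diagnose()` returns which of the answer's three causes applies, and `ldapsearch_command()` builds the equivalent OpenLDAP query to run against the real domain controller.

```python
"""Reproduce the Duo Authentication Proxy's AD user lookup offline.

Added example, not code from the thread or from Duo. The LDAP filter is the one
in the LDAPSearchRequest line of the log; the directory is constructed sample data.
"""

PERSON_CAT = "CN=Person,CN=Schema,CN=Configuration,DC=cps,DC=local"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample directory (assumption: cps.local laid out like this).
DIRECTORY = {
    "CN=duuser,CN=Users,DC=cps,DC=local": {
        "objectClass": USER_CLASSES, "objectCategory": PERSON_CAT,
        "sAMAccountName": "duuser", "msDS-PrincipalName": "CPS\\duuser"},
    # The VPN user lives in an OU, not in the default Users container.
    "CN=mark,OU=Staff,DC=cps,DC=local": {
        "objectClass": USER_CLASSES, "objectCategory": PERSON_CAT,
        "sAMAccountName": "mark", "msDS-PrincipalName": "CPS\\mark"},
    # CN and logon name differ: logging in as "jane" never matches.
    "CN=jane,OU=Staff,DC=cps,DC=local": {
        "objectClass": USER_CLASSES, "objectCategory": PERSON_CAT,
        "sAMAccountName": "jdoe"},
    # A group has a sAMAccountName too, but it is not a person object.
    "CN=vpnusers,CN=Users,DC=cps,DC=local": {
        "objectClass": ["top", "group"],
        "objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=cps,DC=local",
        "sAMAccountName": "vpnusers"},
}


def _norm_dn(dn):
    """DN comparison in AD is case-insensitive; strip spaces around RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _values(entry, attr):
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


def _first_rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def in_subtree(dn, base_dn):
    """scope=2 (wholeSubtree): the base itself or anything beneath it."""
    dn, base_dn = _norm_dn(dn), _norm_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def is_person_object(entry):
    """Class part of the proxy's filter:
    (|(&(objectClass=user)(objectCategory=person))
      (objectClass=inetOrgPerson)(objectClass=organizationalPerson))
    AD resolves objectCategory=person to the schema DN, so compare its CN."""
    classes = {c.lower() for c in _values(entry, "objectClass")}
    category = [_first_rdn_value(c).lower() for c in _values(entry, "objectCategory")]
    return (("user" in classes and "person" in category)
            or "inetorgperson" in classes or "organizationalperson" in classes)


def search(directory, base_dn, username):
    """DNs the proxy's search would return for this username under base_dn."""
    return [dn for dn, entry in directory.items()
            if in_subtree(dn, base_dn) and is_person_object(entry)
            and any(v.lower() == username.lower()
                    for v in _values(entry, "sAMAccountName"))]


def domain_root(base_dn):
    """Keep only the dc= components, e.g. cn=Users,dc=cps,dc=local -> dc=cps,dc=local."""
    parts = [p.strip() for p in base_dn.split(",")]
    return ",".join(p for p in parts if p.lower().startswith("dc="))


def diagnose(directory, base_dn, username):
    """Map an empty result to the three causes listed in the accepted answer."""
    if search(directory, base_dn, username):
        return "found"
    if search(directory, domain_root(base_dn), username):
        return "outside_search_dn"           # cause 2: widen search_dn
    for entry in directory.values():
        if any(v.lower() == username.lower() for v in _values(entry, "sAMAccountName")):
            return "not_a_person_object"     # cause 3: right name, wrong object class
    if any(_first_rdn_value(dn).lower() == username.lower() for dn in directory):
        return "samaccountname_differs"      # cause 1: CN matches, logon name does not
    return "no_such_account"


def ldapsearch_command(host, bind_user, base_dn, username):
    """Equivalent OpenLDAP query against the real DC (-W prompts for the password)."""
    flt = ("(&(|(&(objectClass=user)(objectCategory=person))"
           "(objectClass=inetOrgPerson)(objectClass=organizationalPerson))"
           f"(sAMAccountName={username}))")
    return (f"ldapsearch -x -H ldap://{host} -D '{bind_user}' -W -b '{base_dn}' "
            f"'{flt}' sAMAccountName msDS-PrincipalName")


if __name__ == "__main__":
    for base in ("cn=Users,dc=cps,dc=local", "dc=cps,dc=local"):
        print(base, "->", search(DIRECTORY, base, "mark") or "no results")
    for user in ("mark", "jane", "vpnusers", "duuser"):
        print(user, diagnose(DIRECTORY, "cn=Users,dc=cps,dc=local", user))
    print(ldapsearch_command("192.168.2.10", "duuser@cps.local", "dc=cps,dc=local", "mark"))
```

If the query succeeds only with the domain root as base, set search_dn=dc=cps,dc=local in [ad_client], as the answer suggests. Two things in the posted config are worth a second look while editing it: failmode=safe allows the primary (AD) authentication to pass without the Duo second factor when the Duo cloud service is unreachable, which is the documented fail-open behaviour, and the bind in the log is NTLM over plain LDAP, so consider an LDAPS or STARTTLS transport to the domain controller if the proxy and DC are not on a trusted segment.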

