A RADIUS message with the Code field set to 12

#1

Hi,

I’m trying to use Duo in combination with Fortigate SSLVPN.
I’ve configured duoauthproxy.cfg with Radius Client, Server & cloud:

[cloud]
ikey=■■■■
■■■■
api_host=aaaaa
service_account_username=aaaa
service_account_password=aaaaa

[radius_server_auto]
ikey=integrationkeylikeondashboard
skey=sameasondashboard
api_host=■■■■
failmode=safe
radius_ip_1=192.168.60.254
radius_secret_1=secretbetween■■■■e
client=radius_client
api_timeout=0
port=1812
pass_through_all=true

[radius_client]
host=192.168.60.12
secret=radiussecret
port=1812
nas_ip=192.168.60.6
pass_through_all=true

[main]
debug=true
test_connectivity_on_startup=true

As soon as I try to restart duoauthproxy, NPS complains about the fact that there’s "A Radius Message with the Code field set to 12, which is not valid, …"
Also, on some occasions the logs of duoauthproxy show that there are config issues with the keys, …
The next time I reboot the service, all is ok?

2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] Testing section ‘cloud’ with configuration:
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] {‘api_host’: ‘■■■■’,
‘debug’: ‘True’,
‘ikey’: ‘■■■■’,
‘service_account_password’: ‘’,
‘service_account_username’: ‘aaa’,
‘skey’: '
[40]’}
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] There are no configuration problems
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] -----------------------------
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] Testing section ‘radius_server_auto’ with configuration:
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] {‘api_host’: ‘■■■■’,
‘api_timeout’: ‘0’,
‘client’: ‘radius_client’,
‘debug’: ‘True’,
‘failmode’: ‘safe’,
‘ikey’: ‘■■■■’,
‘port’: ‘1812’,
‘radius_ip_1’: ‘192.168.60.254’,
‘radius_secret_1’: ‘’,
‘skey’: '
[40]’}
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] There are no configuration problems
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] -----------------------------
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] Testing section ‘radius_client’ with configuration:
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] {‘debug’: ‘True’,
‘host’: ‘192.168.60.12’,
‘nas_ip’: ‘192.168.60.6’,
‘port’: ‘1812’,
‘secret’: ‘*****’}
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] There are no configuration problems
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] -----------------------------
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] Testing section ‘main’ with configuration:
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] {‘debug’: ‘True’, ‘test_connectivity_on_startup’: ‘true’}
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] There are no configuration problems
2019-05-07T14:45:54+0200 [duoauthproxy.lib.log#info] -----------------------------

I’m out of options about what I’m doing wrong.
If I’m using A.D. client instead of radius client, I’m able to get a push message to log on.

Regards;
Gerrit

#2

Did you install the Duo Authentication Proxy on the same server as NPS? This is the only scenario I can think of where NPS would have any awareness at all of the Duo service starting, and that is likely because NPS and the Duo Authentication Proxy are both trying to use port 1812, based on the config you pasted above (radius_client sending outgoing requests to 192.168.60.12 on port 1812 while radius_server_auto is listening on 1812).

Did the Duo troubleshooting tool also perform connectivity tests?

If you want both NPS and the Duo Authentication Proxy on the same server then you need to update the configuration for one of them to not listen on port 1812.

If you are not actually running both on the same server then I suggest you contact Duo Support to open a case. The Duo support engineer can help you examine debug output to determine the issue.
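
For reading the NPS event against the wire format, an added example (not from the thread and not Duo's code): RFC 2865 assigns Code 12 to Status-Server, specified further in RFC 5997, and this sketch decodes a RADIUS header and verifies the Message-Authenticator attribute of a request packet. The packet is constructed inline; `parse_radius` and `build_status_server` are hypothetical names, and the shared secret used in testing is the sample value from the config above.

```python
import hashlib
import hmac
import struct

# Code values assigned in RFC 2865 section 3; 12 is Status-Server (RFC 5997).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def parse_radius(packet: bytes, secret: bytes) -> dict:
    """Decode a RADIUS request header and check its Message-Authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= 4096 or length > len(packet):
        raise ValueError(f"bad Length field: {length}")
    packet = packet[:length]  # bytes past Length are padding and are ignored
    attrs, pos, mac_ok = [], 20, None
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + a_len]
        attrs.append((a_type, value))
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            # HMAC-MD5 over the whole packet with this attribute's value zeroed.
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            mac_ok = hmac.compare_digest(mac, value)
        pos += a_len
    return {"code": code, "name": CODES.get(code, "unassigned"), "id": ident,
            "attributes": attrs, "message_authenticator_ok": mac_ok}

def build_status_server(ident: int, secret: bytes) -> bytes:
    """Constructed sample: a Status-Server request with Message-Authenticator."""
    authenticator = bytes(range(16))  # fixed for reproducibility; random in practice
    body = (struct.pack("!BBH", 12, ident, 38) + authenticator
            + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    mac = hmac.new(secret, body, hashlib.md5).digest()
    return body[:22] + mac
```

A `message_authenticator_ok` of `False` on a captured packet points at a shared-secret mismatch between the two RADIUS peers rather than at the Code value.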