BERDecoderContext has no tag 0x16


#1

I’m getting this error while trying to authenticate to my Duo Auth LDAP Proxy. tcpdump on my firewall shows there is no communication happening with api-xxxxx-duosecurity dot com. Is this an error message due to the same problem as https://help.duo.com/s/article/4292 ?

2019-03-08T15:19:18-0600 [-] Duo Security Authentication Proxy 2.14.0 - Init Complete
2019-03-08T15:19:24-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f0cdf0d0390>
2019-03-08T15:19:24-0600 [stdout#info] BERDecoderContext has no tag 0x16: <L■■■■_TopLevel identities={0x10: LDAPMessage} fallback=None inherit=<L■■■■_LDAPMessage identities={0x80: LDAPControls, 0x53: L■■■■ence} fallback=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>>
2019-03-08T15:19:24-0600 [Uninitialized] Connection made between client: 192.168.1.3:33188 and the server section listening via 192.168.1.39:389.
2019-03-08T15:19:24-0600 [-] C->S LDAPMessage(id=1, value=LDAPStartTLSRequest())
2019-03-08T15:19:24-0600 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=0L))

#2

Different LDAP tag, but same root cause. The tag is not supported by the Duo proxy.


#3

Thanks for the info but it does kinda block our rollout. Would it be helpful to offer some debug info from our appliance/proxy to help troubleshoot or remedy the unsupported tag? We really like what we’ve seen of Duo so far.


#4

No, we know what the tag is, and it’s not supported today. You could consult with your application vendor to see if there are configurable options for authentication that maybe don’t rely on IA5. You could also reach out to your Duo AE or SE (if one is helping you with your rollout) or to Duo Support to submit a feature request for additional tag support.
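
Added example (not part of the thread, and not Duo or ldaptor code): a small BER walker that reports where a universal tag outside the decoder's table appears in a captured message. The table is copied from the fallback `BERDecoderContext` in the log above and 0x16 is the universal IA5String tag; the function names and sample bytes are constructed for illustration. Because the log shows a StartTLS exchange and 0x16 is also the first byte of a TLS handshake record, the example includes a check for that header.

```python
# Added example: not Duo or ldaptor code. All sample bytes are constructed.
# Universal identities copied from the fallback BERDecoderContext in the log.
SUPPORTED_UNIVERSAL = {0x01, 0x02, 0x04, 0x05, 0x0A, 0x10, 0x11}
CONSTRUCTED = 0x20  # assumption: this bit is ignored when a tag is looked up


def read_tlv(buf, pos, end):
    """Return (identifier_octet, value_start, value_end) for the element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    first, length, start = buf[pos], buf[pos + 1], pos + 2
    if first & 0x1F == 0x1F or length == 0x80:
        raise ValueError("multi-byte tag or indefinite length: not handled here")
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if start + n > end:
            raise ValueError("truncated length")
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > end:
        raise ValueError("element overruns its container")
    return first, start, start + length


def unsupported_tags(buf, pos=0, end=None, path=""):
    """List (path, identity) for universal tags missing from SUPPORTED_UNIVERSAL."""
    end = len(buf) if end is None else end
    found, index = [], 0
    while pos < end:
        first, start, stop = read_tlv(buf, pos, end)
        here = f"{path}/{index}"
        ident = first & ~CONSTRUCTED & 0xFF  # class bits plus tag number
        if ident < 0x40 and ident not in SUPPORTED_UNIVERSAL:
            found.append((here, ident))
        if first & CONSTRUCTED:  # descend into SEQUENCE, SET, application types
            found += unsupported_tags(buf, start, stop, here)
        pos, index = stop, index + 1
    return found


def looks_like_tls_handshake(buf):
    """A TLS handshake record starts with 0x16 followed by major version 3."""
    return len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03


# Constructed: SEQUENCE { INTEGER 2, SEQUENCE { OCTET STRING "cn", IA5String "duo" } }
SAMPLE_BER = bytes.fromhex("300e02010230090402636e160364756f")
# Constructed: the first five bytes of a TLS handshake record header
SAMPLE_TLS = bytes.fromhex("1603010005")
```

Running `unsupported_tags` on a capture of the bytes the proxy received shows which element carries the tag, and `looks_like_tls_handshake` tells a BER IA5String apart from a TLS record arriving on the LDAP port.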


#5

Will do, thanks for the info.