cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1458
Views
0
Helpful
5
Replies

BERDecoderContext has no tag 0x16

dee3
Level 1
Level 1

I’m getting this error while trying to authentication to my Duo Auth LDAP Proxy. tcpdump on my firewall shows there is no communication happening with api-xxxxx-duosecurity dot com. Is this an error message due to the same problem as https://help.duo.com/s/article/4292 ?

2019-03-08T15:19:18-0600 [-] Duo Security Authentication Proxy 2.14.0 - Init Complete
2019-03-08T15:19:24-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f0cdf0d0390>
2019-03-08T15:19:24-0600 [stdout#info] BERDecoderContext has no tag 0x16: <L■■■■_TopLevel identities={0x10: LDAPMessage} fallback=None inherit=<L■■■■_LDAPMessage identities={0x80: LDAPControls, 0x53: L■■■■ence} fallback=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>>
2019-03-08T15:19:24-0600 [Uninitialized] Connection made between client: 192.168.1.3:33188 and the server section listening via 192.168.1.39:389.
2019-03-08T15:19:24-0600 [-] C->S LDAPMessage(id=1, value=LDAPStartTLSRequest())
2019-03-08T15:19:24-0600 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=0L))
5 Replies 5

DuoKristina
Cisco Employee
Cisco Employee

Different LDAP tag, but same root cause. The tag is not supported by the Duo proxy.

Duo, not DUO.

dee3
Level 1
Level 1

Thanks for the info but it does kinda block our rollout. Would it be helpful to offer some debug info from our appliance/proxy to help troubleshoot or remedy the unsupported tag? We really like what we’ve seen of Duo so far.

No, we know what the tag is, and it’s not supported today. You could consult with your application vendor to see if there are configurable options for authentication that maybe don’t rely IA5. You could also reach out to your Duo AE or SE (if one is helping you with your rollout) ot to Duo Support to submit a feature request for additional tag support.

Duo, not DUO.

Will do, thanks for the info.

Tom_Ingold
Level 1
Level 1

For anybody that runs across this – I got this error but was a red herring. Turns out it can happen with a LDAPS connection to a LDAP (no S proxy instance).

I was halfway into implementing it in the twisted/ldaptor library before I realized it…

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links