Hi ddobbins,
If the proxy logs say RADIUS: AccessAccept was sent for that authentication, you then know that the authentication has succeeded including 2FA and this information was transmitted to the switch.
It therefore follows that either the switch did not get this information, which is unlikely as it works for CLI, or that the switch is rejecting the authentication regardless of the AccessAccept RADIUS response, which is likely your issue.
Only the Switch Authentication logs would tell you why the authentication was rejected even though it succeeded.
I will note that I have seen this before, and usually the switch will require some Vendor Specific RADIUS attribute to be sent in order to actually authenticate you.
You will likely need to review your Switch RADIUS docs to see what attributes are required to be sent to set permissions or define some access group.
The Duo Auth Proxy is a proxy; the vendor specific RADIUS attributes themselves will need to be passed to the proxy by your primary authentication RADIUS server.
This means you will need to add the RADIUS attributes to NPS so the proxy can pass them through.
The proxy can be configured to pass all parameters.
This will be required for both the radius_server_auto section as well as the radius_client section.
You can find the optional parameters for both in the documentation below:
Your final configuration should look something like the below, with the optional parameters in bold.

[radius_client]
host=1.2.3.4
secret=radiusclientsecret
pass_through_all=true

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=radius_client
port=1812
failmode=safe
pass_through_all=true

Please see the article below for further details on configuring the proxy as a client of NPS which can be used to set Vendor Specific RADIUS attributes:
https://help.duo.com/s/article/4785