Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1090
Views
1
Helpful
3
Replies

Citrix Native VPN Plugin allows login even when Duo push is declined

Go to solution
retiefz
Level 1
Level 1

‎06-24-2021 12:37 AM

We have an SSL Gateway VPN configured and users connect via the native vpn plugin. The duo radius policy is configured to point to [radius_server_auto] as iframes aren’t support.

When a user logs in with their AD creds we are successfully receiving the Duo push notification to allow or reject. When we reject the login, the vpn connection successfully establishes the connection.

When we use an iframe policy, the web login works and performs as expected but via the native plugin the user can enter and random number and the connection completes successfully as well.

We are running the latest firmware build - NS13.0 82.41.nc and the latest Duo proxy client.

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
retiefz
Level 1
Level 1

‎06-25-2021 12:41 AM

I’ve managed to get it working. I looks like it an issue when you have your LDAP and radius policies bound to the Gateway. I unbound the LDAP policy so that only the Radius policy is bound and then configured LDAP auth under the Gateway global settings.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎06-24-2021 06:57 AM

This is a Citrix NetScaler/Access Gateway? Do you still have an ns_true expression in place that might be getting applied after the Duo RADIUS policies fail?

You can use aaad.debug output to watch an authentication on the Citrix gateway and see exactly what policies are getting applied to the logon.

If that doesn’t help I’d suggest contacting Duo Support. A support engineer can review your authentication policies and bindings with you.

Duo, not DUO.
0 Helpful

Go to solution
retiefz
Level 1
Level 1

‎06-25-2021 12:30 AM

Thanks. Yes this is a Netscaler Gateway. I have 2 policies, Radius & LDAP. Both configured with a priority of 100 and both set to ns_true. From the the debug logs i can see that the radius process completes successfully, followed by the ldap policy which is where the issue comes in:
process_radius 0-253: RADIUS auth: Authentication failed for user test001 from server ... - Invalid Credentials
start_ldap_auth 0-253: Starting LDAP auth

In my mind this should not be the case as they have the same priority? I’ve logged a support call but im yet to receive a response 3 days later

0 Helpful

Go to solution
retiefz
Level 1
Level 1

‎06-25-2021 12:41 AM

I’ve managed to get it working. I looks like it an issue when you have your LDAP and radius policies bound to the Gateway. I unbound the LDAP policy so that only the Radius policy is bound and then configured LDAP auth under the Gateway global settings.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents