Connection to Barracuda NG firewalls?


#1

I found two flavors of documentation for connecting the Barracuda SSL VPN appliance via Radius, but nothing for the NG (Next Gen) firewall series.

I think I got it all right, but the fact it’s not working is a hint otherwise.

Is there any DIY documentation relating to this?


#2

Greetings AmishBill!

The Barracuda SSL VPN instructions on our site are specifically for the “Barracuda SSL VPN & Remote Access” product line. You should be able to get it working with the NG if you stop trying to use the [radius_server_iframe] configuration in the SSL VPN doc, and switch to [radius_server_auto], our automatic authentication experience.

You can see a generic RADIUS setup using [radius_server_auto] in our generic RADIUS instructions.

I suspect that you may only need to change two lines in your authproxy.cfg file for it to work.

  1. Change [radius_server_iframe] to [radius_server_auto].
  2. Remove the type=barracuda line.

Then save the file, cycle the Authentication Proxy service, and try authenticating to your Barracuda NG again. You should receive an automatic push request on the phone or other device where you activated the Duo Mobile app.

ETA I found these instructions for RADIUS auth with the NG Firewall. If this matches your NG setup, note that…

  • Duo does not require NAS credentials
  • Duo does not require the RADIUS ‘State’ attribute
  • Duo will not pass through group information via the Authentication Proxy if you are using Active Directory as the Authentication Proxy’s primary authenticator ([ad_client]). It can pass through a group attribute received from another RADIUS server ([radius_client]). Are you chaining authenticators (meaning, the NG performs primary authentication against a different source and only continues to Duo via RADIUS after that succeeds)?

Hope that helps!


#3

Thanks for the info.
I already have the [radius_server_auto] entry, and tried a fresh config with the generic Radius application type.

Maybe it would help to start with what I’m trying to end up with.
I want to enter a domain ID as my VPN user, the domain password followed by a code from the Duo phone app, and be authenticated into my Barracuda NG Firewall’s Client-site VPN system. I am open to the Push version too, but at the moment, I’m mainly after the simplest answer that gives me 2FA/mfa.

I have the Duo proxy installed on a 2012r2 VM in my environment. I have the Duo proxy service and an explicit port 1812 (fixed) UDP inbound allow on the local firewall. They can ping each other. As a diagnostic step I disabled the VM firewall.

From the Duo side, what is the best path to making this configuration work?
Do I need to worry about [radius_server_concat] ?
Does [main] at the top of the .cfg need to be un-commented?


#4

More notes.
The VPN login works fine with AD or local IDs for its auth. It fails with Radius.

I'm not seeing any authentication attempts on the Duo Authentication log.

Telnet from the F300 times out when trying to connect to the 2012r2 VM on port 1812.

The VM has the Duo proxy started, and its firewall has explicit incoming allows for the proxy and for TCP 1812.

I just found and enabled firewall logging on the 2012r2 VM that hosts the Duo proxy.

After (XXdisabling the firewallXX) allowing all incoming, I see allowed UDP traffic from the F300 to the Duo VM from port 12349 to 1812. I changed the firewall rule to allow incoming 1812 UDP.

After that I see TCP traffic from the Duo VM to my domain controllers, from 64050 (incrementing) to 389.

I have no replies from the domain controller. Thoughts on why this part of the auth is being blocked?

The Duo box is configured with a service account. That account only has domain user membership - that should be enough to authenticate, shouldn’t it?

Edit – Added
OK - tracked it back to a domain controller. The event log shows an Unknown user name or bad password. The user name of the Duo service account is being passed correctly, but the domain is being passed as “M” instead of MyDomain.


#5

OK - more updates. A few good 'you did what?' moments here…

– It helps a lot if you can keep track of internal naming conventions (serv-acct) and not subconsciously translate them into unix underscore format while you’re following instructions and modifying examples.

– No single part of the puzzle can provide enough information to solve the whole thing. Domain Controller firewall logs can show you if you’re getting Radius traffic, the authproxy log can tell you that you’re losing it as soon as you try to connect to AD, Domain Event Viewer can tell you what ID is not connecting. The Duo application authentication log can tell you if requests are making it out of your network.

– Activating the app on your iPhone is not as simple as it could be if you have an old install already on it, are in a hurry, and don’t notice that you’ve never actually managed to get your phone tied in properly.

And one non-technical side note - At least on first glance, the push feature on the iOS app is a little awkward. I lost the window I needed to approve the connection several times and only found it by accident.
ps - where is the right place to make an app change suggestion?


#6

So it sounds like you got to a working configuration? That’s great!

Our mobile team reads reviews left on the Duo Mobile app in the App Store. You can leave feedback there and be assured someone will see it.

You can also contact Duo Support to submit a formal Feature Request. These are tied to your customer account so you could be notified in the future.

Thanks again for using Duo!


#7

One final note to leave on this topic… As recently as the Barracuda NetworkAccessClient 4.1, there are two small changes required to keep the client from locking a user’s Duo account.

In the / each VPN connection profile, highlight it, click Modify.
Click on the Advanced Settings tab,
then locate the entries for One Time Password and Fast Reconnect.
Set One Time Password to Yes,
and Fast Reconnect to No.