Duo and Cisco VPN not authenticating

We have set up the Duo Proxy server and set up authentication from the Cisco VPN ASA. When we test authentication to the Duo Proxy from the VPN profile, we get the error “authentication rejected: AAA Failure”.
Looking at the log file on the Duo Proxy server, we see this error: “There was a problem running the connectivity tool: Attempted to get the client for a non-server section”.

I can only assume the Proxy config is incorrect in some way, but not sure?

Has anyone seen this?

It’s hard to say what is wrong without knowing what’s in your config file.

  • Does it match the completed config example shown in the documentation (Two-Factor Authentication for Cisco ASA SSL VPNs | Duo Security), where you have some client section configured for primary authentication, and a server section for your ASA that uses the client section (either because you explicitly specified it with the client= option or because there is only one client section so it is used by default)?
  • Have you tried debug logging for the failed authentication test?
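
An offline check of the client/server section pairing described in the reply above, as an added example that is not part of the original thread and is not Duo's own tooling. The section-name prefixes and the sample config (every value is a placeholder) are assumptions.

```python
import configparser

# Assumed section-name prefixes (Duo Authentication Proxy naming convention).
CLIENT_PREFIXES = ("ad_client", "radius_client", "duo_only_client")
SERVER_PREFIXES = ("radius_server_auto", "ldap_server_auto")

def check_client_binding(cfg_text):
    """Map each server section to (client section or None, explanation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    clients = [s for s in cp.sections() if s.startswith(CLIENT_PREFIXES)]
    results = {}
    for sec in (s for s in cp.sections() if s.startswith(SERVER_PREFIXES)):
        wanted = cp.get(sec, "client", fallback=None)
        if wanted is not None:
            if wanted in clients:
                results[sec] = (wanted, "explicit client= option")
            else:
                results[sec] = (None, f"client={wanted} but no [{wanted}] section")
        elif len(clients) == 1:
            results[sec] = (clients[0], "only client section, used by default")
        elif not clients:
            results[sec] = (None, "no client section for primary authentication")
        else:
            results[sec] = (None, "several client sections, client= not set")
    return results

# Constructed sample config; every value is a placeholder.
SAMPLE_CFG = """
[ad_client]
host=192.0.2.10
search_dn=DC=example,DC=com

[radius_client]
host=192.0.2.20
secret=PLACEHOLDER

[radius_server_auto]
ikey=PLACEHOLDER
skey=PLACEHOLDER
api_host=PLACEHOLDER
radius_ip_1=192.0.2.1
radius_secret_1=PLACEHOLDER
failmode=safe
"""

if __name__ == "__main__":
    for section, (client, why) in check_client_binding(SAMPLE_CFG).items():
        print(f"[{section}] -> {client or 'UNRESOLVED'}: {why}")
```

Run it against a copy of the proxy's config file with the secrets redacted; any server section reported as unresolved has no usable primary authentication source under the rule quoted above.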

Yes the config matches per the set up doc.

On the ASA VPN I can run a test to check the configuration there and keep getting the same error “authentication rejected: AAA Failure”

I do have debug turned on, and after all the checks of the config it says this:
“There are no configuration problems”

So now I’m totally confused…

Sorry to hear that.

The output of the connectivity log is not the same thing as the Authentication Proxy’s own debug log. I suggest you enable debug logging on your Duo Authentication Proxy, test the auth from the ASA, and then open the authproxy.log file on the proxy server to see what output was captured for the incoming request from the ASA and the subsequent response during that authentication test.

If you don’t see any authentication activity in the Duo proxy’s authproxy.log, then there is likely an issue preventing communications between the Duo proxy and your ASA, and you should examine the network config, firewall, routing, etc.

If there is no authproxy.log file, then most likely the Duo Authentication Proxy service could not be started. Verify whether the service is started. If it isn’t, try to start it manually. If it will not start and stay running, here are some suggestions.

Keep in mind this forum isn’t a substitute for Duo Support, so if you are still stuck consider contacting them to receive 1:1 troubleshooting assistance.