I am performing Duo integration with RA VPN using MFA; however, it is failing on the last step to make it work. The connection towards Duo Cloud from the Active Directory Windows 2012 R2 that runs the Duo Authentication Proxy is failing. Note that AD does not have direct connectivity and needs proxy connectivity. Proxy settings have been configured in the [main] configuration section.
From the debugs I see that the connectivity tool is failing on executing the REST API call:
2019-06-21T05:46:49-0700 [_ConnectProxyClientProtocol,client] Duo preauth call failed
Traceback (most recent call last):
  File "twisted\internet\defer.pyc", line 654, in _runCallbacks
  File "twisted\internet\defer.pyc", line 1475, in gotResult
  File "twisted\internet\defer.pyc", line 1416, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 491, in throwExceptionIntoGenerator
--- <exception caught here> ---
  File "duoauthproxy\lib\radius\duo_server.pyc", line 111, in preauth
  File "twisted\internet\defer.pyc", line 1416, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 491, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\duo_async.pyc", line 227, in preauth
  File "twisted\internet\defer.pyc", line 1416, in _inlineCallbacks
  File "twisted\python\failure.pyc", line 491, in throwExceptionIntoGenerator
  File "duoauthproxy\lib\duo_async.pyc", line 183, in call
  File "twisted\internet\defer.pyc", line 654, in _runCallbacks
  File "duoauthproxy\lib\duo_async.pyc", line 171, in err_func
duoauthproxy.lib.duo_async.DuoAPIFailOpenError: API Request Failed: ConnectionDone()
If I do not define proxy settings in the [main] section, then the connectivity to Duo Cloud fails with a TCP timeout. So it seems that the proxy settings are now being enforced; however, I am not sure why the REST API query is still failing.
I have gone through the following connectivity checks:
- All works fine, apart from the telnet and PowerShell connectivity checks, since the Windows system environment variable with the defined HTTP/HTTPS proxy settings does not seem to be enforced, as I see traffic leaving the box directly to the internet, which will obviously be filtered.
So the question is, what connectivity tool checks are being executed? When I access the Duo REST API call manually over a browser, all seems to go fine via the proxy, as I am getting a valid certificate issued by Duo.
Additionally, how can I interpret the following message:
"The connectivity tool unfortunately doesn’t use the proxy parameters in the [main] section to then test the rest of the sections present in authproxy.cfg, giving a potentially misleading result from that tool. We definitely have plans to fix this."
Source: DUO Auth proxy via http proxy fails to connect
- So does the connectivity tool properly enforce proxy settings in later connectivity verification steps? Is connectivity to Duo Cloud supported over a proxy? (Based on the information on the website, it seems that it is.) Are there any proxy limitations in case I am not using the Duo Authentication Proxy application as a proxy itself on the server and the remote proxy supports the CONNECT method?
Many thanks for any hints.