Duo AuthProxy as RADIUS Server and Vendor Specifics

Setting up Duo for my switches and am running into an issue when using the DuoAuthProxy as my RADIUS server. I have the LDAP Proxy pulling one AD group of users into Duo, then the RADIUS allows only those group members.

My Cisco switches (5548) work ok, I get the push and I get logged in. The issue is I am logged in at “Level 1” and have no command set. i want to be logged in at “Level 15” so I am a full admin. This seems to require the use of vendor-specific return codes but I cannot find where these are or are not supported within Duo itself.

If I need to do this does it require I set up an separate NPS server? I don’t use NPS right now, the wireless goes to the Internet and no-where else, and the rest of my environment is very simple (small company so not the most involved environment…)

Thanks in advance,


It’s not possible to define VSAs on the Duo Authentication Proxy itself, but it can pass through VSAs received from an upstream RADIUS server (like NPS) back to the device that initiated the access-request. This would require configuring the Duo proxy to use a radius_client instead of an ad_client.