Duo Proxy not passing Radius attributes

JasonP3
Level 1

I am using Duo Proxy with RADIUS authentication to authenticate SSH logins for Cisco routers. The secondary authenticator is RADIUS: Microsoft’s NPS.

I have specified ‘pass_through_all’ in the radius server settings in the config but no attributes are being passed to NPS. The NPS logs show NAS-IP-Address and Client-IP-Address as the proxy’s IP, not the IP of the original requester.

I know the router sends the required information because it is present in the NPS logs when I authenticate directly.

This is stopping me from using DUO Proxy for some services as I need different NPS settings for different clients but I can’t differentiate the clients as they all appear to come from the same source.

7 Replies

petergo
Level 1

I also met the same issue; here is my way:
use the hostname as the NAS-Identifier in the NPS policy,
so you can use the NAS-Identifier to match a different policy.

Unfortunately our equipment doesn’t return a hostname or any other useful unique identifier.

I opened a support case with DUO. There is now a solution for this issue but it is currently not documented while it undergoes further evaluation. As such, I don’t think it is fair to give it here but I’m sure if you open a case then their support will give you the details.

samuraizero1
Level 1

Same kind of issue here for HP Procurve.

Duo support hasn’t been able to figure it out. I guess it’s not truly an enterprise product.

JasonP3
Level 1

I’ve had a request to share the ‘fix’ and, having given it further consideration, I can’t see why it would cause any issues. Please bear in mind this has not been fully tested by DUO yet, but it worked for me.

Add the below under the [radius_server] section in your authproxy.cfg:

client_ip_attr=NAS-IP-Address

This adds a Client IP (the same as the original source IP) and you can then use that in your Radius rules.

If you don’t want this to apply to all your equipment (some may already be using Client IP) then create a new [radius_server_x] section for each authentication source IP range you want to treat differently.

Hey Jason

Can you show how this is used in Radius please?
Is this done on your request in from Duo Auth proxy?

JasonP3
Level 1

I’m not sure I quite understand what you mean by your question samuraizero but I will have a go at an answer.

When you install Duo Proxy you have to configure an authproxy.cfg to tell Duo Proxy its settings. The client_ip_attr=NAS-IP-Address goes in there in the [radius_server] section.

What this does is make Duo Proxy create a Client IP to pass to whatever RADIUS server you are using. The Client IP will have the IP of the device you want to authenticate, e.g. your switch, 192.168.1.10.

On your Radius server you setup your rules for different devices but you need a way to identify which device the rule applies to. With this setting, you can test the Client IP to identify the device.

For example, if Client IP = 192.168.1.10, then this is my switch, so I apply these authentication rules (that I want to apply to my switch).
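Added example, not code from this thread or from Duo: a small Python model of the situation Jason describes, using a constructed RADIUS Access-Request and a hypothetical policy table, to show why NPS cannot tell devices apart when the proxy substitutes its own address for NAS-IP-Address, and how a Client IP condition selects the right policy once the original address is carried through.

```python
import ipaddress
import struct

# RFC 2865 constants
ACCESS_REQUEST = 1
USER_NAME = 1        # attribute type 1
NAS_IP_ADDRESS = 4   # attribute type 4

def build_access_request(username: str, nas_ip: str, ident: int = 1) -> bytes:
    """Construct a minimal Access-Request (constructed sample; the 16-byte
    Request Authenticator is zeroed here, a real client sends random bytes)."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username.encode()
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def client_ip(packet: bytes) -> str:
    """The address an NPS condition can test once NAS-IP-Address survives the proxy."""
    return str(ipaddress.IPv4Address(parse_attributes(packet)[NAS_IP_ADDRESS]))

# Hypothetical policy table keyed on source network (an assumption, not from the thread).
POLICY_BY_CLIENT = {
    ipaddress.ip_network("192.168.1.0/24"): "switch-policy",
    ipaddress.ip_network("10.10.0.0/16"): "router-policy",
}

def select_policy(packet: bytes) -> str:
    """Pick the per-device policy the way an NPS Client IP condition would."""
    ip = ipaddress.ip_address(client_ip(packet))
    return next((name for net, name in POLICY_BY_CLIENT.items() if ip in net), "default-policy")

def proxy_forward(packet: bytes, proxy_ip: str, preserve_client_ip: bool) -> bytes:
    """Model the proxy hop: either the original NAS-IP-Address is carried through
    (the client_ip_attr behaviour) or it is replaced by the proxy's own address,
    which is the symptom described at the top of the thread."""
    attrs = parse_attributes(packet)
    nas_ip = client_ip(packet) if preserve_client_ip else proxy_ip
    return build_access_request(attrs[USER_NAME].decode(), nas_ip, packet[1])
```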

mkorovesisduo
Level 4

Hi JasonP and samuraizero! We appreciate your participation in the Duo Community. The configuration you are discussing is unsupported. Please feel free to continue your discussion in private but, in order to protect our customers from utilizing unsupported configs, we have decided to mark this thread as unlisted.
