DUO Proxy: Radius doesn't seem to answer

PowerValve
Level 1

Hi all

I am trying to set up a Duo proxy to add 2FA to our RRAS server.

So I installed the Duo proxy on a fresh 2016 server, configured the conf file and set up AD sync. It synced a newly created group just fine. I also enrolled my user.

On the RRAS Server I switched to RADIUS Authentication, added the IP address and the shared secret of the Duo Server.

When I try to connect to the VPN it prompts for username/password. I tried “domain\user” and “password,push”, but no matter what I do, I am just getting a timeout.

So I opened a netstat -a on the Duo server to search for incoming connections, but there is nothing.
I tried a telnet to port 1812 on the Duo server but no answer.

Any ideas? Thanks in advance!

Cheers
Uwe

Here is my config (I XXXXX’ed some parts…)
[cloud]
ikey=DI----------------DO
skey=12e1fv-------------------------z4ToiE
api_host=■■■■

[ad_client]
; The hostname or IP address of your domain controller
host=10.1.111.5
host_2=10.1.111.4
host_3=10.1.111.1
service_account_username=svc2fa
service_account_password=xxxxxxxxxx
search_dn=DC=xxxxxxxxx,DC=local

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxxx
■■■■
api_host=■■■■
radius_ip_1=10.0.1.15
radius_secret_1=DuoSecurityIsTheKey
failmode=safe
client=ad_client
port=1812



gnyce
Level 1

Can’t telnet to it, it is UDP port 1812. Make sure that is allowed through the Windows firewall… (Or disable just for testing)

DuoKristina
Cisco Employee

Hi @PowerValve!

Duo Authentication Proxy 2.9.0 includes a connectivity tool that can help you troubleshoot this - authproxy_connectivity_tool.exe. You can run this from a Windows command prompt to test whether the server is listening on the specified RADIUS port.

Here are detailed instructions for running the connectivity tool.

If you are running a firewall on the proxy server be sure you’ve permitted connections on UDP 1812.

Duo, not DUO.

PowerValve
Level 1

Thanks for the quick reply.

Duo thinks the time is off. But it is in sync with the DC. Weird. (The time stamps in the logfile are our current local time…)

Any thoughts?

2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#warn] The RADIUS Server has connectivity problems.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] The Auth Proxy was able to ping Duo at ■■■■ with a latency of 695.9398 milliseconds.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#error] The time drift between the Auth Proxy host and Duo is excessively high, at 1529480225.25 seconds. This could interfere with user authorizations. Ensure the Auth Proxy host’s time is correct, for instance by enabling NTP.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] The Auth Proxy was able to validate the provided API credentials.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] The Auth Proxy will be able to accept connections on port 1812 on all interfaces
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] -----------------------------

Please ignore that erroneous time drift message. We’re aware of this bug with the tool. I should have mentioned that!

More relevant is the output that says it should be able to accept connections on 1812. You might want to try a packet capture to see what’s happening.

Duo, not DUO.

PowerValve
Level 1

Thanks, I will… Now I ran into a message saying that the connection cannot complete because “the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server”

So I need to dig into that policy stuff first to make PAP “legal”… Any hint would be appreciated…

I’ll be back.

Cheers
Uwe

Make sure that both RRAS to the Duo proxy and the Windows client to RRAS connections are using PAP (the client should also be using SSTP or L2TP for encryption).

Duo, not DUO.
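As an added example (not Duo's or Microsoft's code), here is why the RRAS-to-proxy leg has to be PAP when the user types “password,push” as in the first post: with PAP the User-Password attribute is only hidden with an MD5 keystream derived from the shared secret, so the proxy can recover the full string and split off the factor, whereas MS-CHAPv2 would deliver a hash that cannot be parsed that way. The packet layout follows RFC 2865; the username, password, shared secret and NAS address are constructed placeholders, and the split-at-last-comma rule is my assumption about Duo's append mode.

```python
import hashlib
import os
import struct

# Added example, not Duo's or Microsoft's code. Builds the PAP Access-Request an RRAS
# server sends to the Duo Authentication Proxy and shows what the proxy recovers from it.
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the proxy does before looking for the factor."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, nas_ip, identifier=1, authenticator=None):
    """Return (packet_bytes, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV, length incl. header
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator

def split_duo_factor(password):
    """Assumed append-mode convention from the thread: b'password,push' -> (password, factor)."""
    base, sep, factor = password.rpartition(b",")
    return (base, factor) if sep else (password, b"")

if __name__ == "__main__":
    pkt, auth = build_access_request(b"domain\\user", b"password,push", b"SharedSecret", "10.0.1.15")
    print(len(pkt), "bytes;", split_duo_factor(reveal_password(pkt[35:51], b"SharedSecret", auth)))
```

Because the hiding is reversible by anyone holding the shared secret, the RADIUS leg belongs on a trusted network and the client leg on SSTP or L2TP as suggested above.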

That server was a backup L2TP server before. I just changed from CHAPv2 to PAP on both the client and the server and got that message.

Now I try to find the policy in the NPS console that doesn’t allow PAP

PowerValve
Level 1

Took it step by step, rolled back to my working L2TP/Windows Auth setup and changed to PAP first. The same error showed up.

Finally I found it. Might make sense to include that part in the RRAS Duo how-to.
On old 2003 Servers there was no network policy.

The PAP Authentication Method doesn’t work on a freshly installed Windows RRAS Server even if you enable it in RRAS Manager/Authentication Methods. It needs to be enabled by creating a new policy in NPS:

That means, if you need to use PAP as Authentication Method, you need to enable it using network policy. Some suggestions and for your reference:
1. Add role services Network Policy Server of Network Policy and Access Services on your VPN device. Once the NPS is installed, your VPN server will use it to configure authentication and accounting providers by default.
2. Open Routing and Remote Access, right click VPN server and select Properties, open Security tab, click Authentication Method, select the check box Unencrypted Passwords(PAP). Save the changes.
3. Open NPS on the VPN device. Right click Network Policy and click New. Type a name for this policy and click next – add specify condition – select Authentication Type and click add – select PAP and click OK, click next – Access granted and click next – select PAP,SPAP only and uncheck other authentication methods. --> this policy is used to enable PAP.

Source: https://social.technet.microsoft.com/Forums/lync/en-US/593efd18-c5c1-4508-924c-c8888981c717/pptp-with-pap-error-942?forum=winserverPN

…now my L2TP Connection is working with PAP. I will now switch on RADIUS and see if I can get the DUO Auth Proxy working…

Edit/Update:

Ok. Now I switched to RADIUS and pointed it to the DUO Server.

The VPN Connection now times out and the VPN Server logs: Warning: Remote RADIUS server has not responded

This monitor returns the number of events when the remote RADIUS server has not responded to consecutive requests.

Type of event: Warning. Event ID: 36.

You should manually check the availability of the remote RADIUS server.

The connection tool says RADIUS is listening. There are no firewall rules in between the two servers.

Any ideas?

Cheers
Uwe

PowerValve
Level 1

Hi all

I installed another server with 2008R2 with DUO just to be safe and copied the conf file. Then edited the Radius IP on the RRAS Server.

I still have the same issue. Connection times out. No response from radius. Anything I can use to troubleshoot?

Cheers
Uwe

Edit: I found it: I used nRadius to troubleshoot the connection to the Radius. Error message was “connection refused”. That made me look into the config file again. Figured that the netmask of the Radius Clients IP range didn’t match the IP Address of the RRAS Server…

Now it’s working.

Thanks for all the help!
Uwe
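As an added example (not Duo's code), here is a small checker for the mistake found above: it parses a [radius_server_auto] section like the one in the first post and reports which radius_ip_N entries actually contain the RRAS server's address. It assumes, as I read Duo's documentation, that radius_ip_N accepts a single address, a hyphenated start-end range or a CIDR block; all addresses and secrets in the sample are constructed placeholders.

```python
import configparser
import ipaddress

# Constructed authproxy.cfg excerpt modelled on the [radius_server_auto] section in the
# first post; every value is a placeholder. radius_ip_1 is a /28 that starts at .16, so an
# RRAS server at 10.0.1.15 falls just outside it, which is the mismatch found in the thread.
SAMPLE_CFG = """
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.1.16/28
radius_secret_1=DuoSecurityIsTheKey
radius_ip_2=10.0.2.10-10.0.2.20
radius_secret_2=SecondClientSecret
failmode=safe
client=ad_client
port=1812
"""

def allowed_by(value):
    """Return a predicate for one radius_ip_N value: single address, CIDR block,
    or start-end range (the three forms I assume the proxy accepts)."""
    value = value.strip()
    if "-" in value:
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if end < start:
            raise ValueError(f"range {value!r} has its end before its start")
        return lambda ip: start <= ip <= end
    network = ipaddress.ip_network(value, strict=False)  # a bare "10.0.1.15" becomes a /32
    return lambda ip: ip in network

def matching_clients(cfg_text, section, client_ip):
    """List the radius_ip_N suffixes whose entry covers client_ip. An empty list means the
    proxy has no client definition to answer with, which from RRAS looks like a timeout."""
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(cfg_text)
    ip = ipaddress.ip_address(client_ip)
    return [key[len("radius_ip_"):] for key, value in cp.items(section)
            if key.startswith("radius_ip_") and allowed_by(value)(ip)]

if __name__ == "__main__":
    for rras in ("10.0.1.15", "10.0.1.20", "10.0.2.15"):
        hits = matching_clients(SAMPLE_CFG, "radius_server_auto", rras)
        print(rras, "->", ("radius_ip_" + ", radius_ip_".join(hits)) if hits else "no matching entry")
```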

rnavero
Level 1

I’m having the same problem, but I can’t solve it; could someone help me with this matter?
The log is shown below.

[info] Section [radius_client]
[warn] The RADIUS Client section has connectivity problems
[error] We cannot confirm that the Auth Proxy was able to establish a RADIUS connection to x.x.x.x:1812. In the case of an actual failure this may be due to a misconfigured secret or network issues. This may also happen if the upstream RADIUS Server does not support the Status-Server message
[info]

I’m using this configuration.

[main]
debug=true

[radius_client]
host=x.x.x.x
secret= secretkey

[radius_server_challenge]
ikey=
skey=
api_host=
radius_ip_1=q.q.q.q
radius_secret_1= secretkey
radius_ip_2=y.y.y.y
radius_secret_2= secretkey
radius_ip_3=w.w.w.w
radius_secret_3= secretkey
radius_ip_4=x.x.x.x
radius_secret_4=secretkey
client=radius_client
port=1812

@rnavero If you are pointing the Duo Authentication Proxy to NPS as a RADIUS client, it is known that NPS does not support the Status-Server message so that output from the connectivity tool is expected. You would be better served by enabling debug logging on the Duo proxy and looking at that output to see what is happening. Here is a guide that may help you.

Common causes of RADIUS client authentication failures from the Duo proxy to NPS are that the Duo proxy wasn’t added to NPS as a RADIUS client correctly, or an encryption mismatch between the Duo proxy and NPS.

If you need further assistance troubleshooting, consider contacting Duo Support.

Duo, not DUO.

Thanks for the clarification, but it does not work with ACS 5.5 from Cisco; I am having numerous problems due to incompatibility.

I’m sorry to hear you’re having issues @rnavero.

This thread was about RRAS/NPS. Consider creating a new post about your issue specifying Cisco ACS in the subject to engage the community about that specific device.

Duo, not DUO.

jwaits
Level 1

Just throwing in some extra data here. Auth Proxy 4.0 doesn’t work for us with NPS as a RADIUS client - we were getting timeouts. LDAP clients work just fine, but our FortiClient pointing to RADIUS/NPS broke on upgrading to 4.0. Immediately rolling back to 3.2.4 fixed the issue. Instead of having 2 Auth Proxies for my network gear/VPN, we now have 4: 2 on 3.2.4 for VPN and 2 on 4.0.1 for network device login.

I gave up on working with support after a few days and just built extra servers.
