DUO Proxy: Radius doesn't seem to answer


#1

Hi all

I am trying to set up a Duo proxy to add 2FA to our RRAS server.

So I installed the Duo proxy on a fresh 2016 server, configured the conf file and set up AD sync. It synced a newly created group just fine. I also enrolled my user.

On the RRAS Server I switched to RADIUS Authentication, added the IP address and the shared secret of the Duo Server.

When I try to connect to the VPN it prompts for username/password. I tried “domain\user” and “password,push”, but no matter what I do, I am just getting a timeout.

So I opened a netstat -a on the Duo server to search for incoming connections, but there is nothing.
I tried a telnet to port 1812 on the Duo server but no answer.

Any ideas? Thanks in advance!

Cheers
Uwe

Here is my config (I XXXXX’ed some parts…)
[cloud]
ikey=DI----------------DO
skey=12e1fv-------------------------z4ToiE
api_host=■■■■

[ad_client]
; The hostname or IP address of your domain controller
host=10.1.111.5
host_2=10.1.111.4
host_3=10.1.111.1
service_account_username=svc2fa
service_account_password=xxxxxxxxxx
search_dn=DC=xxxxxxxxx,DC=local

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxxx
■■■■
api_host=■■■■
radius_ip_1=10.0.1.15
radius_secret_1=DuoSecurityIsTheKey
failmode=safe
client=ad_client
port=1812


#2

Can’t telnet to it, it is UDP port 1812. Make sure that is allowed through the Windows firewall… (Or disable just for testing)


#3

Hi @PowerValve!

Duo Authentication Proxy 2.9.0 includes a connectivity tool that can help you troubleshoot this - authproxy_connectivity_tool.exe. You can run this from a Windows command prompt to test whether the server is listening on the specified RADIUS port.

Here are detailed instructions for running the connectivity tool.

If you are running a firewall on the proxy server be sure you’ve permitted connections on UDP 1812.
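For anyone who wants to see what the two replies above describe in working code: the following probe is an added example, not Duo’s connectivity tool and not anything from the original thread. It builds a PAP Access-Request as specified in RFC 2865, sends it over UDP 1812 (a datagram port, which is why a TCP telnet to it never answers), and verifies the Response Authenticator of whatever reply arrives. The host, shared secret, user name and NAS address in the usage stanza are constructed placeholders.

```python
"""Minimal RADIUS PAP probe (RFC 2865). Added example; not Duo's connectivity tool."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pap_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decode_pap_password(secret: bytes, authenticator: bytes, encoded: bytes) -> bytes:
    """Inverse of encode_pap_password (what the RADIUS server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, identifier=1, authenticator=None, nas_ip=None):
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes..."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, encode_pap_password(secret, authenticator, password.encode()))
    if nas_ip:
        attrs += _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(secret, request_authenticator, code, identifier, attrs=b""):
    """Server-side reply construction, included so the verification path can be exercised offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_response(secret, request_authenticator, data):
    """Check the Response Authenticator (RFC 2865 3); a mismatch means wrong secret or a forged reply."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    data = data[:length]
    expected = hashlib.md5(data[:4] + request_authenticator + data[20:] + secret).digest()
    if expected != data[4:20]:
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply is forged")
    return code, identifier


def probe(host, secret, username, password, port=1812, nas_ip=None, timeout=5.0):
    """Send one Access-Request over UDP and classify what happens."""
    auth = os.urandom(16)
    pkt = build_access_request(secret.encode(), username, password, authenticator=auth, nas_ip=nas_ip)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))       # connected UDP so ICMP port-unreachable surfaces as an error
        sock.send(pkt)
        data = sock.recv(4096)
    except socket.timeout:
        # RFC 2865 servers silently discard requests from a source IP they have no client entry for,
        # so a timeout can mean "not listening", "firewalled", or "source IP not in radius_ip_N".
        return "timeout"
    except ConnectionRefusedError:
        return "refused"                 # ICMP port unreachable: nothing bound on that UDP port
    finally:
        sock.close()
    code, _ = parse_response(secret.encode(), auth, data)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Constructed placeholder values; use the proxy address and the radius_secret_N from authproxy.cfg.
    print(probe("10.0.1.20", "constructed-shared-secret", "domain\\user", "password,push", nas_ip="10.0.1.15"))
```

Run it from the RRAS server itself, not from a workstation: the proxy matches the source address of the datagram against its radius_ip_N entries, so a probe from any other host is silently discarded and looks like a timeout even when the proxy is fine. A “refused” result means the port is not bound at all; a Response Authenticator error means the packet got through but the shared secrets differ.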


#4

Thanks for the quick reply.

Duo thinks the time is off. But it is in sync with the DC. Weird. (The time stamps in the logfile are our current local time…)

Any thoughts?

2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#warn] The RADIUS Server has connectivity problems.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] The Auth Proxy was able to ping Duo at ■■■■ with a latency of 695.9398 milliseconds.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#error] The time drift between the Auth Proxy host and Duo is excessively high, at 1529480225.25 seconds. This could interfere with user authorizations. Ensure the Auth Proxy host’s time is correct, for instance by enabling NTP.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] The Auth Proxy was able to validate the provided API credentials.
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] The Auth Proxy will be able to accept connections on port 1812 on all interfaces
2018-06-20T09:37:06+0200 [duoauthproxy.lib.log#info] -----------------------------


#5

Please ignore that erroneous time drift message. We’re aware of this bug with the tool. I should have mentioned that!

More relevant is the output that says it should be able to accept connections on 1812. You might want to try a packet capture to see what’s happening.


#6

Thanks, I will… Now I ran into a message saying that the connection cannot complete because “the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server”

So I need to dig into that policy stuff first to make PAP “legal”… Any hint would be appreciated…

I’ll be back.

Cheers
Uwe


#7

Make sure that both RRAS to the Duo proxy and the Windows client to RRAS connections are using PAP (the client should also be using SSTP or L2TP for encryption).


#8

That server was a backup L2TP server before. I just changed from CHAPv2 to PAP on both the client and the server and got that message.

Now I try to find the policy in the NPS console that doesn’t allow PAP


#9

Took it step by step, rolled back to my working L2TP/Windows Auth setup and changed to PAP first. The same error showed up.

Finally I found it. Might make sense to include that part in the RRAS Duo how-to.
On old 2003 Servers there was no network policy.

The PAP Authentication Method doesn’t work on a freshly installed Windows RRAS Server even if you enable it in RRAS Manager/Authentication Methods. It needs to be enabled by creating a new policy in NPS:

That means, if you need to use PAP as Authentication Method, you need to enable it using network policy. Some suggestions and for your reference:
1. Add role services Network Policy Server of Network Policy and Access Services on your VPN device. Once the NPS is installed, your VPN server will use it to configure authentication and accounting providers by default.
2. Open Routing and Remote Access, right click VPN server and select Properties, open Security tab, click Authentication Method, select the check box Unencrypted Passwords(PAP). Save the changes.
3. Open NPS on the VPN device. Right click Network Policy and click New. Type a name for this policy and click next – add specify condition – select Authentication Type and click add – select PAP and click OK, click next – Access granted and click next – select PAP,SPAP only and uncheck other authentication methods. --> this policy is used to enable PAP.

Source: https://social.technet.microsoft.com/Forums/lync/en-US/593efd18-c5c1-4508-924c-c8888981c717/pptp-with-pap-error-942?forum=winserverPN

…now my L2TP Connection is working with PAP. I will now switch on RADIUS and see if I can get the DUO Auth Proxy working…

Edit/Update:

Ok. Now I switched to RADIUS and pointed it to the DUO Server.

The VPN Connection now times out and the VPN Server logs: Warning: Remote RADIUS server has not responded

This monitor returns the number of events when the remote RADIUS server has not responded to consecutive requests.

Type of event: Warning. Event ID: 36.

You should manually check the availability of the remote RADIUS server.

The connection tool says RADIUS is listening. There are no firewall rules in between the two servers.

Any ideas?

Cheers
Uwe


#10

Hi all

I installed another server with 2008R2 with Duo just to be safe and copied the conf file. Then edited the RADIUS IP on the RRAS Server.

I still have the same issue. Connection times out. No response from radius. Anything I can use to troubleshoot?

Cheers
Uwe

Edit: I found it: I used nRadius to troubleshoot the connection to the RADIUS server. The error message was “connection refused”. That made me look into the config file again. I figured out that the netmask of the RADIUS client’s IP range didn’t match the IP address of the RRAS Server…

Now it’s working.

Thanks for all the help!
Uwe
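The root cause found in that last post (a radius_ip_N entry whose range did not cover the RRAS server’s address) can be checked offline before pointing RRAS at the proxy. The checker below is an added example, not part of the thread and not Duo’s code: it reads a [radius_server_auto] section, treats each radius_ip_N value as a single IP, a CIDR network, or a dash-separated range, and reports which entry (if any) covers a given client address, also flagging an entry that has no matching radius_secret_N. The embedded sample configuration is constructed with placeholder values.

```python
"""Check which radius_ip_N entry in authproxy.cfg covers a RADIUS client. Added example, not Duo's code."""
import configparser
import ipaddress
import re

# Constructed sample configuration with placeholder values (not the thread's real config).
SAMPLE_CFG = """\
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; single address: only this client is accepted
radius_ip_1=10.0.1.15
radius_secret_1=constructed-secret-1
; CIDR network: any client in 10.0.2.0/24
radius_ip_2=10.0.2.0/24
radius_secret_2=constructed-secret-2
; dash range
radius_ip_3=10.0.3.1-10.0.3.10
radius_secret_3=constructed-secret-3
failmode=safe
client=ad_client
port=1812
"""


def expand_radius_ip(spec: str):
    """Turn one radius_ip value into a list of ip_network objects."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False so a host address with a mask (10.0.2.15/24) is accepted as its network
    return [ipaddress.ip_network(spec, strict=False)]


def matching_clients(cfg_text: str, client_ip: str, section: str = "radius_server_auto"):
    """Return the radius_ip_N keys whose value covers client_ip, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for key, value in cp.items(section):
        m = re.fullmatch(r"radius_ip_(\d+)", key)
        if not m:
            continue
        if any(ip in net for net in expand_radius_ip(value)):
            if not cp.has_option(section, f"radius_secret_{m.group(1)}"):
                raise ValueError(f"{key} matches but radius_secret_{m.group(1)} is missing")
            hits.append(key)
    return hits


def explain(cfg_text: str, client_ip: str) -> str:
    """Human-readable verdict for the RRAS (or other NAS) address the proxy will see as source IP."""
    hits = matching_clients(cfg_text, client_ip)
    if not hits:
        return (f"{client_ip} matches no radius_ip_N entry; the proxy will silently discard its "
                f"requests and RRAS will report that the remote RADIUS server has not responded")
    return f"{client_ip} is covered by {', '.join(hits)}"


if __name__ == "__main__":
    for addr in ("10.0.1.15", "10.0.1.16", "10.0.2.77", "10.0.3.5"):
        print(explain(SAMPLE_CFG, addr))
```

Point it at the real authproxy.cfg text and the address RRAS actually sources its RADIUS traffic from (on a multi-homed server that is not always the address you expect); a proxy that silently ignores an unknown client is exactly the “has not responded” symptom the thread describes, so this check is worth doing before any packet capture.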