DUO RADIUS MSCHAPv2 Change Default Device


#1

Hello,

I have a customer that’s looking to set up DUO for their SonicWALL SSLVPN appliance. The firmware is 8.6+, so we can’t use the web console; we have set up RADIUS auth and it’s working fine.

My issue is that, since we are using MSCHAPv2, the users can’t append their 2FA choice at login: the DUO proxy can’t see the password string, so it defaults to the DUO app.

Most of the clients are using the DUO Mobile app, but a select few sometimes need to connect to the VPN when they won’t have their devices handy, so they want the ability to add a landline to their account and use that to connect to the VPN.

My issue/question: when I test this, even when I use the self-service portal to change the default device to the landline and then connect to the VPN, it always sends a push and never a call. If I remove the mobile device from the user’s profile it makes a call without issue. Is there a way to make the call work while keeping the mobile device set up on the user’s profile?

Thanks.


#2

Autopush defaults to contacting the first push-capable device attached to a user. This is why it skips over calling phone1 in favor of a push to phone2.

Why did they choose to use MSCHAPv2? If they don’t specifically need to use it and switched to PAP, they could append a factor selection by name to the password.

In order to provide factor selection with additional guidance in the form of a text-based 2FA prompt, it is sometimes possible to switch the config from [radius_server_auto] to [radius_server_challenge]. You can learn more about this option here: Duo Authentication Proxy Reference | Duo Security.

However, I have some notes from a few years ago that said RADIUS Challenge did not work on an SRA 1200, with a (now defunct) link to a SonicWALL support forum post with the quote “We do not support Access-Challenge as a general interactive login process. We do support it within the context of RSA SecurID’s special modes (new PIN, next token, etc).” So, you might want to verify with SonicWall that their SRA/SMA fully supports RADIUS Challenge for login before exploring this alternative.

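The following is an added example, not code from the thread or from Duo, written to make the two points in the reply above concrete: under PAP the RADIUS server can reverse the User-Password attribute with the shared secret and so can read a “password,factor” suffix, while under MSCHAPv2 only a challenge/response pair arrives and the proxy can only fall back to its automatic factor; and “auto” goes to the first push-capable device on the user, which is why a landline set as default is skipped in favour of a push. The function names (`pap_encode`, `pap_decode`, `split_factor`, `choose_factor`, `auto_device`), the sample shared secret, the request dictionaries and the device list are all constructed for this example; the User-Password hiding is the RFC 2865 section 5.2 algorithm, but the proxy-side decision logic is a model of the behaviour described in the reply, not Duo’s implementation.

```python
import hashlib

# Duo's documented "append a factor" convention under PAP: "<password>,<factor>",
# where factor is a named factor (push, phone, sms) or a numeric passcode.
DELIMITER = ","
NAMED_FACTORS = {"push", "phone", "sms"}

# Constructed sample values for the demo below (not real credentials).
SAMPLE_SECRET = b"sonicwall-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))  # the 16-byte Request Authenticator


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as the NAS (the SSL VPN) does it.
    Each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    the first block is keyed with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse, run by the RADIUS server (here the Duo proxy). Anyone holding
    the shared secret can do this, which is why PAP is reversible rather than
    password-hiding. Trailing NUL padding is stripped (the constructed
    passwords here contain no NULs)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def split_factor(cleartext: str):
    """Model of the proxy's concat parsing: split off a trailing ",factor" or
    ",passcode". Anything else is treated as the whole password with factor auto."""
    if DELIMITER in cleartext:
        password, factor = cleartext.rsplit(DELIMITER, 1)
        if factor in NAMED_FACTORS or factor.isdigit():
            return password, factor
    return cleartext, "auto"


def choose_factor(request: dict, secret: bytes):
    """What the proxy can decide from a RADIUS Access-Request (constructed model).
    PAP: User-Password is present and reversible, so the suffix is visible.
    MSCHAPv2: only MS-CHAP-Challenge / MS-CHAP2-Response arrive; there is no
    cleartext to parse, so the result is (None, 'auto')."""
    authenticator = request["Request-Authenticator"]
    if "User-Password" in request:
        clear = pap_decode(request["User-Password"], secret, authenticator).decode()
        return split_factor(clear)
    if "MS-CHAP2-Response" in request:
        return None, "auto"
    raise ValueError("no supported authentication attribute in request")


def auto_device(devices):
    """'auto' as described in the reply: the first push-capable device wins,
    regardless of which device the user marked as default; only if none can
    receive a push does a phone-call-capable device (e.g. a landline) get used."""
    for dev in devices:
        if "push" in dev["capabilities"]:
            return dev["name"], "push"
    for dev in devices:
        if "phone" in dev["capabilities"]:
            return dev["name"], "phone"
    return None, None


if __name__ == "__main__":
    # Constructed Access-Request attribute sets for the two protocols.
    pap_request = {
        "User-Name": "ken",
        "User-Password": pap_encode(b"Winter2024,phone", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR),
        "Request-Authenticator": SAMPLE_AUTHENTICATOR,
    }
    mschap_request = {
        "User-Name": "ken",
        "MS-CHAP-Challenge": bytes(16),
        "MS-CHAP2-Response": bytes(50),
        "Request-Authenticator": SAMPLE_AUTHENTICATOR,
    }
    print("PAP     ->", choose_factor(pap_request, SAMPLE_SECRET))
    print("MSCHAPv2->", choose_factor(mschap_request, SAMPLE_SECRET))
    user_devices = [
        {"name": "phone1 (landline, default)", "capabilities": ["phone"]},
        {"name": "phone2 (Duo Mobile)", "capabilities": ["push", "phone", "sms"]},
    ]
    print("auto with both devices:", auto_device(user_devices))
    print("auto with landline only:", auto_device(user_devices[:1]))
```

Running it shows the PAP request yielding `('Winter2024', 'phone')` while the MSCHAPv2 request yields `(None, 'auto')`, and `auto_device` picking the Duo Mobile phone over the default landline until the mobile device is removed, matching the behaviour reported in the first post.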

#3

Hello,

Thanks for the update on this post. The reason I was told they use MSCHAPv2 is to help with users changing passwords remotely but I will double check that.

The security person in charge does not like PAP as they say it’s insecure so they want to stay with MSCHAPv2.

Now I know it will always default to a push if the user has one in their profile; that might make them change their mind, but this issue is for a very small subset of users, so I think they will just make them use their device if needed.

Thanks,

Ken


#4

They can try using RADIUS Challenge with MSCHAPv2, but like I said, I am not sure that SonicWALL fully supports challenge.