Duo Radius Proxy for Meraki Client VPN


#1

So, I’ve been trying to get this working for a bit here and am having some issues.
I’ve thoroughly confused myself. It seems that the easiest way to set this up is to use
[ad_client] and [radius_server_auto].
I’ve pointed my Meraki client VPN to the IP address of the Duo proxy, and my configuration is as follows:

[ad_client]
; IP of our only AD server
host=192.168.2.10
service_account_username=duuser
service_account_password=password
search_dn=cn=Users,dc=cps,dc=local

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxx
api_host=■■■■
; IP of our Meraki
radius_ip_1=192.168.2.1
radius_secret_1=supersekret
client=ad_client
port=1812
failmode=safe

Unfortunately I’m not able to log in… I get the following in my logs:

2018-03-17T16:27:26-0400 [-] Duo Security Authentication Proxy 2.7.0 - Init Complete
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Packet dump - received from 192.168.2.1:
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] "\x01c\x00Og\xfeJ[8\xc1'\xcf\xc0\x01\x89\x0f\xdc\x14\\U\x06\x06\x00\x00\x00\x02\x07\x06\x00\x00\x00\x01\x01\x06mark\x02\x12\xdaB5\xe1\x97 \xfc\x0f\x07W\xbb&\x9fM`>\x1f\x0bCLIENTVPN\x04\x06\x06\xe2[P\x05\x06\x00\x00\x00\x01"
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Sending request from 192.168.2.1 to radius_server_auto
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Received new request id 99 from ('192.168.2.1', 57851)
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] (('192.168.2.1', 57851), 99): login attempt for username u'mark'
2018-03-17T16:27:35-0400 [DuoForwardServer (UDP)] Sending AD authentication request for 'mark' to '192.168.2.10'
2018-03-17T16:27:35-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033514D0>
2018-03-17T16:27:35-0400 [Uninitialized] C->S LDAPMessage(id=1, value=LDAPBindRequest(version=3, dn='<ROOT>', auth='*****', sasl=True))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=1L, value=LDAPBindResponse(resultCode=14L, serverSaslCreds=LDAPBindResponse_serverSaslCreds(value='NTLMSSP\x00\x02\x00\x00\x00\x06\x00\x06\x008\x00\x00\x00\x05\x82\x89\x02K[OZ\xbf\x93\xfa\x9b\x00\x00\x00\x00\x00\x00\x00\x00~\x00~\x00>\x00\x00\x00\n\x0098\x00\x00\x00\x0fC\x00P\x00S\x00\x02\x00\x06\x00C\x00P\x00S\x00\x01\x00\x0e\x00C\x00P\x00S\x00D\x00A\x00T\x00A\x00\x04\x00\x12\x00c\x00p\x00s\x00.\x00l\x00o\x00c\x00a\x00l\x00\x03\x00"\x00C\x00P\x00S\x00D\x00a\x00t\x00a\x00.\x00c\x00p\x00s\x00.\x00l\x00o\x00c\x00a\x00l\x00\x05\x00\x12\x00c\x00p\x00s\x00.\x00l\x00o\x00c\x00a\x00l\x00\x07\x00\x08\x00\x19K\xdab.\xbe\xd3\x01\x00\x00\x00\x00')))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=2, value=LDAPBindRequest(version=3, dn='<ROOT>', auth='*****', sasl=True))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=2L, value=LDAPBindResponse(resultCode=0L, serverSaslCreds=LDAPBindResponse_serverSaslCreds(value='')))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=3, value=LDAPSearchRequest(baseObject='cn=Users,dc=cps,dc=local', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='user')), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectCategory'), assertionValue=LDAPAssertionValue(value='person'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='inetOrgPerson')), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='organizationalPerson'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■ion(value='sAMAccountName'), assertionValue=LDAPAssertionValue(value=u'mark'))]), attributes=('sAMAccountName', 'msDS-PrincipalName')))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=3L, value=LDAPSearchResultDone(resultCode=0L))
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=4, value=LDAPUnbindRequest())
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] (('192.168.2.1', 57851), 99): Primary credentials rejected - Invalid User
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] (('192.168.2.1', 57851), 99): Returning response code 3: AccessReject
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] (('192.168.2.1', 57851), 99): Sending response
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] Packet dump - sent to 192.168.2.1:
2018-03-17T16:27:36-0400 [_ADAuthClientProtocol,client] '\x03c\x00"\x14\'\xfb\x1c\xa5\xec\xc6R\xdd\xc3\x9eN\x98\x19\xc1\x12\x12\x0eInvalid User'
2018-03-17T16:27:36-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x033514D0>

Thanks in advance.

Mark
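Added example, not part of Mark's post or of Duo's code: a small RADIUS packet decoder run over the two packet dumps from the log above, so you can confirm exactly which User-Name the Meraki sent (here "mark", with no domain prefix) and what the proxy answered. The attribute names come from RFC 2865; the User-Password value is obfuscated with the shared secret and is deliberately not recovered.

```python
import struct

# RADIUS packet codes and the attribute types that appear in the dumps
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 7: "Framed-Protocol", 18: "Reply-Message",
         31: "Calling-Station-Id"}

# The two packet dumps copied from the proxy log (Python 2 repr, valid as bytes literals)
REQUEST = (b"\x01c\x00Og\xfeJ[8\xc1'\xcf\xc0\x01\x89\x0f\xdc\x14\\U\x06\x06\x00\x00\x00\x02"
           b"\x07\x06\x00\x00\x00\x01\x01\x06mark\x02\x12\xdaB5\xe1\x97 \xfc\x0f\x07W\xbb&\x9fM`>"
           b"\x1f\x0bCLIENTVPN\x04\x06\x06\xe2[P\x05\x06\x00\x00\x00\x01")
REPLY = b'\x03c\x00"\x14\'\xfb\x1c\xa5\xec\xc6R\xdd\xc3\x9eN\x98\x19\xc1\x12\x12\x0eInvalid User'


def decode(packet):
    """Parse one RADIUS packet into (code name, identifier, {attribute name: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match the packet")
    attrs = {}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        val = packet[pos + 2:pos + alen]
        if atype in (1, 18, 31):          # text attributes
            val = val.decode("utf-8", "replace")
        elif atype == 4:                  # IPv4 address
            val = ".".join(str(b) for b in val)
        elif atype in (5, 6, 7):          # 32-bit integers
            val = struct.unpack("!I", val)[0]
        elif atype == 2:                  # hidden with MD5(secret + authenticator); left as-is
            val = "<%d obfuscated bytes>" % len(val)
        attrs[ATTRS.get(atype, "Attr-%d" % atype)] = val
        pos += alen
    return CODES.get(code, str(code)), ident, attrs


if __name__ == "__main__":
    for pkt in (REQUEST, REPLY):
        print(decode(pkt))
```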


#2

Hi there Mark!

Your log shows that after the initial LDAP bind to your domain controller, the Duo server issues a search for a user/person, inetOrgPerson, or organizationalPerson (those are all LDAP object classes and categories) with the sAMAccountName or msDS-PrincipalName (which is domain\user) = mark, in the cn=Users,dc=cps,dc=local container. The search returns no results.

There are a few possible reasons for this:

  1. “mark” is not the sAMAccountName.
  2. “mark” is not in the Users container, but is in a different OU (set the base DN to dc=cps,dc=local).
  3. Mark is not a user/person LDAP object.

Can you check the LDAP attributes of the “mark” user?
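Added example, not part of this reply or of the Duo proxy: a model of the search the proxy issued (the filter from the log, subtree scope under search_dn) evaluated against a few constructed directory entries, which tells you which of the three reasons above applies for a given username and search_dn. The entries and their DNs are made up; real AD stores objectCategory as a schema DN, which the short "person" form stands in for here.

```python
# Constructed entries (not Mark's domain): "mark" lives in an OU, not in CN=Users.
DIRECTORY = [
    {"dn": "CN=Mark Smith,OU=Staff,DC=cps,DC=local", "sAMAccountName": "mark",
     "objectClass": ["top", "person", "organizationalPerson", "user"], "objectCategory": "person"},
    {"dn": "CN=Administrator,CN=Users,DC=cps,DC=local", "sAMAccountName": "Administrator",
     "objectClass": ["top", "person", "organizationalPerson", "user"], "objectCategory": "person"},
    {"dn": "CN=VPN Users,CN=Users,DC=cps,DC=local", "sAMAccountName": "vpnusers",
     "objectClass": ["top", "group"], "objectCategory": "group"},
]


def in_subtree(entry_dn, base_dn):
    """scope=2 in the log is a subtree search: the entry must sit at or below base_dn."""
    split = lambda dn: [p.strip().lower() for p in dn.split(",")]
    e, b = split(entry_dn), split(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def matches_proxy_filter(entry, username):
    """The filter from the log: (&(|(&(objectClass=user)(objectCategory=person))
    (objectClass=inetOrgPerson)(objectClass=organizationalPerson))(sAMAccountName=<user>)).
    AD compares these values case-insensitively."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    is_person = (("user" in classes and entry.get("objectCategory", "").lower() == "person")
                 or "inetorgperson" in classes or "organizationalperson" in classes)
    return is_person and entry.get("sAMAccountName", "").lower() == username.lower()


def diagnose(directory, username, base_dn):
    """None if the proxy's search would find the user, else which of the three reasons applies."""
    if any(in_subtree(e["dn"], base_dn) and matches_proxy_filter(e, username) for e in directory):
        return None
    by_name = [e for e in directory if e.get("sAMAccountName", "").lower() == username.lower()]
    if not by_name:
        return "1: no object has sAMAccountName=%s" % username
    if not any(matches_proxy_filter(e, username) for e in by_name):
        return "3: %s is not a user/person object" % username
    return "2: %s is outside search_dn %s; use the domain root" % (username, base_dn)


if __name__ == "__main__":
    for base in ("cn=Users,dc=cps,dc=local", "dc=cps,dc=local"):
        print(base, "->", diagnose(DIRECTORY, "mark", base))
```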