Duo Radius proxy


#1

I don’t understand what I’m missing.
I have authentication set up and a Radius proxy running on a Linux box.
Linux box has Internet access.

My authentication to AD passes.
Then I can see in tcpdump that the authentication request is sent to the Radius gateway.
Then I can also see that the Radius gateway sends the request to Duo in my tcpdump.

However NOTHING ever comes back, and there’s nothing logged to Duo. It just gets lost somewhere…


#2

Care to share your authproxy.cfg file? Remove any passwords or other sensitive info.


#3

[radius_server_duo_only]
ikey=hgjkghjkeghfhjkglklh
■■■■
api_host=■■■■
radius_ip_1=10.10.92.40
radius_secret_1=SUPERSEKRET
failmode=safe
port=1812

[ad_client]
host=10.10.92.40
service_account_username=serviceaccount
service_account_password=SUPERSEKRET
search_dn=OU=Domain_Users,DC=nothing,DC=net


#4

I am running a similar config but I have the following…

[ad_client]
host=
service_account_username=LDAPUser
service_account_password=
search_dn=dc=$$$$,dc=com

[radius_server_auto]
ikey=
skey=
api_host=
client=ad_client
radius_ip_1=
radius_secret_1=
failmode=safe

I am assuming you have a “skey=” line in your config…

You can also enable some debug by adding the below to your config file…

[main]
debug=true


#5

Yep. ikey, skey, debug enabled.
duoauthproxy.lib.duo_async.DuoAPIFailOpenError: API Request Failed: TimeoutError('',)


#6

Hey there Pat_Labine!

That error indicates that the Duo proxy experienced an issue contacting the Duo API host. Take a look here for some tips.

For the api_host value, ensure you have just the hostname only and didn’t enter it as a URL e.g. https://api-xxxx....

Also, [radius_server_duo_only] means that the Duo proxy isn’t going to attempt to handle primary authentication, so it ignores the [ad_client] config. If you want to use duo_only, then you don’t need ad_client.

Are those your actual IPs? I notice that you specified the same IP for an AD domain controller (host=10.10.92.40 in [ad_client]) as was used for the RADIUS device passing the authentication request to the Duo proxy server (radius_ip_1=10.10.92.40). If this is just an example IP, never mind!


#7

All the tests pass. I’ve determined that it’s probably a web-proxy issue.

The web request from the duo-proxy to Duo has to go through a web proxy.
I have an http_proxy=10.10.0.4:80 in the config file, but it doesn’t seem to work.
http_proxy=http://10.10.0.4:80 doesn’t work either.


#8

Ah, I think you might just be using the wrong proxy option.

You should use http_proxy_host and http_proxy_port, documented here under the “Main Section”.

For example…

http_proxy_host=10.10.0.4
http_proxy_port=80

The [http_proxy] configuration section is used when the Duo Authentication Proxy itself is acting as an HTTP proxy for Duo applications on other systems.
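
As an added example (not part of any post above and not Duo's own tooling), a small Python check for the authproxy.cfg mistakes raised in this thread: a URL in api_host, a missing skey, http_proxy used in [main] instead of http_proxy_host and http_proxy_port, a key set twice, an unused [ad_client] under duo_only, and a RADIUS client IP equal to the AD host. The function name lint_authproxy and all sample values are assumptions made for illustration.

```python
import configparser

# Constructed sample that repeats the mistakes raised in this thread.
# Every value is a placeholder; api-XXXX.example is not a real Duo host.
SAMPLE = """\
[main]
debug=true
http_proxy=10.10.0.4:80
[ad_client]
host=10.10.92.40
[radius_server_duo_only]
ikey=PLACEHOLDER
api_host=https://api-XXXX.example
radius_ip_1=10.10.92.40
radius_secret_1=PLACEHOLDER
"""

def lint_authproxy(text):
    """Return findings for the authproxy.cfg problems discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None)  # strict: duplicates raise
    try:
        cp.read_string(text)
    except configparser.DuplicateOptionError as e:
        return [f"[{e.section}] {e.option} is set twice"]
    out = []
    if cp.has_option("main", "http_proxy"):
        out.append("[main] http_proxy: use http_proxy_host and http_proxy_port")
    ad_host = cp.get("ad_client", "host", fallback=None)
    uses_ad = any(cp.get(s, "client", fallback="") == "ad_client" for s in cp.sections())
    for name in cp.sections():
        if not name.startswith("radius_server_"):
            continue
        sec = cp[name]
        for key in ("ikey", "skey", "api_host"):
            if not sec.get(key, "").strip():
                out.append(f"[{name}] {key} is missing or empty")
        if "/" in sec.get("api_host", ""):
            out.append(f"[{name}] api_host must be a bare hostname, not a URL")
        if name.startswith("radius_server_duo_only") and ad_host and not uses_ad:
            out.append(f"[{name}] duo_only ignores [ad_client]")
        for key, val in sec.items():
            if key.startswith("radius_ip_") and val == ad_host:
                out.append(f"[{name}] {key} equals [ad_client] host {val}")
    return out

if __name__ == "__main__":
    for finding in lint_authproxy(SAMPLE):
        print(finding)
```

Run it against a copy of the config with secrets removed; an empty result only means none of these specific mistakes were found.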