Duo with Fortigate IPSec VPN problem

Hi,

I followed the procedure that explains how to set up Duo for Fortigate’s SSL VPN, as I was told that it should work for IPSec VPN connections also.

Everything works as expected, but the problem is that the connection still works even before I receive the push notification on my cell. And even if I decline the connection, it still works fine…

So the radius server configuration works fine in the Fortigate, but the VPN connection gets established without me having to approve it beforehand.

What am I missing?

Hello,

What appears in the Radius server logs? I mean, the Radius server should not send any Access-Accept message before your Duo approval.

If it does, you need to look into your Radius server configuration.

Regards,
Antony

Are you talking about the following file on the authentication proxy?
C:\Program Files\Duo Security Authentication Proxy\log\authproxy.log

If so, here’s the log content from my latest test:

2021-10-20T09:56:25.887067-0400 [duoauthproxy.lib.log#info] Sending request from x.x.x.x to radius_server_auto
2021-10-20T09:56:25.887067-0400 [duoauthproxy.lib.log#info] Received new request id 22 from (‘x.x.x.x’, 13457)
2021-10-20T09:56:25.887067-0400 [duoauthproxy.lib.log#info] ((‘x.x.x.x’, 13457), username, 22): login attempt for username ‘username’
2021-10-20T09:56:25.887067-0400 [duoauthproxy.lib.log#info] Sending AD authentication request for ‘username’ to ‘x.x.x.x’
2021-10-20T09:56:25.887067-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x00000076A3753BB0>
2021-10-20T09:56:25.902689-0400 [duoauthproxy.lib.log#info] Got signature length 16
2021-10-20T09:56:25.918314-0400 [duoauthproxy.lib.log#info] Got signature length 16
2021-10-20T09:56:25.918314-0400 [duoauthproxy.lib.log#info] Got signature length 16
2021-10-20T09:56:25.933938-0400 [duoauthproxy.lib.log#info] Got signature length 16
2021-10-20T09:56:25.933938-0400 [duoauthproxy.lib.log#info] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth
2021-10-20T09:56:25.933938-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth’>
2021-10-20T09:56:25.933938-0400 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x00000076A3753BB0>
2021-10-20T09:56:26.027687-0400 [duoauthproxy.lib.log#info] ((‘x.x.x.x’, 13457), username, 22): Got preauth result for: ‘auth’
2021-10-20T09:56:26.027687-0400 [duoauthproxy.lib.log#info] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth
2021-10-20T09:56:26.027687-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth’>
2021-10-20T09:56:26.027687-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth’>
2021-10-20T09:56:39.140954-0400 [duoauthproxy.lib.log#info] ((‘x.x.x.x’, 13457), username, 22): Duo authentication returned ‘allow’: ‘Success. Logging you in…’
2021-10-20T09:56:39.140954-0400 [duoauthproxy.lib.log#info] ((‘x.x.x.x’, 13457), username, 22): Returning response code 2: AccessAccept
2021-10-20T09:56:39.140954-0400 [duoauthproxy.lib.log#info] ((‘x.x.x.x’, 13457), username, 22): Sending response
2021-10-20T09:56:39.140954-0400 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: b’https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth’>

Here are the steps I take:

  1. I initiate a VPN connection from the Forticlient on my computer
  2. When I click “Connect”, I do receive a push notification on my Duo app for approval
  3. Even before I hit “Approve”, the VPN connection gets established
  4. Even if I hit “Deny” (or don’t respond), the VPN connection gets established
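A check on the authproxy.log excerpt above, added here as an example and not part of the original posts or of Duo's tooling: it groups the request-scoped lines by client and request id, then reports whether each AccessAccept was preceded by a Duo 'allow' and how long the proxy held the response. The sample lines, addresses and usernames are constructed, and the 'deny' and AccessReject lines are assumed wording modeled on the format shown.

```python
import re
from datetime import datetime

# Constructed sample in the format of the authproxy.log excerpt above
# (placeholder addresses and users; the 'deny' wording is an assumption).
SAMPLE_LOG = """\
2021-10-20T09:56:25.887067-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13457), alice, 22): login attempt for username 'alice'
2021-10-20T09:56:26.027687-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13457), alice, 22): Got preauth result for: 'auth'
2021-10-20T09:56:39.140954-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13457), alice, 22): Duo authentication returned 'allow': 'Success. Logging you in...'
2021-10-20T09:56:39.140954-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13457), alice, 22): Returning response code 2: AccessAccept
2021-10-20T10:02:01.000000-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13460), bob, 23): login attempt for username 'bob'
2021-10-20T10:02:09.500000-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13460), bob, 23): Duo authentication returned 'deny': 'Login request denied.'
2021-10-20T10:02:09.500000-0400 [duoauthproxy.lib.log#info] (('192.0.2.10', 13460), bob, 23): Returning response code 3: AccessReject
"""

# Request-scoped lines: TS [logger] ((ip, port), user, id): message
# Both straight and typographic quotes are accepted, since forum copies vary.
LINE = re.compile(
    r"^(\S+) \[[^\]]+\] \(\(['‘’]([^'‘’]+)['‘’], (\d+)\), ([^,]+), (\d+)\): (.*)$"
)
DUO = re.compile(r"Duo authentication returned ['‘’](\w+)['‘’]")
RESP = re.compile(r"Returning response code \d+: (\w+)")


def summarize(log_text):
    """Per RADIUS request: Duo result, response sent, seconds the proxy held it."""
    reqs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # factory start/stop, signature lines, HTTP POST lines
        ts, ip, port, user, rid, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        r = reqs.setdefault((ip, port, rid), {
            "user": user, "start": when, "duo": None,
            "response": None, "held_s": None})
        if (d := DUO.search(msg)):
            r["duo"] = d.group(1)
        elif (p := RESP.search(msg)):
            r["response"] = p.group(1)
            r["held_s"] = round((when - r["start"]).total_seconds(), 3)
    for r in reqs.values():
        # Flag an accept that the log does not show following a Duo 'allow'.
        r["accept_without_allow"] = (
            r["response"] == "AccessAccept" and r["duo"] != "allow")
        del r["start"]
    return list(reqs.values())


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A hold time of several seconds before AccessAccept, as for request 22 in the log above, shows the proxy itself waited for the push response before answering.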

Hi @GDumaresq, yes you are correct that that is your Duo Authentication Proxy debug log. From what you’ve shared here, it looks to me like everything is right and authentication is happening successfully, but I certainly could be wrong. You can always refer to the guide on how to interpret and troubleshoot Duo Authentication Proxy debug logs here for help reading these. I recommend contacting support for further help with this, but please be aware that we are currently experiencing higher than typical volume of support requests, so responses may be delayed.

For faster support, please contact us by phone using the numbers listed at duo.com/support. While waiting, we recommend you choose the option to receive a callback to limit your time on hold even further. Our highest volume tends to be Monday through Friday, 10AM ET - 4PM ET (1400 - 2000 UTC). Please consider reaching out to us outside of these hours.

Hi @Amy,

Actually, I did get this working with the help of a Duo engineer.

Thanks for the reply.

Great, I’m glad to hear you were able to get this working!