Juniper Security Director -- DUO RADIUS does two pushes


#1

So, I’ve installed Juniper Space, and configured the authentication to use our duo proxy via the RADIUS configuration. Whenever I log in to the Network Management Platform, two-factor works fine. However, if I switch over to Security Director (an application on top of Network Management), and if I get logged out – when I log back in to it, it will push the two factor out to my device twice. I’m not really sure because it’s basically the same product, but I was wondering if anybody else has run into this issue and can provide some insight.

I’ve configured other services this way and it works great. This is the first real weird issue I’ve had. Thank you in advance for advice and ideas.


#2

So if I understand what you’ve described here, when you log into Network Management you get one push, and then you can switch to Security Director without an additional Duo authentication request.

When you are logging back in after getting logged out, are you logging back into Network Management? Is it possible to log into Security Director directly, and if so are you protecting that with Duo as well?

The Duo Authentication Proxy’s debug log can help you figure out if this is one authentication request with two second-factor pushes, or two separate authentications. We have a comprehensive guide to understanding the Authentication Proxy debug output in our knowledge base. I suggest you enable debug logging and examine the logs to see what’s happening.

For example, if in the debug log you see successful primary authentication followed by the Duo request twice, that may mean that your Juniper device isn’t receiving the access accept packet in time. Perhaps there is a timeout setting in Juniper that you can increase.


#3

Thank you for taking the time to detail this out for me. So Security Director is an application built on top of Network Management, so once you are signed in to one, you’re signed in to the other. Basically, once you’re authenticated, you can access both applications. If you log out while you’re in Security Director, you get a different login page as to when you log out when you switch over to the Network Management context.

In the DUO logs, I’m seeing that there are two login requests sent almost simultaneously from the Security Director application to our DUO proxy server. I have a case open with Juniper that they are happily ignoring at the moment, but I will keep pressing for a solution. If I do find out the cause, I will post here.
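An added example, not part of the original thread or of Duo's or Juniper's tooling, of the check discussed in posts #2 and #3: telling a retransmitted RADIUS request (client timeout) apart from two independent authentications. It relies on the RFC 2865 rule that a duplicate request keeps the same client source IP, source UDP port and Identifier; the record format, names and sample values below are constructed and are not the Duo Authentication Proxy's real debug output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a simplified, made-up format (NOT the Duo
# Authentication Proxy's real debug output): time, client ip:port, RADIUS
# packet Identifier, username.
SAMPLE = """\
2017-03-02T10:15:04.120 access-request src=10.0.0.5:41022 id=17 user=alice
2017-03-02T10:15:04.180 access-request src=10.0.0.5:41023 id=18 user=alice
2017-03-02T10:20:00.000 access-request src=10.0.0.5:41030 id=40 user=bob
2017-03-02T10:20:05.000 access-request src=10.0.0.5:41030 id=40 user=bob
2017-03-02T11:00:00.000 access-request src=10.0.0.5:41040 id=51 user=carol
"""

LINE = re.compile(r"(\S+) access-request src=([\d.]+):(\d+) id=(\d+) user=(\S+)")

def parse(text):
    """Yield (timestamp, ip, port, identifier, user) for each request line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, port, ident, user = m.groups()
            yield datetime.fromisoformat(ts), ip, int(port), int(ident), user

def classify_repeats(text, window=timedelta(seconds=30)):
    """Compare each request with the previous one from the same client IP and user.

    Same source port and Identifier: a retransmission of one request, which
    points at a client-side timeout. Different port or Identifier: a second,
    independent authentication, so a second push is expected.
    """
    last = {}
    findings = []
    for ts, ip, port, ident, user in sorted(parse(text)):
        prev = last.get((ip, user))
        if prev and ts - prev[0] <= window:
            kind = ("retransmission" if (port, ident) == prev[1:]
                    else "separate_authentication")
            findings.append((user, kind, (ts - prev[0]).total_seconds()))
        last[(ip, user)] = (ts, port, ident)
    return findings

if __name__ == "__main__":
    for user, kind, gap in classify_repeats(SAMPLE):
        print(f"{user}: {kind} after {gap:.2f}s")
```

A retransmission result suggests raising the RADIUS client timeout; a separate-authentication result means the client application itself is logging in twice.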


#4

I’m interested to hear what Juniper has to say about it!


#5

So, I got Juniper to confirm that they are sending two REST API calls to log you in once the cookie shows you are logged in to their security director product. They said that they MIGHT fix it in their version currently in development (17.1). As of now using the Duo Auth Proxy RADIUS is considered ‘unsupported’.

For now, if we don’t want to accept 2 pushes to our devices (or use my Yubikey or a passcode), I have to use incognito mode in Chrome such that it presents me with the Network Management (or I’ve since learned they refer to it as “Platform”).

Just a note, we’ve been talking to different vendors for these web-based management platforms and they seem surprised that we want to use two factor on their products. But, the way I look at it, if we expect others to use 2FA for their daily workflows, we should use it too.


#6

That’s an interesting response, both from Juniper about the two API calls at auth AND that any vendor would be surprised to hear that a customer wanted to secure admin logins. Thanks for the follow-up!