KEMP LoadMaster (load balancer) and DUO Auth Pxy


#1

Anyone have experience in successfully implementing the Duo Security Authentication Proxy behind a KEMP LoadMaster (load balancer) appliance array ?

We are attempting to move from proof-of-concept to production deployment that will include HA for the auth pxy service. All the pieces are in place for the HA and each of the HA hosts can individually accept connections and complete the MFA authentication requests. However, the VIP connection does not work on our Kemp LoadMaster 3600 array, and the VIP settings options were changed in an attempt to resolve this, without success.

This support document was followed >> https://help.duo.com/s/article/authentication-proxy-availability?language=en_US


#2

Is it the inbound auth request to the IP address assigned to the virtual service in front of the Authentication Proxy servers that isn’t working, or the connection from the Kemp virtual server to the Authentication proxy “real servers”?

Looking at https://support.kemptechnologies.com/hc/en-us/articles/203861485-Virtual-Services-and-Templates it seems like you’d create a virtual service VIP for your incoming authentication (you didn’t mention if you’re setting up Duo for RADIUS or LDAP, but specify the same port used for your incoming auth requests, e.g. RADIUS 1812, etc.), and be sure, when you create this, to use IP or Active Cookie persistence.

Next add a real server entry for each of your Duo Authentication Proxy servers, again using whatever port you configured for your authentication requests.


#3

Our KEMP analyst has made small changes for the VIP from TCP to UDP. We are now seeing some improvement in this issue. We are now getting the mobile device app Approve / Deny push request, but the Approve answer does not look like it gets sent back to complete the authentication, and eventually the connection fails. Some clarity on how the Duo Pxy Auth requests get passed around between on-prem servers and the DUO cloud would be helpful.


#4

From https://duo.com/docs/radius#network-diagram

Sounds like you’re stuck at step #6. If you enable debug logging on your Authentication Proxy servers and examine the output, do you never receive a response back after the POST to your Duo API host? Does your firewall permit inbound connectivity from duosecurity.com (or at least from your API hostname api-xxxxxxxx.duosecurity…)?

This is heading beyond the scope of a community post, so I suggest you contact Duo Support or your SE/SE team for assistance. That way we can review your debug logs with you, check our server-side logs, and perform other in-depth troubleshooting steps.
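As an added example (not code from any poster in this thread or from Duo/Kemp), a small Python probe that exercises the UDP virtual service end to end the way a RADIUS client would: it builds an RFC 2865 Access-Request with a hidden PAP password, sends it through the VIP, and verifies the Response Authenticator of whatever comes back against the shared secret, so a reply that arrives but fails verification (a real server configured with a different secret) is distinguished from no reply at all, the symptom above. The VIP address, port, username, password and secret are assumptions you supply from your own Authentication Proxy RADIUS configuration.

```python
import hashlib
import hmac
import os
import socket
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def build_access_request(user: str, password: str, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Access-Request (code 1) with User-Name (type 1) and hidden User-Password (type 2)."""
    name = user.encode()
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name
    hidden = hide_password(password.encode(), secret, request_auth)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was signed with our secret over our Request Authenticator."""
    if len(resp) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length < 20 or length > len(resp):
        return False
    expected = response_authenticator(code, ident, resp[20:length], request_auth, secret)
    return hmac.compare_digest(expected, resp[4:20])

def probe_vip(host: str, port: int, secret: bytes, user: str, password: str, timeout: float = 90.0):
    """One UDP Access-Request via the VIP -> (reply code, authenticator ok), or None if nothing comes back."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)  # fresh ID and Request Authenticator per probe
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # generous: a Duo push waits for the user to tap Approve
        sock.sendto(build_access_request(user, password, secret, ident, request_auth), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # the symptom in this thread: request goes out, no Access-Accept returns
    # a reply whose ID does not match ours belongs to another request; treat it as no answer
    return (reply[0], verify_response(reply, request_auth, secret)) if reply[1:2] == bytes([ident]) else None
```

Reply code 2 is Access-Accept and 3 is Access-Reject; a reply whose authenticator check is False means a proxy behind the VIP answered with a secret that does not match the one you gave the probe.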