Multiple push attempts when using Duo with LDAP on Brocade FOS switches

Hello Duo Forum,

In our environment, we are moving towards using Duo 2FA for AD authentication via LDAP Linux proxies for our Broadcom (Brocade) FOS switches. We are finally to the point where we are able to make the connection; however, it takes multiple Duo pushes (4 to be exact) until the connection is actually successful. I have looked through the forum to try to find anyone else who has come across this issue. I have found folks who did have similar issues (DUO LDAP Proxy multiple pushes), but the suggested fixes (setting both allow_searches_after_bind and allow_unlimited_binds to true) did not resolve the issues we are seeing on our end.

Hello Chad!

We had the exact same problem with our Brocade FOS devices. We have contacted the DUO Team multiple times, but our final solution was to use RADIUS as the remote authentication service instead of LDAP. Since we are using RADIUS, we are able to log in perfectly with only 1 push.

Hope this helps you.
István Kokics

@Chad_Harris,

How familiar are you with the LDAP authentication sequence performed by the Brocade device? Those options you mentioned only have an effect if the authentication sequence includes specific operations.

The allow_searches_after_bind option permits the authenticating device to bind once and then perform multiple LDAP directory searches through the Duo proxy without binding again. When that option is not enabled (the default), the Duo proxy expects each LDAP search to be preceded by a new LDAP bind. If your device is not attempting to perform multiple searches with one bind then this would not help.

Enabling the allow_unlimited_binds option means that the Duo proxy will not require a new LDAP bind to occur in a new LDAP connection after completion of a 2FA request.

Do you know if the Brocade is either trying to perform multiple LDAP searches with one LDAP bind, or if it is trying to perform multiple LDAP binds after 2FA completion in one connection? You can look at the Duo authentication proxy debug output to follow the LDAP sequence. This article describes enabling debug output, and this article is an in-depth guide to interpreting the proxy debug output. You would want to focus on LDAPBindRequest and LDAPSearchRequest operations.

Or, you could try RADIUS instead as @ikokics suggests. Note that it isn’t possible to pass LDAP attributes (like group membership) back to the device when using Duo RADIUS 2FA with LDAP as primary auth.
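To make the diagnostic in the reply above concrete, here is an added example script (not from this thread and not part of Duo's own tooling) that groups LDAPBindRequest and LDAPSearchRequest operations by connection and maps the observed pattern to the two proxy options discussed: several searches after one bind points at allow_searches_after_bind, a second bind on the same connection points at allow_unlimited_binds, and one bind per connection means neither option can consolidate anything. The log lines are constructed, the `conn=N` prefix is my own simplification of the real debug output (which carries a timestamp and a connection tag instead), and the function names are assumptions; only LINE_RE needs changing to read real proxy debug lines.

```python
import re
from collections import OrderedDict

# Constructed sample logs (NOT real Duo Authentication Proxy debug output).
# Real debug lines start with a timestamp and a "[DuoForwardServer ...]"
# connection tag; adapt LINE_RE to capture that connection id instead.
SAMPLE_INDEPENDENT_BINDS = """\
conn=1 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=1 LDAPBindResponse resultCode=success
conn=1 LDAPSearchRequest baseObject=DC=example,DC=com filter=(sAMAccountName=jdoe)
conn=1 LDAPSearchResultDone
conn=2 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=2 LDAPSearchRequest baseObject=DC=example,DC=com filter=(member=jdoe)
conn=3 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=3 LDAPSearchRequest baseObject=DC=example,DC=com filter=(objectClass=group)
conn=4 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=4 LDAPSearchRequest baseObject=DC=example,DC=com filter=(cn=fos-admins)
"""

SAMPLE_SEARCHES_AFTER_ONE_BIND = """\
conn=7 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=7 LDAPSearchRequest baseObject=DC=example,DC=com filter=(sAMAccountName=jdoe)
conn=7 LDAPSearchRequest baseObject=DC=example,DC=com filter=(member=jdoe)
conn=7 LDAPSearchRequest baseObject=DC=example,DC=com filter=(objectClass=group)
"""

SAMPLE_REBIND_SAME_CONNECTION = """\
conn=9 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=9 LDAPSearchRequest baseObject=DC=example,DC=com filter=(sAMAccountName=jdoe)
conn=9 LDAPBindRequest dn=CN=jdoe,OU=Users,DC=example,DC=com
conn=9 LDAPSearchRequest baseObject=DC=example,DC=com filter=(member=jdoe)
"""

# Matches the constructed format above; this is the only line to adapt for real logs.
LINE_RE = re.compile(r"conn=(?P<conn>\d+)\s+(?P<op>LDAPBindRequest|LDAPSearchRequest)\b")


def parse_sequence(log_text):
    """Group bind/search requests by connection, in order of appearance.

    Returns {conn_id: ["LDAPBindRequest", "LDAPSearchRequest", ...]}.
    Responses, TLS chatter and anything else not matching LINE_RE are skipped.
    """
    seq = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seq.setdefault(int(m.group("conn")), []).append(m.group("op"))
    return seq


def _searches_per_bind(ops):
    """Count how many searches follow each bind on one connection."""
    counts = []
    for op in ops:
        if op == "LDAPBindRequest":
            counts.append(0)
        elif counts:  # a search before any bind would be anonymous; not counted
            counts[-1] += 1
    return counts


def classify(seq):
    """Map the observed LDAP pattern to the proxy option that could apply.

    - more than one search after a single bind -> allow_searches_after_bind
      (by default the proxy expects a fresh bind before each search)
    - more than one bind on the same connection -> allow_unlimited_binds
      (by default a new bind after 2FA must come on a new connection)
    - one bind per connection -> nothing to consolidate on the proxy; every
      bind is its own 2FA request, which is the Brocade behaviour in this thread.
    """
    options = set()
    bind_requests = 0
    for ops in seq.values():
        per_bind = _searches_per_bind(ops)
        bind_requests += len(per_bind)
        if any(n > 1 for n in per_bind):
            options.add("allow_searches_after_bind")
        if len(per_bind) > 1:
            options.add("allow_unlimited_binds")
    return {
        "connections": len(seq),
        "bind_requests": bind_requests,
        "options": sorted(options),
        "consolidatable": bool(options),
    }


def analyze(log_text):
    """Parse a debug log excerpt and return the classification dict."""
    return classify(parse_sequence(log_text))


if __name__ == "__main__":
    for name, sample in [
        ("independent binds (Brocade case)", SAMPLE_INDEPENDENT_BINDS),
        ("searches after one bind", SAMPLE_SEARCHES_AFTER_ONE_BIND),
        ("rebind on same connection", SAMPLE_REBIND_SAME_CONNECTION),
    ]:
        print(name, "->", analyze(sample))
```

Run it as a script to see all three verdicts. Against a real capture, enable debug output in authproxy.cfg as the linked article describes, paste the relevant lines into a file, and feed its contents to analyze() after adjusting LINE_RE; a result with four connections, four bind requests and an empty options list is exactly the "four independent binds" outcome the thread ends on, and no proxy setting will turn it into one push.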

FYI: We already tried to solve this problem with the support of the DUO team.
Here is the write-up by the Duo tech, Ray, who assisted us (Duo ticket #00281597).

From our conversation, we were able to confirm that the Brocade storage device was relaying 4 separate authentications when a user was attempting to log in. This resulted in 4 push notifications. Currently, Brocade is not able to reduce the number of authentications, as each authentication is sent to retrieve LDAP attributes from AD. This led you to look into any options for consolidating the authentications into 1 authentication in the Duo Authentication Proxy. Currently, this is not available in the Duo Authentication Proxy. I will be relaying that this is a risk, since you require a Duo second factor, and that it is considered high priority for IBM.

The device makes 4 totally independent LDAP bind/search operations.

Ah, thanks. That’s unfortunate that the device insists on four independent binds.