Netscaler Auto Push / RFWebUI Theme

#1

Hi,

I’ve got the basics of Duo MFA working, but would like the following modifications.

  1. Automatic push (without the inline page), as per Push as default on Netscaler?.
  2. Use the RFWebUI theme, as per https://help.duo.com/s/article/3755?language=en_US.

Both of the above are supposedly achievable via the same method, by removing the [radius_server_iframe] section from the config files. In my case, since I’m using Duo as secondary authentication, the config file should look like below.

[duo_only_client]
 
[radius_server_duo_only]
ikey=xxx
skey=xxx
api_host=xxx
failmode=safe
radius_ip_1=192.168.190.10
radius_secret_1=xxx
port=1812

But if I do this, authentication starts failing (regardless of which Netscaler Theme I use). Log extract below.

2019-05-11T13:24:58+1200 Duo Security Authentication Proxy 3.0.0 - Init Complete
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] Sending request from 192.168.190.10 to radius_server_duo_only
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] Received new request id 38 from (‘192.168.190.10’, 36188)
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] ((‘192.168.190.10’, 36188), 38): login attempt for username u’gregor.blaj’
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] http POST to https://■■■■:443/rest/v1/preauth
2019-05-11T13:26:00+1200 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2019-05-11T13:26:01+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Got preauth result for: u’auth’
2019-05-11T13:26:01+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] Invalid ip. Ip was None
2019-05-11T13:26:01+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■:443/rest/v1/auth
2019-05-11T13:26:01+1200 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/auth>
2019-05-11T13:26:01+1200 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2019-05-11T13:26:02+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Duo authentication returned ‘deny’: ‘Incorrect passcode. Please try again.’
2019-05-11T13:26:02+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Returning response code 3: AccessReject
2019-05-11T13:26:02+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Sending response
2019-05-11T13:26:02+1200 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/auth>

Although this log points to ‘Incorrect passcode’, this isn’t right, as the passcode works if I don’t remove the [radius_server_iframe] section.

Any help appreciated.

#2

It’s hard to tell what is happening from the client side if it wasn’t in fact an invalid passcode being submitted. I recommend you open a case with Duo Support for 1:1 troubleshooting. The support engineer can examine the events on the service side for additional information.