Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1071
Views
0
Helpful
1
Replies

Netscaler Auto Push / RFWebUI Theme

bgre033
Level 1
Level 1

‎05-15-2019 01:36 PM

Hi,

I’ve got the basics of Duo MFA working, but would like the following modifications.

  1. Automatic push (without the inline page), as per Push as default on Netscaler?.
  2. Use the RFWebUI theme, as per https://help.duo.com/s/article/3755?language=en_US.

Both of the above are supposedly achievable via the same method, by removing the [radius_server_iframe] section from the config files. In my case, since I’m using Duo as secondary authentication, the config file should look like below.

[duo_only_client]
 
[radius_server_duo_only]
ikey=xxx
skey=xxx
api_host=xxx
failmode=safe
radius_ip_1=192.168.190.10
radius_secret_1=xxx
port=1812

But if I do this, authentication starts failing (regardless of which Netscaler Theme I use). Log extract below.

2019-05-11T13:24:58+1200 Duo Security Authentication Proxy 3.0.0 - Init Complete
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] Sending request from 192.168.190.10 to radius_server_duo_only
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] Received new request id 38 from (‘192.168.190.10’, 36188)
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] ((‘192.168.190.10’, 36188), 38): login attempt for username u’gregor.blaj’
2019-05-11T13:26:00+1200 [DuoForwardServer (UDP)] http POST to https://■■■■:443/rest/v1/preauth
2019-05-11T13:26:00+1200 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2019-05-11T13:26:01+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Got preauth result for: u’auth’
2019-05-11T13:26:01+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] Invalid ip. Ip was None
2019-05-11T13:26:01+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■:443/rest/v1/auth
2019-05-11T13:26:01+1200 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/auth>
2019-05-11T13:26:01+1200 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2019-05-11T13:26:02+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Duo authentication returned ‘deny’: ‘Incorrect passcode. Please try again.’
2019-05-11T13:26:02+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Returning response code 3: AccessReject
2019-05-11T13:26:02+1200 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((‘192.168.190.10’, 36188), 38): Sending response
2019-05-11T13:26:02+1200 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/auth>

Although this log points to ‘Incorrect passcode’, this isn’t right, as the passcode works if I don’t remove the [radius_server_iframe] section.

Any help appreciated.

0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎05-22-2019 02:53 PM

It’s hard to tell what is happening from the client side if it wasn’t in fact an invalid passcode being submitted. I recommend you open a case with Duo Support for 1:1 troubleshooting. The support engineer can examine the events on the service side for additional information.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents