NPS + Duo Auth Proxy - response packet has invalid authenticator

aaroncarson · ‎07-10-2021

Hey folks - hope you’re all keeping well!

Just following through this guide to get Unifi VPN + Duo Authentication Proxy set up together, and my EdgeRouter X is happily sending RADIUS requests to DAP, but DAP is not liking the response from Windows Server 2019’s Network Policy Server.

Any ideas?

2021-07-10T16:09:19.650974+0000 [duoauthproxy.lib.log#info] Packet dump - received from 10.0.0.11:
2021-07-10T16:09:19.651204+0000 [duoauthproxy.lib.log#info] <gubbins that I expect should not be public>
2021-07-10T16:09:19.651490+0000 [duoauthproxy.lib.log#info] dropping packet from 10.0.0.11:1812 - response packet has invalid authenticator
2021-07-10T16:09:21.650664+0000 [duoauthproxy.lib.log#info] Request timeout for (outgoing) id 111. Hosts tried {('10.0.0.11', 1812)}
2021-07-10T16:09:21.651341+0000 [duoauthproxy.lib.log#info] (('10.0.0.1', 37393),aaroncarson, 90): Error performing primary authentication: RADIUS auth request timed out

Amy2 · ‎07-12-2021

Hey @aaroncarson and welcome to the Duo Community! So far, I’m not finding anything that would help you based on the info you have provided here. For the fastest assistance with this issue, I recommend contacting our Duo Support team to open a case. You’ll want to enable debugging logs on the Duo Authentication Proxy if you have not already done so and include the file output in your support request. You could also use this guide to try to interpret the Auth Proxy debug logs yourself.

aaroncarson · ‎07-12-2021

Hey, thanks so much for searching for me.

I’ve enabled debug logging but I don’t seem to get anywhere near as much information as I’d expect

I will log a support case - wasn’t sure if it was an option for Duo free accounts hence coming here.

Thank you so much!