NPS says user is approved, but Duo proxy keeps saying "challenge"

wingphil
Level 1

Hi all,

I am trying to use Duo to add 2FA to our wifi access. I have two Cisco WAP121s set up with NPS, and it works without Duo in the mix. Authentication type is PEAP with EAP-MSCHAPv2.

When I add the Duo proxy in between, I get messages in the NPS event log saying “Network Policy Server granted access to a user” - but the Duo proxy thinks NPS is returning a challenge. Duo then sends the challenge back to the AP, gets a valid response back, forwards it back to NPS - and then thinks it is receiving another challenge (nothing appears in the NPS log for this second request).

Things then get stuck in a loop for perhaps 5-15 iterations before the NPS server does something different, and the loop ends with a reject. Remember only one entry appears in the NPS server event log for all of this, apparently granting access to the user.

Below is a representative section from the Duo auth proxy log. You can see things get stuck in a loop for 10 iterations here.

Anyone got any clue what could be happening here?

Thanks,

Phil

2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 28 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 28): login attempt for username u’’
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 28 to (’’, 1810) with id 69
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 69 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 28): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 28): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 29 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 29): Valid response to challenge issued at id 28
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 29 to (’’, 1810) with id 113
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 113 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 29): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 29): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 30 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 30): Valid response to challenge issued at id 29
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 30 to (’’, 1810) with id 132
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 132 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 30): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 30): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 31 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 31): Valid response to challenge issued at id 30
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 31 to (’’, 1810) with id 220
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 220 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 31): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 31): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 32 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 32): Valid response to challenge issued at id 31
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 32 to (’’, 1810) with id 22
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 22 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 32): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 32): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 33 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 33): Valid response to challenge issued at id 32
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 33 to (’’, 1810) with id 28
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 28 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 33): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 33): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 34 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 34): Valid response to challenge issued at id 33
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 34 to (’’, 1810) with id 58
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 58 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 34): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 34): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 35 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 35): Valid response to challenge issued at id 34
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 35 to (’’, 1810) with id 130
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 130 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 35): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 35): Sending response
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Received new request id 36 from (’’, 32773)
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] ((’’, 32773), 36): Valid response to challenge issued at id 35
2018-09-10T09:50:39+0100 [DuoForwardServer (UDP)] Sending proxied request for id 36 to (’’, 1810) with id 63
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] Got response for id 63 from (’’, 1810); code 11
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 36): Returning response code 11: AccessChallenge
2018-09-10T09:50:39+0100 [RadiusClient (UDP)] ((’’, 32773), 36): Sending response
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] Received new request id 37 from (’’, 32773)
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] ((’’, 32773), 37): Valid response to challenge issued at id 36
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] Sending proxied request for id 37 to (’’, 1810) with id 201
2018-09-10T09:50:40+0100 [RadiusClient (UDP)] Got response for id 201 from (’’, 1810); code 11
2018-09-10T09:50:40+0100 [RadiusClient (UDP)] ((’’, 32773), 37): Returning response code 11: AccessChallenge
2018-09-10T09:50:40+0100 [RadiusClient (UDP)] ((’’, 32773), 37): Sending response
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] Sending request from to radius_server_auto1
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] Received new request id 38 from (’’, 32773)
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] ((’’, 32773), 38): Valid response to challenge issued at id 37
2018-09-10T09:50:40+0100 [DuoForwardServer (UDP)] Sending proxied request for id 38 to (’’, 1810) with id 155
2018-09-10T09:50:40+0100 [RadiusClient (UDP)] Got response for id 155 from (’’, 1810); code 2
2018-09-10T09:50:40+0100 [RadiusClient (UDP)] http POST to https://api-.duosecurity.com:443/rest/v1/preauth
2018-09-10T09:50:40+0100 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://api-.duosecurity.com:443/rest/v1/preauth>
2018-09-10T09:50:40+0100 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((’’, 32773), 38): Got preauth result for: u’enroll’
2018-09-10T09:50:40+0100 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((’’, 32773), 38): Returning response code 3: AccessReject
2018-09-10T09:50:40+0100 [HTTPPageGetter (TLSMemoryBIOProtocol),client] ((’’, 32773), 38): Sending response
2018-09-10T09:50:40+0100 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://api-.duosecurity.com:443/rest/v1/preauth>
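
An added example, not part of the original post and not Duo's own code: a Python summary of an Authentication Proxy log in the line format shown above. It separates what the primary RADIUS server answered (`Got response ... code N`) from what the proxy returned to the access point and from the Duo preauth result. The sample lines, the documentation-range addresses and the function names are constructed for illustration; the code numbers are the RADIUS packet codes from RFC 2865.

```python
import re

# RADIUS packet codes (RFC 2865) that appear in the proxy log.
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

UPSTREAM = re.compile(r"Got response for id \d+ from .*; code (\d+)")
RETURNED = re.compile(r"\), \d+\): Returning response code (\d+)")
PREAUTH = re.compile(r"Got preauth result for: u?['’]([^'’]*)['’]")

# Constructed sample in the same line format as the log above (addresses are
# documentation-range placeholders): two challenge rounds, then an accept.
SAMPLE = """\
2018-01-01T00:00:00+0000 [RadiusClient (UDP)] Got response for id 70 from ('192.0.2.20', 1810); code 11
2018-01-01T00:00:00+0000 [RadiusClient (UDP)] (('192.0.2.10', 32773), 1): Returning response code 11: AccessChallenge
2018-01-01T00:00:00+0000 [RadiusClient (UDP)] Got response for id 71 from ('192.0.2.20', 1810); code 11
2018-01-01T00:00:00+0000 [RadiusClient (UDP)] (('192.0.2.10', 32773), 2): Returning response code 11: AccessChallenge
2018-01-01T00:00:01+0000 [RadiusClient (UDP)] Got response for id 72 from ('192.0.2.20', 1810); code 2
2018-01-01T00:00:01+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('192.0.2.10', 32773), 3): Got preauth result for: u'enroll'
2018-01-01T00:00:01+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('192.0.2.10', 32773), 3): Returning response code 3: AccessReject
"""

def summarize(log_text):
    """Collapse one authentication attempt into who decided what."""
    s = {"challenge_rounds": 0, "primary_result": None,
         "preauth": None, "client_result": None}
    for line in log_text.splitlines():
        if m := RETURNED.search(line):        # what the proxy sent to the AP
            code = int(m.group(1))
            if code == 11:
                s["challenge_rounds"] += 1
            else:
                s["client_result"] = CODES.get(code, str(code))
        elif m := UPSTREAM.search(line):      # what the primary server answered
            code = int(m.group(1))
            if code != 11:
                s["primary_result"] = CODES.get(code, str(code))
        elif m := PREAUTH.search(line):       # Duo preauth API verdict
            s["preauth"] = m.group(1)
    return s

def reject_source(s):
    """Name the stage that produced a reject, or None if not rejected."""
    if s["client_result"] != "Access-Reject":
        return None
    return "secondary" if s["primary_result"] == "Access-Accept" else "primary"

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(summary, reject_source(summary))
```

In the log posted above, the same three fields correspond to the lines ending `code 2`, `Got preauth result for: u’enroll’` and `Returning response code 3: AccessReject`.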

1 Reply 1

mkorovesisduo
Level 4

Hi Phil, please contact Duo Support for assistance with your issue.
