We have a working Duo Authentication Proxy acting as a RADIUS server for Meraki VPN, which passes authentication to Active Directory. This works, we have MFA, and everything is good. Now we want to add the ability to set a static IP for specific AD users. I’ve done this with Microsoft NPS, relying on the msRADIUSFramedIPAddress attribute, but is there a configuration option in the Duo Authentication Proxy to either retrieve that attribute for the AD user being authenticated and pass it back, or, instead of authenticating via ad_client, perhaps switch to radius_client and authenticate with Microsoft NPS to achieve the end result?
Yes, you could switch to [radius_client] and point that to NPS, and set one of the RADIUS attribute pass_through_.. optional config settings described in here.
I did switch to [radius_client] and added pass_through_all=true. In my Microsoft NPS log I can see the IP is being sent back to Duo:
"REDACTED-DC","IAS",11/11/2022,19:05:34,1,"dbrown","V1CORP\dbrown","CLIENTVPN","REDACTED-IP",1,0,"10.27.1.3","Duo-proxy",1,2,1,"AnyConnect-MX",0,"311 1 REDACTED-IP 11/11/2022 23:55:43 6","IPSec-MX-Duo",1,
"REDACTED-DC","IAS",11/11/2022,19:05:34,2,"V1CORP\dbrown","10.27.11.50",0,"REDACTED-IP","Duo-proxy",1,2,1,"AnyConnect-MX",0,"311 1 REDACTED-IP 11/11/2022 23:55:43 6","IPSec-MX-Duo",1,
The 10.27.11.50 is the static IP I set in the NPS Network Policy as a test. If I configure Meraki to use my NPS server as the RADIUS server, I can connect and that IP is assigned to the client. If I put the Duo proxy in between, NPS seems to send that IP back to Duo, but Duo does not seem to relay it to my client. I also see this in the Duo authproxy.log:
2022-11-11T19:05:34.641903-0500 [duoauthproxy.lib.log#info] Invalid single ip: CLIENTVPN.
2022-11-11T19:05:34.641903-0500 [duoauthproxy.lib.log#info] User IP not provided. Authorized Networks policies will not work for this authentication.
I don’t know if that log is relevant to the issue at hand, but it stood out.
Hmm, that excerpt from authproxy.log makes it sound like it’s receiving CLIENTVPN as the IP value instead of the actual IP.
If you were to run a packet capture at the Duo proxy (like with Wireshark) and decrypt the contents of the RADIUS packet sent from NPS to the Duo Authentication Proxy, what is in the packet? Some attribute has the actual value of
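As an added example, not part of this thread and not Duo's or Microsoft's code, the following Python decoder walks the attributes of a RADIUS packet the way you would when checking what NPS actually returned to the proxy. In RADIUS (RFC 2865) only User-Password is obfuscated with the shared secret; Framed-IP-Address and the other attributes travel in the clear, so they can be read straight from a capture. The sample Access-Accept is constructed here to resemble the thread's values (user dbrown, static address 10.27.11.50, station id CLIENTVPN) and is not a real capture; its authenticator is a placeholder, not a computed Response Authenticator. The decoder also flags a Framed-IP-Address whose value is not four bytes, which is the kind of mismatch the "Invalid single ip" log line suggests.

```python
import socket
import struct

# Subset of RADIUS attribute types from RFC 2865; type 8 (Framed-IP-Address)
# is the attribute NPS uses to hand a static address back to the NAS.
ATTRIBUTE_NAMES = {
    1: "User-Name",
    8: "Framed-IP-Address",
    25: "Class",
    30: "Called-Station-Id",
    31: "Calling-Station-Id",
    32: "NAS-Identifier",
}
STRING_ATTRIBUTES = {1, 30, 31, 32}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: code(1) id(1) length(2) authenticator(16),
    then type/length/value attributes whose length byte covers type+length."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(
        struct.pack("!BB", attr_type, len(value) + 2) + value
        for attr_type, value in attributes
    )
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + authenticator + body


def decode_value(attr_type, raw):
    """Decode one attribute value by type; a malformed address is flagged
    rather than silently rendered, since a NAS would ignore it."""
    if attr_type == 8:
        if len(raw) != 4:
            return "<invalid: Framed-IP-Address must be 4 bytes, got %r>" % raw
        return socket.inet_ntoa(raw)
    if attr_type in STRING_ATTRIBUTES:
        return raw.decode("utf-8", errors="replace")
    return raw.hex()


def parse_packet(data):
    """Parse a RADIUS packet into its code, id and decoded attributes.
    Length fields are checked so a truncated capture raises instead of
    yielding garbage."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("declared length %d does not fit the data" % length)
    attributes = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, pos))
        raw = data[pos + 2:pos + attr_len]
        name = ATTRIBUTE_NAMES.get(attr_type, "Attr-%d" % attr_type)
        attributes.append((name, decode_value(attr_type, raw)))
        pos += attr_len
    return {
        "code": CODE_NAMES.get(code, "Code-%d" % code),
        "id": identifier,
        "attributes": attributes,
    }


def framed_ip(parsed):
    """Return the Framed-IP-Address the server handed back, or None."""
    for name, value in parsed["attributes"]:
        if name == "Framed-IP-Address":
            return value
    return None


def build_sample_accept():
    """Constructed Access-Accept resembling what NPS would return for the
    user and static address quoted in the thread (not a real capture)."""
    return build_packet(
        code=2,
        identifier=0x2A,
        authenticator=bytes(range(16)),  # placeholder, not a real authenticator
        attributes=[
            (1, b"dbrown"),
            (8, socket.inet_aton("10.27.11.50")),
            (30, b"CLIENTVPN"),
        ],
    )


if __name__ == "__main__":
    parsed = parse_packet(build_sample_accept())
    print(parsed["code"], "id", parsed["id"])
    for name, value in parsed["attributes"]:
        print("  %-20s %s" % (name, value))
    print("Framed-IP-Address ->", framed_ip(parsed))
```

To use it against a real capture, export the UDP payload of the NPS-to-proxy Access-Accept from Wireshark as raw bytes and pass it to parse_packet; if framed_ip returns the expected dotted address, NPS is sending it and the question moves to whether the proxy forwards it, and if it returns the invalid marker or None, the attribute itself is the problem.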