Strongswan/eap & duoauthproxy & openldap interop?


#1

Hi all,

I’m trying to use duoauthproxy to manage IPSEC/IKEv2 vpns, with no chance so far. I would need some help…

My IPsec gateway is strongswan on debian based OS with the eap-radius plugin enabled.

Could you please tell me if duoauthproxy supports radius AVP stored in EAP (message 79)?
So far, I get no answer to the radius access requests sent by strongswan.
UPDATE : a test with radtest is ok - but the eap-radius plugin of strongswan does not seem to be compatible with duoauthproxy : the radius access-reject reply-message is “Impropely-formatted password”, I guess the authproxy does not decode correctly the access-request. Still working on it.

My primary authenticator is an openldap server:

Is this a working software in this case or am I forced to setup an MS Active Directory instead?
Any specific options I should configure, in the ad_client section of the configuration file I assume?
UPDATE : This point is solved by adding the lines “username_attribute = cn”, “auth_type = plain” & “bind_dn…” in the ad_client section.

Thank you in advance for your support,

Régis


#2

What RADIUS server type configuration did you use in your authproxy.cfg file? There’s a radius_server_eap option, which is documented here, but it does not support all EAP methods (only PEAP-GTC). If you haven’t tried that yet, please do and report back here, or contact Duo Support for more extensive troubleshooting steps.

Thanks for trying Duo!


#3

From the beginning I’ve been using the “radius_server_auto” option : yesterday night, I first tried to setup a freeradius between my strongswan & the duoauthproxy to strip out the eap part (supposed to work with Windows client when using peap/mschapv2). The result is still unsuccessful but I now get an access reject from duoauthproxy with another message “No password” - MS chap error = \000E=691 R=0 V=3.

Then I removed the freeradius from the network configuration, activated the “radius_server_eap” option with the certificate & key and ran a new test. Unfortunately, peap/gtc is not supported on my ipsec clients (Microsoft W10 in native mode, Android or iOS). Any chance to get peap/mschapv2 support implemented in duoauthproxy?

BR


#4

If you contact Duo Support they can add you to the feature request for supporting additional EAP methods on the Authentication Proxy.

The Authentication Proxy supports MS-CHAPv2 authentication ONLY when the upstream authentication server is a RADIUS server (so, radius_client instead of ad_client). Is that an option for you?


#5

Hi,

Good news : radius_client is a working solution for mschapv2. Maybe I’ll get back to DUO to add other eap methods support in the future.

I plan to make a demo using duo beginning of June – would it be possible to extend my trial period a little bit (till June 9 – my account is 2761-8167-42)?

Thanks a lot,

Régis


#6

I’m glad that worked for you!

One of our EU reps will get in touch with you about extending your Duo Access trial through your planned demonstration date.

Thanks again for trying Duo.