Unifi USG L2TP VPN with DUO 2FA setup - Need help

Protecting Applications
#1

I am struggling on setting up DUO 2FA on the L2TP VPN with DUO proxy on Windows server. The settings between Unifi and Windows DUO proxy is pretty straight forward. I have experience in setting DUO using Cisco ASA <> Windows but I was unable to make it happen on Unifi. Anyone has experience on this? I’ve seen this post: https://community.ui.com/questions/Duo-Security-Proxy-for-Windows-works-on-Unifi-a-few-notes/ceb6c9bb-73f4-4a38-83f3-c604323bfdbd

and somehow I got error every time when I connecting to VPN.

The error in the DUO authproxy.log:

2020-05-23 16_26_16
2020-05-23 16_26_161238×50 5.13 KB

2020-05-23 16_26_16
2020-05-23 16_26_161238×50 5.13 KB

Any help would be appreciated. Thanks

#2

I too experienced the same error, but have partial workaround. I have yet to resolve completely, but my theory is how the USG is formatting the RADIUS packet across to the Duo Authentication Proxy (DAP). The authentication string is not being recognized by DAP. I tried with MS-CHAPv2 on and off, I tried with allow_concat=false, and pass_through_all=true, without any change in behavior.

I do have a partial workaround, but must use the USG RADIUS server for the first authentication factor. Good news - I get MFA; Bad news - I can’t use LDAP authentication (yet… , but going to keep trying).

Here is a snippet from my authproxy.cfg file:
[radius_client1]
; IP address of my USG
host=172.31.0.1
; RADIUS Secret from Unifi Controller in section Gateway > RADIUS > SERVER > Secret. This allows DAP to connect to RADIUS on the USG.
secret_protected=

image
image995×229 8.93 KB

[radius_server_auto3]
client=radius_client1
; Duo.com Application ‘Type: RADIUS’
ikey=*
skey_protected=*
api_host=*
; IP address of Unifi USG interface. This allows the L2TP requests to come from this IP address.
radius_ip_2=172.31.0.1
; RADIUS Secret from Unifi Controller in section Configuration Profiles > RADIUS > Create New RADIUS Profile. This allows the L2TP VPN request to be sent to the DAP server.
radius_secret_protected_2=
factors=auto
failmode=secure
;Need to set a unique port from my other sections. This must match the RADIUS Server profile in screenshot below.
port=1816

image
image985×267 4.91 KB

This RADIUS Server, is then bound to the L2TP User VPN configuration on the Unifi Controller under VPN > VPN Servers > Type L2TP.

image
image703×211 3.53 KB

Here is what happens:

  1. I establish L2TP VPN to USG providing credentials within USG RADIUS Server.
  2. USG gets the connection request, forwards RADIUS authentication to the DAP.
  3. The DAP receives the authentication, then forwards primary authentication back to the USG RADIUS server.
  4. Primary authentication passes, and the DAP proceeds with Duo secondary authentication using push, SMS, etc.
  5. Connection established!

It works only because the DAP doesn’t need to interpret the RADIUS authentication string from the USG, instead it simply passes it through back to the USG RADIUS server.

It isn’t exactly what we are looking for, but it does allow Duo MFA with my Unifi USG.