Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
155
Views
0
Helpful
3
Replies

Authentication Proxy Radius not working

robertomcstabby
Level 1
Level 1

‎04-12-2024 12:26 AM - edited ‎04-12-2024 01:32 AM

Hi there

I've done everything as described here -> https://duo.com/docs/paloalto

But whenever I try this on my linux server -> sudo /opt/duoauthproxy/bin/authproxy_connectivity_tool

I see this -> 

-----------------------------
[info] SUMMARY
[info]
[info] Section [radius_client]
[warn] We cannot confirm that the Auth Proxy was able to establish a RADIUS connection to 1.1.1.1:1812. In the case of an actual failure this may be due to a misconfigured secret or network issues. This may also happen if the upstream RADIUS Server does not support the Status-Server message
[info]

1.1.1.1 being it's own IP of course being obfuscated.

I thought at first maybe the radius server that comes with the authentication proxy is busted, but whenever I try to setup a new one it even says that the port 1812 is already in use.

The logs don't really show anything more than the output I've pasted here, anyone got an idea?

How can I even start/config/stop that radius?

EDIT: Also a tcpdump on both the palo and the auth proxy don't show any port 1812 traffic whatsoever, which is weird I guess?


Regards
Roberto 

Labels:
0 Helpful
3 Replies 3

Pulkit Mittal
Level 1
Level 1

‎04-12-2024 04:21 AM

If NPS is listening for incoming requests on port 1812, then the Duo proxy must use a different port. To configure the Duo Authentication Proxy to work with the application when the Authentication Proxy is colocated with the NPS, create a [radius_server_auto] section in the Proxy configuration file.

Even if you are unable to find where 1812 is used, just use a different port in the config as mentioned in below example.

An example configuration file that uses RADIUS could look like this:
[radius_client]
host=192.168.4.19
secret=password
pass_through_all=true

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
radius_ip_1=192.168.X.XX
radius_secret_1=password
client=radius_client
port=18120
failmode=safe
pass_through_all=true

In the [radius_server_auto] section, note that the port value is set to 18120 to account for the Authentication Proxy and the NPS being installed on the same server.

You can find the kb article here.

If you find this useful, please mark it helpful and accept the solution.

0 Helpful

robertomcstabby
Level 1
Level 1

‎04-13-2024 02:26 AM - edited ‎04-13-2024 03:54 AM

Hi there

Thanks for the answer, I've did as you suggested, but sadly it's still not working. Nor do I see any traffic for the Port 1812 or the new port I chose.

EDIT: But I think what's missing here is the actual Radius config of that said radius server that should come with the auth proxy, where would I config that?

 

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee

‎04-15-2024 07:25 AM

Hi @robertomcstabby ! Sorry you're having issues.

The Duo Authentication Proxy is intended to sit in-between the authenticating device (Palo Alto?) and your primary authentication server.

Before: Palo Alto ----> An LDAP/AD or RADIUS server

After: Palo Alto ------> Duo Authentication Proxy ------> An LDAP/AD or RADIUS server

What was your Palo Alto pointing to before for primary authentication? Whatever that was, you need to add a radius_client or ad_client section to your authproxy.cfg which points to the primary authentication source. You then configure the Palo Alto to point to the Authentication Proxy so that it sends authentication requests there.

Then when you log into the Palo Alto GP profile, the PA device forwards the request to your Duo proxy, which in turn forwards the username and password to the primary authentication source AD/LDAP or RADIUS, and then after that succeeds it contacts Duo for 2FA before returning success/allow back to the PA device.

Configuring the radius_client or ad_client part of the config is addressed by the steps in the "Configure the Proxy for Your Primary Authenticator" section of https://duo.com/docs/paloalto. When you say "the actual Radius config of that said radius server that should come with the auth proxy" I think you mean "configure how the Duo proxy listens for RADIUS requests from the Palo Alto", which is addressed in the steps in the "Configure the Proxy for Your Palo Alto GlobalProtect" section of that page.

Regarding the output from the connectivity tool: some RADIUS server types just flat-out don't support the Status-Server message. Like, Microsoft NPS doesn't, so when radius_client points to an NPS server that test always fails. If you do know that your upstream RADIUS server does support the Status-Server message though (I think FreeRADIUS does), it does indicate some connectivity problem.

"Also a tcpdump on both the palo and the auth proxy don't show any port 1812 traffic whatsoever" I'm assuming you take this capture WHILE you are attempting to log in at the Palo Alto device?

  • If you see no outbound packet go from the Palo Alto to the Duo Authentication Proxy when you try to log in then there is something wrong with the config on your Palo device.
  • If you see an outbound packet leave the Palo but it isn't received at the Duo proxy server, then you may have a networking or firewall issue between the two.
  • If you see an outbound packet leave the Palo and it's received at the Duo proxy server, but there is no record of the incoming access request in the authproxy.log, then it could be the port issue you mentioned (that some other service is already using the port that you are trying to have the Duo Authentication Proxy use for inbound auth).

If you installed the Duo Authentication Proxy on the same server that is your primary RADIUS server (like, you installed it on a FreeRADIUS server), then your existing RADIUS server has likely already claimed port 1812 for its use and that is why the Duo Authentication Proxy would say it can't use 1812. That is the scenario where you would change the port used by the radius_server_nnn section to something else, like 18120, so that the Duo proxy listens for incoming RADIUS requests on a port other than 1812, and then can forward the primary authentication requests to the RADIUS server that is already listening on port 1812. You also need to update the Palo config to send the outbound RADIUS request on port 18120 instead of port 1812.

So, end-to-end if you have the Duo Authentication Proxy installed on the same server that is your primary RADIUS server and the primary RADIUS server listens on port 1812, the communication between all three can wind up being:

Palo Alto  ---[RADIUS port 18120]---> Duo Authentication Proxy ---[RADIUS port 1812]---> RADIUS server on localhost

Hope that helps!

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents