08-23-2018 06:25 AM
Hello!
I need your help to successfully implement the DUO Proxy in our environment.
The problem:
We configured our switches to authenticate with our Active Directory. That works great.
And now we want to implement 2FA with DUO Proxy.
We installed DUO Authenticator Proxy on one of our Windows servers.
We configured everything, but it still doesn't seem to work.
Our authproxy.conf looks like this:
[main]
debug=true
test_connectivity_on_startup=true
[ad_client]
host=1.2.3.4
service_account_username=********
service_account_password=********
search_dn=OU=XX,OU=YY,DC=AA,DC=BB,DC=CC
transport=clear
[ldap_server_auto]
client=ad_client
ikey=***************
skey=***************
api_host=***************
Output of the authproxy_connectivity_tool:
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] Testing section 'main' with configuration:
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] {'debug': 'True', 'test_connectivity_on_startup': 'true'}
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] There are no connectivity problems with the section.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] -----------------------------
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] Testing section 'ad_client' with configuration:
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] {'debug': 'True',
'host': '1.2.3.4',
'search_dn': 'OU=XX,OU=YY,DC=AA,DC=BB,DC=CC',
'service_account_password': '*****',
'service_account_username': '*********',
'transport': 'clear'}
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The LDAP Client section has no connectivity issues.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] -----------------------------
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] Testing section 'ldap_server_auto' with configuration:
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] {'■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■',
'client': 'ad_client',
'debug': 'True',
'ikey': '*********',
'skey': '*****[40]'}
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#warn] The LDAP Server has connectivity problems.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The Auth Proxy was able to ping Duo at ■■■■■■■■■■■■■■■■■■■■■■■■■■■■ with a latency of 1409.80298783 milliseconds.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#error] The time drift between the Auth Proxy host and Duo is excessively high, at 1535026603.51 seconds. This could interfere with user authorizations. Ensure the Auth Proxy host's time is correct, for instance by enabling NTP.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The Auth Proxy was able to validate the provided API credentials.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The Connectivity Tool did not run the listen tcp check because the actual Authentication Proxy is using that port. If you need this test to run stop the Auth Proxy and try again.
2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] -----------------------------
And the authproxy.log:
##################
##Initialization##
##################
2018-08-23T12:52:46+0100 [-] Duo AutoLdapServerFactory starting on 389
2018-08-23T12:52:46+0100 [duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServer Factory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.■■■■■■■■■■■■■■■■■■■■tory instance at 0x025340D0>
2018-08-23T12:52:46+0100 [-] Main Configuration:
2018-08-23T12:52:46+0100 [-] {'debug': 'True', 'test_connectivity_on_startup': 'true'}
2018-08-23T12:52:46+0100 [-] AD Client Module Configuration:
2018-08-23T12:52:46+0100 [-] {'debug': 'True',
'host': '1.2.3.4',
'search_dn': 'OU=XX,OU=YY,DC=AA,DC=BB,DC=CC',
'service_account_password': '*****',
'service_account_username': '*********',
'transport': 'clear'}
2018-08-23T12:52:46+0100 [-] LDAP Automatic Factor Server Module Configuration:
2018-08-23T12:52:46+0100 [-] {'■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■',
'client': 'ad_client',
'debug': 'True',
'ikey': '*********',
'skey': '*****[40]'}
2018-08-23T12:52:46+0100 [-] SSL disabled. No server key and certificate configured.
2018-08-23T12:52:46+0100 [-] Duo Security Authentication Proxy 2.9.0 - Init Complete
#######################################################################################################################################
##Every time I want to connect to my device with ssh I got an error like this and a "Permission Denied" message on the device itself.##
#######################################################################################################################################
2018-08-23T12:53:15+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0252BD90>
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=1L, value=LDAPExtendedRequest(value=[]))
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] Unhandled Error
Traceback (most recent call last):
File "twisted\internet\tcp.pyc", line 215, in _dataReceived
File "ldaptor\protocols\ldap\ldapserver.pyc", line 52, in dataReceived
File "duoauthproxy\modules\ldap_server_auto.pyc", line 127, in handle
File "ldaptor\protocols\ldap\ldapserver.pyc", line 131, in handle
--- <exception caught here> ---
File "twisted\internet\defer.pyc", line 150, in maybeDeferred
File "duoauthproxy\lib\ldap\proxy.pyc", line 237, in handle_LDAPExtendedRequest
ldaptor.protocols.ldap.ldaperrors.LDAPProtocolError: protocolError: Unsupported extended request: 1.3.6.1.4.1.1466.20037
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S->C LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=2, errorMessage='Unsupported extended request: 1.3.6.1.4.1.1466.20037'))
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=2L, value=LDAPUnbindRequest())
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] C->S LDAPMessage(id=1, value=LDAPUnbindRequest())
2018-08-23T12:53:15+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0252BD90>
Please help/advise us how to solve this problem.
Sincerely,
István Kokics
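
The OID in the rejected request above, 1.3.6.1.4.1.1466.20037, is the LDAP StartTLS extended operation, and the same log shows the proxy starting with "SSL disabled. No server key and certificate configured." The following is an added example, not part of the original post and not Duo's code: a Python triage function (the names `triage`, `EXTENDED_OPS` and `SAMPLE_LOG` are made up here) that picks this mismatch out of authproxy.log lines, using lines copied from the post as sample input.

```python
import re

# Well-known LDAP extended-operation OIDs and the RFC that defines each.
EXTENDED_OPS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I? (RFC 4532)",
}

# Sample input: lines copied from the authproxy.log in the post above.
SAMPLE_LOG = """\
2018-08-23T12:52:46+0100 [-] SSL disabled. No server key and certificate configured.
2018-08-23T12:52:46+0100 [-] Duo Security Authentication Proxy 2.9.0 - Init Complete
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=1L, value=LDAPExtendedRequest(value=[]))
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S->C LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=2, errorMessage='Unsupported extended request: 1.3.6.1.4.1.1466.20037'))
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=2L, value=LDAPUnbindRequest())
"""

# Match only the server-to-client response, so the traceback copy of the
# same error message is not counted a second time.
RESPONSE = re.compile(
    r"^(?P<ts>\S+) \[DuoAutoLdapServer,\d+,(?P<client>[^\]]+)\] S->C .*"
    r"Unsupported extended request: (?P<oid>\d+(?:\.\d+)+)")

def triage(log_text):
    """Return one finding per rejected extended request, flagging a StartTLS
    request sent to a listener that logged it has no key/certificate."""
    tls_disabled = False
    findings = []
    for line in log_text.splitlines():
        if "SSL disabled. No server key and certificate configured." in line:
            tls_disabled = True
        m = RESPONSE.match(line)
        if not m:
            continue
        op = EXTENDED_OPS.get(m.group("oid"), "unknown extended operation")
        findings.append({
            "time": m.group("ts"),
            "client": m.group("client"),
            "oid": m.group("oid"),
            "operation": op,
            "tls_mismatch": tls_disabled and op.startswith("StartTLS"),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `tls_mismatch` set means the LDAP client asked to upgrade the connection to TLS while the proxy's listener was running without a server key and certificate, so the two sides disagree on transport security before any bind is attempted.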
08-23-2018 08:45 AM
Hi Istvan, please contact Duo Support for help with your issue.