DUO Proxy: Unsupported extended request

ikokics
Level 1

Hello!

I need your help to successfully implement the DUO Proxy in our environment.

The problem:

We configured our switches to authenticate with our Active Directory. That works great.
And now we want to implement 2FA with DUO Proxy.

We installed DUO Authenticator Proxy on one of our Windows Servers.
We configured everything, but it still doesn’t seem to work.

Our authproxy.conf looks like this:

	[main]
	debug=true
	test_connectivity_on_startup=true

	[ad_client]
	host=1.2.3.4
	service_account_username=********
	service_account_password=********
	search_dn=OU=XX,OU=YY,DC=AA,DC=BB,DC=CC
	transport=clear

	[ldap_server_auto]
	client=ad_client

	ikey=***************
	skey=***************
	api_host=***************

Output of the authproxy_connectivity_tool:

	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] Testing section 'main' with configuration:
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] {'debug': 'True', 'test_connectivity_on_startup': 'true'}
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] There are no connectivity problems with the section.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] -----------------------------
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] Testing section 'ad_client' with configuration:
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] {'debug': 'True',
		 'host': '1.2.3.4',
		 'search_dn': 'OU=XX,OU=YY,DC=AA,DC=BB,DC=CC',
		 'service_account_password': '*****',
		 'service_account_username': '*********',
		 'transport': 'clear'}
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The LDAP Client section has no connectivity issues.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] -----------------------------
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] Testing section 'ldap_server_auto' with configuration:
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] {'■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■',
		 'client': 'ad_client',
		 'debug': 'True',
		 'ikey': '*********',
		 'skey': '*****[40]'}
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#warn] The LDAP Server has connectivity problems.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The Auth Proxy was able to ping Duo at ■■■■■■■■■■■■■■■■■■■■■■■■■■■■ with a latency of 1409.80298783 milliseconds.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#error] The time drift between the Auth Proxy host and Duo is excessively high, at 1535026603.51 seconds.  This could interfere with user authorizations.  Ensure the Auth Proxy host's time is correct, for instance by enabling NTP.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The Auth Proxy was able to validate the provided API credentials.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] The Connectivity Tool did not run the listen tcp check because the actual Authentication Proxy is using that port. If you need this test to run stop the Auth Proxy and try again.
	2018-08-23T13:16:45+0100 [duoauthproxy.lib.log#info] -----------------------------

And the authproxy.log:

	##################
	##Initialization##
	##################
	2018-08-23T12:52:46+0100 [-] Duo AutoLdapServerFactory starting on 389
	2018-08-23T12:52:46+0100 [duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServer Factory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.■■■■■■■■■■■■■■■■■■■■tory instance at 0x025340D0>
	2018-08-23T12:52:46+0100 [-] Main Configuration:
	2018-08-23T12:52:46+0100 [-] {'debug': 'True', 'test_connectivity_on_startup': 'true'}
	2018-08-23T12:52:46+0100 [-] AD Client Module Configuration:
	2018-08-23T12:52:46+0100 [-] {'debug': 'True',
		 'host': '1.2.3.4',
		 'search_dn': 'OU=XX,OU=YY,DC=AA,DC=BB,DC=CC',
		 'service_account_password': '*****',
		 'service_account_username': '*********',
		 'transport': 'clear'}
	2018-08-23T12:52:46+0100 [-] LDAP Automatic Factor Server Module Configuration:
	2018-08-23T12:52:46+0100 [-] {'■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■',
		 'client': 'ad_client',
		 'debug': 'True',
		 'ikey': '*********',
		 'skey': '*****[40]'}
	2018-08-23T12:52:46+0100 [-] SSL disabled. No server key and certificate configured.
	2018-08-23T12:52:46+0100 [-] Duo Security Authentication Proxy 2.9.0 - Init Complete
	
	#######################################################################################################################################
	##Every time I want to connect to my device with ssh I got an error like this and a "Permission Denied" message on the device itself.##
	#######################################################################################################################################
	2018-08-23T12:53:15+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0252BD90>
	2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=1L, value=LDAPExtendedRequest(value=[]))
	2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] Unhandled Error
		Traceback (most recent call last):
		  File "twisted\internet\tcp.pyc", line 215, in _dataReceived
		    
		  File "ldaptor\protocols\ldap\ldapserver.pyc", line 52, in dataReceived
		    
		  File "duoauthproxy\modules\ldap_server_auto.pyc", line 127, in handle
		    
		  File "ldaptor\protocols\ldap\ldapserver.pyc", line 131, in handle
		    
		--- <exception caught here> ---
		  File "twisted\internet\defer.pyc", line 150, in maybeDeferred
		    
		  File "duoauthproxy\lib\ldap\proxy.pyc", line 237, in handle_LDAPExtendedRequest
		    
		ldaptor.protocols.ldap.ldaperrors.LDAPProtocolError: protocolError: Unsupported extended request: 1.3.6.1.4.1.1466.20037
		
	2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S->C LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=2, errorMessage='Unsupported extended request: 1.3.6.1.4.1.1466.20037'))
	2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=2L, value=LDAPUnbindRequest())
	2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] C->S LDAPMessage(id=1, value=LDAPUnbindRequest())
	2018-08-23T12:53:15+0100 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0252BD90>

Please help/advise us how to solve this problem.

Sincerely,
István Kokics
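An added example, not part of the original post or Duo's own code: the OID in the rejected request, 1.3.6.1.4.1.1466.20037, is the LDAP StartTLS extended operation, and this script pulls that rejection out of an authproxy.log excerpt and correlates it with the proxy's "SSL disabled" startup line. The log lines are copied from the post above; the function names and the OID table are this example's own.

```python
import re

# Well-known LDAP extended-operation OIDs (RFC 4511, RFC 3062, RFC 4532).
EXTENDED_OPS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I?",
}

# Lines copied from the authproxy.log excerpt in the post (leading tabs dropped).
SAMPLE_LOG = """\
2018-08-23T12:52:46+0100 [-] SSL disabled. No server key and certificate configured.
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=1L, value=LDAPExtendedRequest(value=[]))
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S->C LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=2, errorMessage='Unsupported extended request: 1.3.6.1.4.1.1466.20037'))
2018-08-23T12:53:15+0100 [DuoAutoLdapServer,0,9.149.19.78] S<-C LDAPMessage(id=2L, value=LDAPUnbindRequest())
"""

CONN_RE = re.compile(r"\[DuoAutoLdapServer,\d+,([\d.]+)\]")
REJECT_RE = re.compile(
    r"S->C .*LDAPExtendedResponse\(resultCode=(\d+), "
    r"errorMessage='Unsupported extended request: ([\d.]+)'")

def analyze(log_text):
    """Return (tls_disabled, findings) for an authproxy.log excerpt."""
    tls_disabled, findings = False, []
    for line in log_text.splitlines():
        if "SSL disabled" in line:
            tls_disabled = True  # proxy started without a server key/certificate
        conn, rejected = CONN_RE.search(line), REJECT_RE.search(line)
        if conn and rejected:
            oid = rejected.group(2)
            findings.append({"client": conn.group(1), "result_code": int(rejected.group(1)),
                             "oid": oid, "operation": EXTENDED_OPS.get(oid, "unknown")})
    return tls_disabled, findings

def summarize(log_text):
    """One human-readable line per rejected extended request."""
    tls_disabled, findings = analyze(log_text)
    out = []
    for f in findings:
        msg = (f"{f['client']} sent {f['operation']} ({f['oid']}), "
               f"rejected with resultCode={f['result_code']}")
        if f["operation"] == "StartTLS" and tls_disabled:
            msg += "; the proxy logged 'SSL disabled' at startup"
        out.append(msg)
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

With `transport=clear` upstream and no TLS on the proxy's listener, a client that insists on StartTLS disconnects right after the protocolError, which matches the unbind that follows in the log.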

1 Reply

mkorovesisduo
Level 4

Hi Istvan, please contact Duo Support for help with your issue.