10-02-2018 04:49 PM
All,
I have a new install on Ubuntu 18.04, version 2.10.1. Authentication works with primary auth to RADIUS server, including passing A/V pairs back to NAS. RADIUS server sees NAS IP of Ubuntu server, even with conf file using nas_ip=x.x.x.x. I built the conf file without this value originally for testing and then added it to test NAS identification on the RADIUS Server. Service and server have been restarted.
Snip from conf file:
[radius_client]
host=10.0.0.100
secret=**********
pass_through_all=true
nas_ip=192.168.2.4
retry_wait=4
Snip from log file when service starts, which appears to show it parsing correctly:
2018-10-02T23:42:11+0000 [-] RADIUS Client Module Configuration:
2018-10-02T23:42:11+0000 [-] {'debug': 'True',
'host': '10.0.0.100',
'nas_ip': '192.168.2.4',
'pass_through_all': 'true',
'retry_wait': '9',
'secret': '*****'}
From my AAA server (Cisco ISE) authentication log:
NAS IPv4 Address 10.0.0.206
Any thoughts? Am I missing something?
Thanks,
Mark
10-05-2018 09:51 AM
Are you trying to preserve the NAS IP passed in from the RADIUS client request to the Duo Authentication Proxy? If so, be sure to set the pass-through option in your [radius_server_auto] section as well.
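For anyone landing here later, the two halves of that fix side by side, as an added example authproxy.cfg fragment (not the original poster's file and not Duo's documentation): pass_through_all has to be set on the [radius_server_auto] section that receives the NAS's Access-Request, not only on the [radius_client] section that forwards it. The ikey, skey, api_host and secret values are placeholders, and radius_ip_1 is assumed to be the NAS address from the first post.

```ini
; Constructed example, not the poster's config. Placeholder values marked below.

; Receives Access-Requests from the NAS (e.g. the VPN gateway).
; Without pass_through_all here, attributes such as NAS-IP-Address from the
; incoming request are not copied into the request forwarded upstream.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX            ; placeholder
skey=placeholder_skey                ; placeholder
api_host=api-XXXXXXXX.duosecurity.com ; placeholder
radius_ip_1=192.168.2.4              ; assumed NAS address
radius_secret_1=placeholder_nas_secret
client=radius_client
port=1812
failmode=safe
pass_through_all=true

; Forwards primary authentication to the upstream RADIUS server (ISE here).
; pass_through_all on this side covers the attributes in the upstream reply.
[radius_client]
host=10.0.0.100
secret=placeholder_radius_secret
pass_through_all=true
nas_ip=192.168.2.4
retry_wait=4
```

Restart the Duo Authentication Proxy service after editing, then confirm at the proxy's startup log that both sections show pass_through_all as 'true' before re-testing.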
10-05-2018 02:45 PM
Thank you. That helped. I had pass_through_all on the RADIUS Client side for AV pairs being sent back in response, so those all worked. I did not have it in the RADIUS Automatic portion of the config for the request. Enabling this option and setting “true” started passing through attributes.
Unfortunately, based on a packet capture, my RADIUS server does not appear to be parsing attribute 4 (NAS-IP-ADDRESS) properly and is falling back to identify the NAS as the IP of the Duo Proxy. That means some digging on my side.
Thanks for the time.
Mark
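Since the remaining question is whether attribute 4 actually reaches the AAA server, here is an added example (my own code, not from the thread, Duo or Cisco) that decodes a RADIUS packet and reports the NAS-IP-Address attribute. Note that attribute 4 in the payload is separate from the UDP source address of the datagram, which will always be the proxy's IP once the proxy forwards the request. The two packets below are constructed in-line; for a real check, feed the UDP payload bytes exported from your capture to parse_packet().

```python
"""Decode a RADIUS Access-Request and report the NAS-IP-Address attribute (type 4).

Added example, not code from the thread or from the Duo Authentication Proxy.
The packets below are constructed in-line; for a real check, feed the UDP
payload bytes exported from the packet capture to parse_packet().
"""
import ipaddress
import struct

RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
NAS_IP_ADDRESS = 4

ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    5: "NAS-Port",
    31: "Calling-Station-Id",
    32: "NAS-Identifier",
}


def build_attribute(attr_type, value):
    """RFC 2865 attribute: type(1) length(1, includes the 2-byte header) value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet from (type, raw value) pairs; used only for the constructed samples."""
    body = b"".join(build_attribute(t, v) for t, v in attributes)
    return struct.pack("!BBH", code, identifier, RADIUS_HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data):
    """Parse header and attribute list; rejects length fields that disagree with the buffer."""
    if len(data) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < RADIUS_HEADER_LEN or length > len(data):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(data)))
    attributes = []
    offset = RADIUS_HEADER_LEN
    while offset < length:
        if length - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("attribute %d has bad length %d" % (attr_type, attr_len))
        attributes.append((attr_type, data[offset + 2:offset + attr_len]))
        offset += attr_len
    return {"code": code, "identifier": identifier, "authenticator": data[4:20], "attributes": attributes}


def nas_ip_address(packet):
    """Return the NAS-IP-Address as a dotted quad, or None if attribute 4 is absent."""
    for attr_type, value in packet["attributes"]:
        if attr_type == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be exactly 4 bytes")
            return str(ipaddress.IPv4Address(value))
    return None


def describe(packet):
    """Readable attribute listing, for comparing against what the AAA server logged."""
    lines = []
    for attr_type, value in packet["attributes"]:
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type == NAS_IP_ADDRESS and len(value) == 4:
            shown = str(ipaddress.IPv4Address(value))
        else:
            shown = value.decode("ascii", "replace")
        lines.append("%s = %s" % (name, shown))
    return lines


# Constructed samples (not captured traffic): a dummy 16-byte request authenticator
# and two Access-Requests.
AUTHENTICATOR = bytes(range(16))
# 1) What pass_through_all=true on [radius_server_auto] should produce: attribute 4 carries the real NAS.
WITH_NAS_IP = build_packet(1, 7, AUTHENTICATOR, [
    (1, b"mark"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.2.4").packed),
    (32, b"vpn-gw-1"),
])
# 2) Pass-through off: attribute 4 missing, so the AAA server only has the UDP source (the proxy) to go on.
WITHOUT_NAS_IP = build_packet(1, 8, AUTHENTICATOR, [(1, b"mark")])

if __name__ == "__main__":
    for sample in (WITH_NAS_IP, WITHOUT_NAS_IP):
        pkt = parse_packet(sample)
        print("id=%d nas_ip=%s attrs=%s" % (pkt["identifier"], nas_ip_address(pkt), describe(pkt)))
```

If the parsed request shows NAS-IP-Address = 192.168.2.4 but the AAA server still logs the proxy's address as the NAS, the attribute is arriving and the mapping on the server side is what needs attention; if attribute 4 is absent, the proxy configuration is still the place to look.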
08-01-2019 07:57 AM
Did you ever find a solution?
08-04-2019 12:05 PM
I asked for a feature request to allow forwarding of the NAS IP. I believe, at this time, the Proxy always rewrites the source NAS IP. You can key on other attributes or consider looping through for authentication, such as VPN to ISE to Duo back to ISE to AD. In that case, looping back lets you use AD through ISE instead of from the Duo Auth Proxy.