Juan_Concepcion
Advisor

DUO MFA with Radius Authentication for VPN Access

I have an R80.30 environment with the latest hotfix, take 111. I am attempting to get Duo with RADIUS authentication working. I have gone through many articles and followed many guides, but the firewall doesn't seem to be reading the RADIUS attribute correctly. I have attached a document with screenshots of all settings.

It clearly shows in the output below that the user is authenticated and the attributes are sent to the firewall; however, the document (image 8) also clearly shows that the FW fails to associate the user with the correct RADIUS group.

FW to DUO Server

11:27:19.014685 IP (tos 0x0, ttl 64, id 29050, offset 0, flags [DF], proto UDP (17), length 91)
192.168.50.1.50289 > 192.168.50.55.1812: [udp sum ok] RADIUS, length: 63
Access-Request (1), id: 0xfc, Authenticator: d13ddb2daa9348b74f4b9e18515ed201
User-Name Attribute (1), length: 13, Value: jconcepcion (user)
0x0000: 6a63 6f6e 6365 7063 696f 6e
User-Password Attribute (2), length: 18, Value:
0x0000: d77c 4ddb c4cb 6a4a 6e8b a1b7 0281 d6ae
Service-Type Attribute (6), length: 6, Value: Login
0x0000: 0000 0001
NAS-IP-Address Attribute (4), length: 6, Value: 192.168.50.1 (fw)
0x0000: c0a8 3201

DUO response to FW

11:27:19.019777 IP (tos 0x0, ttl 128, id 22638, offset 0, flags [DF], proto UDP (17), length 123)
192.168.50.55.1812 > 192.168.50.1.50289: [udp sum ok] RADIUS, length: 95
Access-Accept (2), id: 0xfc, Authenticator: 978072888ab55bad85d2d3ce987d21f1
Vendor-Specific Attribute (26), length: 17, Value: Vendor: Unknown (2620)
Vendor Attribute: 229, Length: 9, Value: DuoVpnGrp (confirmation user group being sent back to fw)
0x0000: 0000 0a3c e50b 4475 6f56 706e 4772 70
Framed-Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Class Attribute (25), length: 46, Value: m...
0x0000: 6d90 059e 0000 0137 0001 0200 c0a8 3237
0x0010: 0000 0000 0000 0000 0000 0000 01d5 b81a
0x0020: b34d b82f 0000 0000 0000 0002

7 Replies
Olle
Participant

Hi
Any solution for this?

Regards
Olle
Juan_Concepcion
Advisor

I had an LDAP Account Unit defined, and the Duo proxy software was installed on the same server. I had to go in and make a dbedit modification so that it wasn't doing LDAP lookups for remote users - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


--Juan

Ruan_Kotze
Advisor

Edit: Thanks for sharing your fix - good to know!

Did you set the following in GuiDBEdit:

Global Properties > Properties > firewall_properties -> add_radius_groups = true

Global Properties > Properties > firewall_properties -> radius_groups_attr = 26

Cheers,
Ruan

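The capture in the original post and the two GuiDBEdit properties above fit together: the gateway only maps the user to a group if radius_groups_attr names the attribute the Duo proxy actually puts the group in, which in the capture is Vendor-Specific (26) for vendor 2620 (tcpdump prints it as "Unknown (2620)"; that is Check Point's enterprise number), vendor attribute 229. The following script is an added example, not code from the thread or from Check Point or Duo: it rebuilds the Access-Accept byte for byte from the hex dump in the post, shows what the gateway would read with radius_groups_attr = 26 versus 25 (Class, which here is an opaque blob), and performs the RFC 2865 Response Authenticator check a RADIUS client must make before trusting any attribute. The shared secret is not on the page, so the authenticator check uses a constructed secret; the vendor/attribute constants and the 25-vs-26 comparison are the only assumptions beyond the capture itself.

```python
"""Extract the group from the Access-Accept captured in the thread, the way the
gateway would with radius_groups_attr = 26 (Vendor-Specific) versus 25 (Class),
and check the RFC 2865 Response Authenticator.  Added example, stdlib only."""
import hashlib
import hmac
import struct

CHECKPOINT_VENDOR_ID = 2620   # "Unknown (2620)" in the capture: Check Point's PEN
CHECKPOINT_GROUP_VSA = 229    # vendor attribute 229 carried "DuoVpnGrp"

# Access-Accept (id 0xfc, length 95) rebuilt from the hex dump in the post.
ACCESS_ACCEPT = bytes.fromhex(
    "02fc005f" "978072888ab55bad85d2d3ce987d21f1"   # code, id, length, authenticator
    "1a11" "00000a3c" "e50b" "44756f56706e477270"   # Vendor-Specific(26): 2620/229 "DuoVpnGrp"
    "0706" "00000001"                                # Framed-Protocol(7) = PPP
    "0606" "00000002"                                # Service-Type(6) = Framed
    "192e" "6d90059e0000013700010200c0a83237"        # Class(25), 44 opaque bytes
    "00000000000000000000000001d5b81a"
    "b34db82f0000000000000002"
)
# Request Authenticator of the matching Access-Request, also from the capture.
REQUEST_AUTHENTICATOR = bytes.fromhex("d13ddb2daa9348b74f4b9e18515ed201")


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    Raises ValueError where RFC 2865 says to silently discard the packet, so
    attributes are never read past the declared length."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field outside the received datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length overruns the packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...])."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    sub, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("vendor attribute length overruns the value")
        sub.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, sub


def radius_groups(packet: bytes, radius_groups_attr: int):
    """Group names the gateway would see if it reads groups from `radius_groups_attr`."""
    code, _, _, attrs = parse_radius(packet)
    if code != 2:                       # only an Access-Accept carries usable groups
        return []
    groups = []
    for atype, value in attrs:
        if atype != radius_groups_attr:
            continue
        if atype == 26:                 # only the Check Point VSA counts
            vendor_id, sub = parse_vsa(value)
            if vendor_id == CHECKPOINT_VENDOR_ID:
                groups += [d.decode("ascii", "replace") for t, d in sub if t == CHECKPOINT_GROUP_VSA]
        else:                           # e.g. 25: the raw Class blob, which is no group name here
            groups.append(value.decode("ascii", "replace"))
    return groups


def response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()


def sign_response(response: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Rewrite the authenticator field as a server sharing `secret` would have set it."""
    return response[:4] + response_authenticator(response, request_auth, secret) + response[20:]


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must do before trusting any attribute in an Access-Accept."""
    expected = response_authenticator(response, request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    print("attr 26:", radius_groups(ACCESS_ACCEPT, 26))   # ['DuoVpnGrp']
    print("attr 25:", radius_groups(ACCESS_ACCEPT, 25))   # opaque Class value, no group
    # The real shared secret is not on the page; a constructed one demonstrates the check.
    signed = sign_response(ACCESS_ACCEPT, REQUEST_AUTHENTICATOR, b"constructed-secret")
    print("right secret:", verify_response(signed, REQUEST_AUTHENTICATOR, b"constructed-secret"))
    print("wrong secret:", verify_response(signed, REQUEST_AUTHENTICATOR, b"wrong-secret"))
```

Two practical points follow from the script. First, with radius_groups_attr = 25 the gateway would try to treat the 44-byte Class value as a group name and the match would fail exactly the way the screenshots in the post describe, so the property and the attribute the proxy sends must agree. Second, the authenticator check depends on the shared secret configured for the source address the proxy sees on the request, which is why each address the gateway (or each cluster member) sends from needs its own radius_ip_N/radius_secret_N pair on the Duo side.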
Juan_Concepcion
Advisor

Yes, that was also done. I believe the issue was that it was using LDAP at one point for authentication; it was then migrated to Duo, and the Duo proxy software was installed on the same LDAP server, which is why I had to do the dbedit modification.


--Juan

Olle
Participant

Thanks for helping me out 👍🏻
In the Duo proxy config, the RADIUS (radius_ip_1) address for Check Point: is it the management server or the gateway? Internal or external address? Don't I need to make an accept rule duo-proxy -> fw, fw -> duo-proxy?
I will use Duo for Endpoint vpn.
Thanks again
Olle
RS_Daniel
Advisor

Hello Olle, in my case I configured the IP address of the gateway. It was a cluster, and I needed to add two RADIUS IPs in the proxy auth file, one for each cluster member IP and each with its own radius_secret; you should use the IP directly connected to the proxy. I think RADIUS is accepted by an implied rule, but you can test. HTH.
Juan_Concepcion
Advisor

For the "client" IP you should be putting in the cluster VIP on the interface that you route through to get to the Duo Auth Proxy. You can find this out by running the command 'ip route get <duo_auth_proxy_ip>' on the gateway. This command will tell you which interface it routes to the proxy with; once you have this information, you then use the cluster VIP on that interface, since all traffic originating from cluster members gets hidden behind the cluster VIP. You do not need any policy rules, since the traffic originating from the gateways is accepted by implied rules.


Hope this helps.

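To make Olle's question and the two answers concrete, here is an added example of the relevant part of a Duo Authentication Proxy authproxy.cfg for a gateway cluster. It is not the thread's or Duo's own configuration: the proxy and gateway addresses follow the capture in the post (proxy 192.168.50.55, gateway/VIP 192.168.50.1), while the member addresses, the primary RADIUS server, all secrets and the Duo integration keys are placeholders. The choice of a RADIUS server as the primary authenticator is also an assumption; it is one way for the Check Point group VSA seen in the capture to reach the gateway (the proxy copies the primary server's attributes when pass_through_all is on), and the thread does not say what the primary was.

```ini
; authproxy.cfg (added example; placeholders marked in capitals)
; Comment lines start with ";" as in Duo's own sample file.

[radius_client]
; ASSUMPTION: primary authenticator is a RADIUS server that already returns the
; Check Point group VSA (vendor 2620, attribute 229) on success.
host=192.168.50.10
secret=PRIMARY-RADIUS-SECRET

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
port=1812
; Forward every attribute the primary server returned, so the group VSA the
; gateway matches on (radius_groups_attr = 26) survives the proxy.
pass_through_all=true

; The proxy matches Access-Requests on their source IP, so list every address
; the gateway actually sends from, each with its own secret. If the cluster
; hides RADIUS behind the VIP of the egress interface (ip route get <proxy ip>
; on the gateway shows which interface that is) only the VIP entry is used; if
; each member sends from its own address, the member entries are what match.
; A tcpdump on udp port 1812 at the proxy, like the one in the post, settles it.
radius_ip_1=192.168.50.1
radius_secret_1=VIP-SECRET
radius_ip_2=192.168.50.2
radius_secret_2=MEMBER-A-SECRET
radius_ip_3=192.168.50.3
radius_secret_3=MEMBER-B-SECRET
```

The secrets configured here must be the same ones entered on the Check Point RADIUS server object for the corresponding address, otherwise the gateway will discard the Access-Accept because its Response Authenticator does not verify, which looks from the client side exactly like a failed login even though the proxy logged a success.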