I have an R80.30 environment with the latest hotfix 111. I am attempting to get DUO with Radius authentication working. I have gone through many articles and followed many guides but the firewall doesn't seem to be reading the Radius Attribute correctly. I have attached document with screenshot of all settings.
It clearly shows in output below that user is authenticated the attributes are sent to firewall, however in the document (image 8) it clearly also shows the fw fails to associate user to correct radius group.
FW to DUO Server
11:27:19.014685 IP (tos 0x0, ttl 64, id 29050, offset 0, flags [DF], proto UDP (17), length 91)
192.168.50.1.50289 > 192.168.50.55.1812: [udp sum ok] RADIUS, length: 63
Access-Request (1), id: 0xfc, Authenticator: d13ddb2daa9348b74f4b9e18515ed201
User-Name Attribute (1), length: 13, Value: jconcepcion (user)
0x0000: 6a63 6f6e 6365 7063 696f 6e
User-Password Attribute (2), length: 18, Value:
0x0000: d77c 4ddb c4cb 6a4a 6e8b a1b7 0281 d6ae
Service-Type Attribute (6), length: 6, Value: Login
0x0000: 0000 0001
NAS-IP-Address Attribute (4), length: 6, Value: 192.168.50.1 (fw)
0x0000: c0a8 3201
DUO response to FW
11:27:19.019777 IP (tos 0x0, ttl 128, id 22638, offset 0, flags [DF], proto UDP (17), length 123)
192.168.50.55.1812 > 192.168.50.1.50289: [udp sum ok] RADIUS, length: 95
Access-Accept (2), id: 0xfc, Authenticator: 978072888ab55bad85d2d3ce987d21f1
Vendor-Specific Attribute (26), length: 17, Value: Vendor: Unknown (2620)
Vendor Attribute: 229, Length: 9, Value: DuoVpnGrp (confirmation user group being sent back to fw)
0x0000: 0000 0a3c e50b 4475 6f56 706e 4772 70
Framed-Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Class Attribute (25), length: 46, Value: m...
0x0000: 6d90 059e 0000 0137 0001 0200 c0a8 3237
0x0010: 0000 0000 0000 0000 0000 0000 01d5 b81a
0x0020: b34d b82f 0000 0000 0000 0002