DUO MFA with Radius Authentication for VPN Access
I have an R80.30 environment with the latest hotfix (111). I am attempting to get Duo with RADIUS authentication working. I have gone through many articles and followed many guides, but the firewall doesn't seem to be reading the RADIUS attribute correctly. I have attached a document with screenshots of all the settings.
The output below clearly shows that the user is authenticated and the attributes are sent to the firewall; however, the document (image 8) also clearly shows that the FW fails to associate the user with the correct RADIUS group.
FW to DUO Server
11:27:19.014685 IP (tos 0x0, ttl 64, id 29050, offset 0, flags [DF], proto UDP (17), length 91)
192.168.50.1.50289 > 192.168.50.55.1812: [udp sum ok] RADIUS, length: 63
Access-Request (1), id: 0xfc, Authenticator: d13ddb2daa9348b74f4b9e18515ed201
User-Name Attribute (1), length: 13, Value: jconcepcion (user)
0x0000: 6a63 6f6e 6365 7063 696f 6e
User-Password Attribute (2), length: 18, Value:
0x0000: d77c 4ddb c4cb 6a4a 6e8b a1b7 0281 d6ae
Service-Type Attribute (6), length: 6, Value: Login
0x0000: 0000 0001
NAS-IP-Address Attribute (4), length: 6, Value: 192.168.50.1 (fw)
0x0000: c0a8 3201
DUO response to FW
11:27:19.019777 IP (tos 0x0, ttl 128, id 22638, offset 0, flags [DF], proto UDP (17), length 123)
192.168.50.55.1812 > 192.168.50.1.50289: [udp sum ok] RADIUS, length: 95
Access-Accept (2), id: 0xfc, Authenticator: 978072888ab55bad85d2d3ce987d21f1
Vendor-Specific Attribute (26), length: 17, Value: Vendor: Unknown (2620)
Vendor Attribute: 229, Length: 9, Value: DuoVpnGrp (confirmation user group being sent back to fw)
0x0000: 0000 0a3c e50b 4475 6f56 706e 4772 70
Framed-Protocol Attribute (7), length: 6, Value: PPP
0x0000: 0000 0001
Service-Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Class Attribute (25), length: 46, Value: m...
0x0000: 6d90 059e 0000 0137 0001 0200 c0a8 3237
0x0010: 0000 0000 0000 0000 0000 0000 01d5 b81a
0x0020: b34d b82f 0000 0000 0000 0002
- Tags:
- Client VPN
- mfa
- vpn
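Added example, not code from the thread, from Check Point or from Duo: it rebuilds the Access-Accept above byte for byte from the hex dumps, pulls the group name out of the vendor-specific attribute (vendor 2620 is Check Point's enterprise number, vendor type 229 carries the group) the way a gateway configured with radius_groups_attr = 26 has to, and adds the RFC 2865 Response Authenticator check a NAS performs before trusting the reply. The function names are mine, and because the shared secret is not on the page, sign_response/verify_response are exercised with a constructed one.

```python
import hashlib
import hmac
import struct

# The Access-Accept from the "DUO response to FW" capture above, rebuilt byte for byte.
REQUEST_AUTH = bytes.fromhex("d13ddb2daa9348b74f4b9e18515ed201")   # from the Access-Request
ACCESS_ACCEPT = bytes.fromhex(
    "02fc005f" "978072888ab55bad85d2d3ce987d21f1"           # code 2, id 0xfc, length 95, authenticator
    "1a11" "00000a3ce50b44756f56706e477270"                  # VSA (26): vendor 2620, type 229, "DuoVpnGrp"
    "0706" "00000001" "0606" "00000002"                       # Framed-Protocol = PPP, Service-Type = Framed
    "192e" "6d90059e0000013700010200c0a83237"                 # Class (25): 44 opaque bytes the NAS echoes back
    "00000000000000000000000001d5b81a" "b34db82f0000000000000002")
CHECKPOINT_VENDOR_ID = 2620   # Check Point's enterprise number; tcpdump shows "Unknown (2620)"
GROUP_VENDOR_TYPE = 229       # vendor attribute that carries the RADIUS group name

def parse_tlvs(data):
    """Walk RADIUS type/length/value attributes; the length byte includes the 2-byte header."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes) after checking the length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS length field does not match the datagram")
    return code, ident, pkt[4:20], parse_tlvs(pkt[20:length])

def radius_groups(pkt, vendor_id=CHECKPOINT_VENDOR_ID, vendor_type=GROUP_VENDOR_TYPE):
    """Group names in the vendor-specific attribute (26) of an Access-Accept; [] for any other code."""
    code, _, _, attrs = parse_packet(pkt)
    groups = []
    for atype, value in attrs:
        if code == 2 and atype == 26 and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == vendor_id:
            groups.extend(d.decode("ascii", "replace") for t, d in parse_tlvs(value[4:]) if t == vendor_type)
    return groups

def sign_response(pkt, request_auth, secret):
    """Set the RFC 2865 Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    digest = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + digest + pkt[20:]

def verify_response(pkt, request_auth, secret):
    """True only if the reply was signed with this request's authenticator and the shared secret."""
    return hmac.compare_digest(sign_response(pkt, request_auth, secret)[4:20], pkt[4:20])
```

radius_groups(ACCESS_ACCEPT) returns ['DuoVpnGrp'], so the group is present and well-formed on the wire; if the gateway still does not match it, the problem is in what the gateway is told to read, not in what Duo sends.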
Any solution for this?
Regards
Olle
I had an LDAP Account Unit defined, and the Duo proxy software was installed on the same server. I had to go in and make a dbedit modification so that it wasn't doing LDAP lookups for remote users - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
--Juan
Edit: Thanks for sharing your fix - good to know!
Did you set the following in GuiDBEdit:
Global Properties > Properties > firewall_properties -> add_radius_groups = true
Global Properties > Properties > firewall_properties -> radius_groups_attr = 26
Cheers,
Ruan
Yes, that was also done. I believe the issue was that it was using LDAP at one point for authentication; it was then migrated to Duo, and the Duo proxy software was installed on the same LDAP server, which is why I had to do the dbedit modification.
--Juan
In the Duo proxy config, the RADIUS (radius_ip_1) address for Check Point, is it the management server or the gateway? Internal or external address? I don't need to make an accept rule duo-proxy -> fw, fw -> duo-proxy?
I will use Duo for Endpoint vpn.
Thanks again
Olle
For the "client" IP you should be putting in the cluster VIP on the interface that you route through to get to the Duo auth proxy. You can find this out by running the command 'ip route get <duo_auth_proxy_ip>' on the gateway. This command will tell you which interface it routes to the proxy with; once you have this information, you use the cluster VIP on that interface, since all traffic originating from cluster members gets hidden behind the cluster VIP. You do not need any policy rules, since the traffic originates from the gateways and is accepted by implied rules.
Hope this helps.