On Jan 4, 2017, at 4:50 PM, Dudás Péter <peter.pdudas@gmail.com> wrote:
I'm trying to integrate Duo auth proxy (2.4.19) and Freeradius 3.0.12 on Ubuntu 16.04 to have 2 Factor Authentication on VPN radius requests via Duo security.
What's "duo auth" ?
Active directory intergation done via Samba4 (winbindd).
VPN authentication can be SSLVPN or L2TP. Both works - SSL uses pap authentication against the AD, L2TP uses MSCHAPv2 against the AD. SSL sends back only the Filter-Id, L2TP sends Filter-Id and MPPE keys.
To have 2 Factor Authentication I created a module for Duo authentication which calls an external script with the user variables and the script writes them to a text file which is the input file for a radclient in the following way: /usr/bin/radclient -f /opt/duoauthproxy/packet -c 1 -r 2 -t 30 -x 127.0.0.1:1645 auth secret -x
That works only for PAP. And why run "radclient" manually? The server can proxy RADIUS packets. Why not do that?
Radclient connects to the Duo Auth Proxy on the localhost and doing the authentication via Duo services (push/phone/otp code). After the authentication the module returns the Exit code 0 or Exit code 1 (depending on the authentication result).
Proxying RADIUS packets would be a lot easier.
With the SSLVPN it works fine - simply put the Duo authorization before the AD auth in authorize section and works perfectly. With the L2TP it is not working at all. I see the successful authentication (both: Duo and Mschap), MPPE keys and Filter-Id returned, firewall grants the access - and the devices are just not connects.
Blame the L2TP gateway then. If the attributes returned by FreeRADIUS are the same for both Duo and non-duo cases, then the NAS should behave the same in both situations.
I don't see any errors, and as also the firewall grants the access I have no clue what could this be.
Look at the firewall logs to see what it's doing. You can't debug the firewall by looking at the FreeRADIUS logs.
I've tried to run the duo auth ant the Authorize, post auth sections - no matter where it is, the connection is not successful.
You're looking at the wrong thing. Look at the debug log and Access-Accept packets for both the "with duo" and "without duo" cases. If the Access-Accepts are the same, then the firewall should behave the same in both situations.
Do you maybe know what change with this second authentication which blocks the L2TP VPN connection?
Since you've only given a non-working debug output and not a working one... no, we don't know what's going on.
If I comment out the DUO - then L2TP VPN connects without problem.
I don't find any difference in the Reply packets (chacked with Wireshark too).
Then blame the firewall. Alan DeKok.