Hello! I'm trying to integrate Duo auth proxy (2.4.19) and Freeradius 3.0.12 on Ubuntu 16.04 to have 2 Factor Authentication on VPN radius requests via Duo security. Active directory intergation done via Samba4 (winbindd). VPN authentication can be SSLVPN or L2TP. Both works - SSL uses pap authentication against the AD, L2TP uses MSCHAPv2 against the AD. SSL sends back only the Filter-Id, L2TP sends Filter-Id and MPPE keys. To have 2 Factor Authentication I created a module for Duo authentication which calls an external script with the user variables and the script writes them to a text file which is the input file for a radclient in the following way: /usr/bin/radclient -f /opt/duoauthproxy/packet -c 1 -r 2 -t 30 -x 127.0.0.1:1645 auth secret -x Radclient connects to the Duo Auth Proxy on the localhost and doing the authentication via Duo services (push/phone/otp code). After the authentication the module returns the Exit code 0 or Exit code 1 (depending on the authentication result). With the SSLVPN it works fine - simply put the Duo authorization before the AD auth in authorize section and works perfectly. With the L2TP it is not working at all. I see the successful authentication (both: Duo and Mschap), MPPE keys and Filter-Id returned, firewall grants the access - and the devices are just not connects. I don't see any errors, and as also the firewall grants the access I have no clue what could this be. Now duo auth happens at post auth section - but it can be anywhere - just not working. Here is the debug: (0) Received Access-Request Id 203 from 10.101.168.3:59819 to 10.148.64.67:1812 length 161 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "Peter Dudas" (0) NAS-IP-Address = 89.212.168.XYZ (0) NAS-Port = 0 (0) MS-CHAP-Challenge = 0x5556c20e9277af608a7ba5335955d181 (0) MS-CHAP2-Response = 0x32006b1c6f8f39c8c7049a9b365ac86156e90000000000000000f7a54abdb5fa7c889557a2729d2234117d36cd4a203ed4ac (0) Proxy-State = 0xfe80000000000000953e77ad63f094ba000000cb (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) if (User-Name != ""){ (0) if (User-Name != "") -> TRUE (0) (User-Name != "") { ... } # empty sub-section is ignored (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/ 10.101.168.3/auth-detail-20170104 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/auth-detail-20170104 (0) auth_log: EXPAND %t (0) auth_log: --> Wed Jan 4 22:35:44 2017 (0) [auth_log] = ok (0) if (User-Name != "" && Service-Type !* "") { (0) if (User-Name != "" && Service-Type !* "") -> FALSE (0) else { (0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") { (0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") -> TRUE (0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") { (0) if (NAS-IP-Address == "89.212.168.XZY" && Framed-Protocol == "PPP") { (0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") -> TRUE (0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") { (0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) { (0) EXPAND Packet-Type (0) --> Access-Request (0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) -> TRUE (0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) { (0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) { (0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) -> TRUE (0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) { (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) if (ok) { (0) if (ok) -> TRUE (0) if (ok) { (0) update reply { (0) Filter-Id := "L2TP-Users" (0) } # update reply = noop (0) } # if (ok) = noop (0) } # if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) = ok (0) } # if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) = ok (0) } # if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") = ok (0) } # if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") = ok (0) } # else = ok (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type mschap { (0) mschap: Creating challenge hash with username: Peter Dudas (0) mschap: Client is using MS-CHAPv2 (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{request:User-Name} --domain=site.domain.local --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=site.domain.local\l2tp-users: (0) mschap: EXPAND --username=%{request:User-Name} (0) mschap: --> --username=Peter Dudas (0) mschap: Creating challenge hash with username: Peter Dudas (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=397e282f44bc0581 (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=f7a54abdb5fa7c889557a2729d2234117d36cd4a203ed4ac (0) mschap: Program returned code (0) and output 'NT_KEY: A1A055BBCC2133B2E1FCD8213C6B03FE' (0) mschap: Adding MS-CHAPv2 MPPE keys (0) [mschap] = ok (0) } # Auth-Type mschap = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (0) post-auth { (0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/freeradius/radacct/ 10.101.168.3/reply-detail-20170104 (0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170104 (0) reply_log: EXPAND %t (0) reply_log: --> Wed Jan 4 22:35:44 2017 (0) [reply_log] = ok (0) duo: Executing: /usr/bin/radclient -f /etc/freeradius/packet -c 1 -r 1 -t 45 127.0.0.1:1645 auth secret -x: (0) duo: Program returned code (0) and output 'Sent Access-Request Id 49 from 0.0.0.0:52464 to 127.0.0.1:1645 length 75 Packet-Type = Access-Request Service-Type = Framed-User Framed-Protocol = PPP User-Name = "Peter Dudas" User-Password = "push" NAS-IP-Address = 89.212.168.XYZ NAS-Port = 0 Cleartext-Password = "push" Received Access-Accept Id 49 from 127.0.0.1:1645 to 0.0.0.0:0 length 48 Reply-Message = "Success. Logging you in..."' (0) duo: Program executed successfully (0) [duo] = ok (0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/freeradius/radacct/ 10.101.168.3/reply-detail-20170104 (0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170104 (0) reply_log: EXPAND %t (0) reply_log: --> Wed Jan 4 22:35:44 2017 (0) [reply_log] = ok (0) [exec] = noop (0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/freeradius/radacct/ 10.101.168.3/reply-detail-20170104 (0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170104 (0) reply_log: EXPAND %t (0) reply_log: --> Wed Jan 4 22:35:44 2017 (0) [reply_log] = ok (0) } # post-auth = ok (0) Login OK: [Peter Dudas/<via Auth-Type = mschap>] (from client dc1 port 0) (0) Sent Access-Accept Id 203 from 10.148.64.67:1812 to 10.101.168.3:59819 length 0 (0) Filter-Id := "L2TP-Users" (0) MS-CHAP2-Success = 0x32533d34413036444345313735434538323544364344333939363634303638424345343738453634383132 (0) MS-MPPE-Recv-Key = 0x8e2b496673e4be264ff378973bfc4f0a (0) MS-MPPE-Send-Key = 0x3d999c39dd3234adb646ff83015329da (0) MS-MPPE-Encryption-Policy = Encryption-Required (0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (0) Proxy-State = 0xfe80000000000000953e77ad63f094ba000000cb (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 203 with timestamp +18 I've tried to run the duo auth ant the Authorize, post auth sections - no matter where it is, the connection is not successful. Do you maybe know what change with this second authentication which blocks the L2TP VPN connection? If I comment out the DUO - then L2TP VPN connects without problem. I don't find any difference in the Reply packets (chacked with Wireshark too). Thank you! Peter Dudas