2 Factor Authentication

Alan DeKok aland at deployingradius.com
Wed Jan 4 23:30:40 CET 2017

On Jan 4, 2017, at 4:50 PM, Dudás Péter <peter.pdudas at gmail.com> wrote:
> I'm trying to integrate Duo auth proxy (2.4.19) and Freeradius 3.0.12 on
> Ubuntu 16.04 to have 2 Factor Authentication on VPN radius requests via Duo
> security.

  What's "duo auth"?

> Active Directory integration done via Samba4 (winbindd).
> VPN authentication can be SSLVPN or L2TP. Both work - SSL uses pap
> authentication against the AD, L2TP uses MSCHAPv2 against the AD.
> SSL sends back only the Filter-Id, L2TP sends Filter-Id and MPPE keys.
> To have 2 Factor Authentication I created a module for Duo authentication
> which calls an external script with the user variables and the script
> writes them to a text file which is the input file for a radclient in the
> following way:
> /usr/bin/radclient -f /opt/duoauthproxy/packet -c 1 -r 2 -t 30 -x
> auth secret -x

  That works only for PAP.  And why run "radclient" manually?  The server can proxy RADIUS packets.  Why not do that?

> Radclient connects to the Duo Auth Proxy on the localhost and doing the
> authentication via Duo services (push/phone/otp code).
> After the authentication the module returns the Exit code 0 or Exit code 1
> (depending on the authentication result).

  Proxying RADIUS packets would be a lot easier.

> With the SSLVPN it works fine - simply put the Duo authorization before the
> AD auth in authorize section and works perfectly.
> With the L2TP it is not working at all. I see the successful authentication
> (both: Duo and Mschap), MPPE keys and Filter-Id returned, firewall grants
> the access - and the devices just don't connect.

  Blame the L2TP gateway then.  If the attributes returned by FreeRADIUS are the same for both Duo and non-duo cases, then the NAS should behave the same in both situations.

> I don't see any errors, and as also the firewall grants the access I have
> no clue what this could be.

  Look at the firewall logs to see what it's doing.  You can't debug the firewall by looking at the FreeRADIUS logs.

> I've tried to run the Duo auth in the Authorize and post-auth sections - no
> matter where it is, the connection is not successful.

  You're looking at the wrong thing.

  Look at the debug log and Access-Accept packets for both the "with duo" and "without duo" cases.  If the Access-Accepts are the same, then the firewall should behave the same in both situations.

> Do you maybe know what changes with this second authentication which blocks
> the L2TP VPN connection?

  Since you've only given a non-working debug output and not a working one... no, we don't know what's going on.

> If I comment out the DUO - then L2TP VPN connects without problem.
> I don't find any difference in the Reply packets (checked with Wireshark
> too).

  Then blame the firewall.

  Alan DeKok.
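An added example of the proxying Alan suggests, not taken from the thread or from the Duo or FreeRADIUS projects: a FreeRADIUS 3.0 configuration that forwards PAP requests to the Duo Auth Proxy as a RADIUS home server instead of shelling out to radclient. It assumes the Duo Auth Proxy listens on 127.0.0.1:1812, the shared secret is a placeholder, and, since the radclient approach above works only for PAP, only requests carrying a User-Password are sent to Duo while MS-CHAPv2 (L2TP) requests stay on the local AD path.

```conf
# raddb/proxy.conf  (added example; values marked as assumptions are not from the thread)
home_server duo_proxy {
    type            = auth
    ipaddr          = 127.0.0.1          # assumption: Duo Auth Proxy on localhost
    port            = 1812               # assumption: its RADIUS listen port
    secret          = DUO_SECRET_PLACEHOLDER
    response_window = 60                 # a push/phone approval can take a while
    zombie_period   = 40
    status_check    = none               # the proxy does not answer Status-Server
}

home_server_pool duo_pool {
    type        = fail-over
    home_server = duo_proxy
}

realm duo {
    auth_pool = duo_pool
    nostrip                              # forward User-Name unchanged, no realm suffix removal
}

# raddb/sites-enabled/default, inside the authorize section, after ntlm_auth / mschap
# have had a chance to look at the request:
authorize {
    #   ... existing modules ...
    # PAP (SSLVPN) requests carry User-Password and can be proxied to Duo.
    # MS-CHAPv2 (L2TP) requests carry MS-CHAP-Challenge/Response and are not,
    # so they keep going through the local AD (mschap) path.
    if (User-Password && !MS-CHAP-Challenge) {
        update control {
            Proxy-To-Realm := "duo"
        }
    }
}
```

With Proxy-To-Realm set, FreeRADIUS forwards the Access-Request itself and the NAS sees the Access-Accept or Access-Reject that results, so the "with duo" and "without duo" cases can be compared directly in `radiusd -X` output as Alan advises.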
