I’m trying to get a Barracuda F300 NG (client-site VPN module) to use Radius authentication to a Duo Authentication Proxy. In the end, the Duo box would check against our AD and the token code from their app, but I can’t get that far.
The VPN login works fine with AD for its auth. It fails with Radius.
I’m not seeing any authentication attempts on the Duo Authentication log.
Telnet from the F300 times out when trying to connect to the 2012r2 VM on port 1812.
The VM has the Duo proxy started, and its firewall has explicit incoming allows for the proxy and for TCP 1812.
I just found and enabled logging on the 2012r2 VM that hosts the Duo proxy.
After disabling the firewall, I see allowed UDP traffic from the F300 to the Duo VM from port 12349 to 1812. I changed the firewall rule to allow incoming 1812 UDP.
After that I see TCP traffic from the Duo VM to my domain controllers, from 64050 (incrementing) to 389.
I have no replies from the domain controller. Thoughts on why this part of the auth is being blocked?
The Duo box is configured with a service account. That account only has domain user membership - that should be enough to authenticate, shouldn’t it?
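Added example, not part of the thread: telnet only tests TCP, while the traffic the poster eventually saw from the F300 to the proxy on port 1812 was UDP, so a reachability check has to speak RADIUS over UDP. This probe builds an Access-Request per RFC 2865 and reports the reply code; the host, shared secret and account are placeholders, and the function names are this example's own.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (chained MD5 XOR)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Access-Request with a trailing Message-Authenticator (HMAC-MD5)."""
    authenticator = authenticator or os.urandom(16)
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = (attr(1, user.encode())                    # User-Name
             + attr(2, hide_password(password.encode(), secret, authenticator))
             + attr(32, b"radius-probe")               # NAS-Identifier (made up)
             + attr(80, b"\x00" * 16))                 # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, pkt, digestmod=hashlib.md5).digest()
    return pkt[:-16] + mac

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def probe(host, secret, user, password, port=1812, timeout=5.0):
    """Send one request over UDP and report the reply code, if any.
    The reply authenticator is not verified; this is a reachability check."""
    pkt = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except (socket.timeout, ConnectionError):
            return "no reply"
    return CODES.get(reply[0], f"code {reply[0]}")

if __name__ == "__main__":
    # Placeholder host, secret and account: substitute test values of your own.
    print(probe("192.0.2.10", b"constructed-secret", "testuser", "testpass"))
```

Any reply code, even Access-Reject, shows the UDP path and shared secret handling are working; "no reply" points back at the network or firewall rules.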
jadrien (Jim Peters)
I’d be looking at the network traffic with something like Wireshark to understand how the protocol conversation is going. From what you describe, you seem to be getting through the network devices/firewalls to make a connection, but you have no visibility to how the conversation is going or if the protocols involved are failing. My guess is that the DC is not responding because you have only connected and not progressed to the next step of having a conversation. Maybe the set up process is not happening? Maybe the service on the DC isn’t picking up the connection and responding?
OK - tracked it back to a domain controller. The event log shows an Unknown user name or bad password. The user name of the Duo service account is being passed correctly, but the domain is being passed as “M” instead of MyDomain.
After many troubleshooting cycles, I have achieved Success!
Now to see if I can do it again on the second firewall. 
PSA - be careful about unconsciously translating between Windows “-” and Unix “_” name formats as you’re working through sample configs.
Since this particular combination has no official vendor documentation, I’ll be writing this up as a how-to for SW and sharing it with Barracuda and Duo.
In case someone else is trying this, I found a Gotcha that needs to be addressed on the Barracuda client…
As recently as the Barracuda NetworkAccessClient 4.1, there are two small changes required to keep the client from locking a user’s Duo account.
In the / each VPN connection profile, highlight it, click Modify.
Click on the Advanced Settings tab,
then locate the entries for One Time Password and Fast Reconnect.
Set One Time Password to Yes,
and Fast Reconnect to No.