Duo Login failing before push notification can be completed


Josh

Jun 15, 2020, 7:09:34 AM6/15/20
to Event-Driven Servers
Hi,

I'm having issues with authenticating against a Duo Authentication Proxy. When I go to log in, it gives me "Permission denied" almost immediately, followed by "Password incorrect." and "Access denied." I can see the RADIUS packet passing to the Duo server and back with the correct RADIUS attribute for matching to the group membership.

I can sign in with the non-RADIUS user successfully, and the mavistest works fine also. I've set the line vty timeout login response to 60 on the switch also.

Config below:
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
id = tac_plus {
    retire timeout = 3600
    access log = /var/log/tac_plus/access.txt
    accounting log = /var/log/tac_plus/accounting.txt
    authentication log = /var/log/tac_plus/authentication.txt

    mavis module = external {
        exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
        setenv RADIUS_HOST = 10.1.1.12:1812
        setenv RADIUS_SECRET = "josh456"
        setenv RADIUS_GROUP_ATTR = Filter-Id
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        address = 0.0.0.0/0
        welcome banner = "\nJosh Testing\n\n"
        key = "josh123"
    }
    group = JOSH_RW {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
    user = joshtac {
        login = clear joshjoshjosh
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
}

Any help would be greatly appreciated.

Cheers,
Josh

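A quick way to check whether the proxy answers within the window a push approval needs is to time a single RADIUS round trip from the tac_plus host. The following is an added example, not part of the thread or of tac_plus/MAVIS; it assumes the host and shared secret from the config above plus placeholder credentials, and implements RFC 2865 PAP password hiding and Response Authenticator checking itself so it runs with only the standard library.

```python
import hashlib, os, socket, struct, time

RADIUS_HOST, RADIUS_PORT, SECRET = "10.1.1.12", 1812, b"josh456"  # from the thread's config (placeholders)

def encode_pap_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(hidden, secret, authenticator):
    """Inverse of encode_pap_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, user, password, secret):
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = encode_pap_password(password.encode(), secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in ((1, user.encode()), (2, hidden)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(resp, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return len(resp) >= 20 and resp[4:20] == hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()

def time_radius_auth(user, password, host=RADIUS_HOST, port=RADIUS_PORT, secret=SECRET, timeout=90.0):
    """Send one Access-Request; return (outcome, seconds). A push needs tens of seconds, so timeout must cover it."""
    auth = os.urandom(16)
    pkt = build_access_request(os.urandom(1)[0], auth, user, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(pkt, (host, port))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout", time.monotonic() - start
    finally:
        sock.close()
    if not response_is_authentic(resp, auth, secret):
        return "bad-authenticator", time.monotonic() - start
    codes = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return codes.get(resp[0], f"code-{resp[0]}"), time.monotonic() - start
```

Call time_radius_auth("joshtac", "<password>") while approving the push; if the elapsed time reported exceeds the timeout the MAVIS backend or the switch applies, that is the window that has to be widened.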

Andrew Duey

Nov 4, 2021, 3:16:44 PM11/4/21
to Event-Driven Servers
Josh,

Did you ever find a resolution?

I know your post is quite old but I ran across the exact same issue last night (at least it appears the same) where we're using Duo as our LDAP proxy. We're using the same Duo LDAP authproxy for other LDAP authenticating tools just fine, however the mavis LDAP appears to time out FAST. It looks like within a second, but the fastest I can get and reply to a Duo prompt is about 3 seconds. The awesome part is that it hammers the Duo LDAP proxy, so once you attempt to authenticate you get endless Duo prompts (I answered about 20 before I gave up).

I've reproduced the issue using the mavis test tool (I'm actually using TACACSGUI).

If I set the MAVIS LDAP to authenticate directly against my Windows AD it succeeds, and I'm 99% certain it's a timeout issue somewhere in the MAVIS code, but I have yet to find anything myself.

Did you find anything or choose a different route?

Thanks,
--Andrew

johol...@gmail.com

Nov 8, 2021, 5:53:52 AM11/8/21
to Event-Driven Servers
Hello Andrew,
have you tried setting LDAP_CONNECT_TIMEOUT?
Here is the description from the perl script:
LDAP_CONNECT_TIMEOUT
    Timeout for initital connect to remote LDAP server. Default: 5

Cheers,
Joerg

Andrew Duey

Nov 9, 2021, 11:56:23 AM11/9/21
to Event-Driven Servers
Joerg,

Thanks for reaching out! Yes, I did try it and it didn't seem to help, but I might have screwed something up, more on that below. It actually doesn't appear to be a timeout issue; it appears to be some difference in the data returned by the Duo LDAP proxy.

I'll start a new thread with my issue so as not to hijack this thread since it might not be directly related.

Thanks for the response.
--Andrew