Authentication Issues - Duo Security Two Factor Auth for OpenVPN & FreeRADIUS3
Hi everyone. I am trying to secure my OpenVPN instances using two-factor authentication. I do not want to have to enter a one-time PIN every time that I connect, so I have chosen Duo Security's Push notification method. I have followed multiple guides, including those on Duo's website, in order to set up Duo's Authentication Proxy and integrate it with pfsense's FreeRADIUS3 server and OpenVPN. Both the Duo Auth Proxy logs and the FreeRADIUS logs show successful log-in attempts, but pfsense will not successfully authenticate, and OpenVPN will not successfully connect. I have changed the authentication timeout value on FreeRADIUS to 60 seconds and 3 retries. On pfsense, I have tried to authenticate to the Duo Auth Proxy through the Diagnostics > Authentication menu. If I select the pfsense FreeRADIUS server as the authentication source, it will authenticate successfully. If I select the Duo Auth Proxy as the authentication source, I will receive a push notification from Duo on my phone, but immediately after clicking "Accept" on the push notification, pfsense says that the authentication failed. If I attempt to connect to pfsense's FreeRADIUS server directly using OpenVPN, it will connect without issue. If I try to connect using Duo's Auth Proxy, I will receive a push notification to my phone, but after clicking "Accept" on my phone, OpenVPN will not connect. I have checked the logs while attempting to connect, and both the FreeRADIUS and the Duo Auth Proxy logs show that the login was successful. It seems as though pfsense does not know how to accept the successful log-in message from the Duo Auth Proxy? I am running the Duo Auth Proxy on an Ubuntu Server VM. I do not run Windows, so I do not have the Active Directory integration option.
Another thing that I found odd is that multiple how-to articles, including the guides on Duo's website, indicate that you should be able to append ",push" or ",12345" (whatever the one-time PIN is) to the end of your password when attempting to authenticate, and the Duo Auth Proxy would know which method you were using to authenticate. When I try this through the Diagnostics > Authentication menu on pfsense, I immediately get an "Authentication Failure" message. It doesn't even attempt to send me a push notification through Duo, which leads me to believe that the Duo Auth Proxy isn't parsing the option from the password when it authenticates with the FreeRADIUS server initially.
Below is my Duo Auth Proxy configuration and logs from FreeRADIUS and the Duo Auth Proxy, showing that the authentication attempts were successful. Any help would be greatly appreciated!
pfsense info:
pfsense 2.4.2-RELEASE-p1 (amd64)
FreeRADIUS3

Duo Auth Proxy Config:
[radius_client]
host=xxx.xxx.xxx.xxx #This is the pfsense IP address for FreeRADIUS
secret=xxxxxxxxxxxx

[radius_server_auto]
ikey=xxxxxxxxxxxxxx
skey=xxxxxxxxxxxxx
api_host=api-xxxxxxxxx.duosecurity.com
radius_ip_1=xxx.xxx.xxx.xxx #This is the pfsense IP address for OpenVPN (same IP as client section)
radius_secret_1=xxxxxxxxxxxxx
failmode=safe
client=radius_client
port=1812
pass_through_all=true #I tried without this option and received the same results.

FreeRADIUS Log:
Wed Feb 14 18:21:38 2018 : Auth: (4) Login OK: [test.user] (from client duoproxy port 0)
Duo Auth Proxy Log (actual IP addresses have been replaced):
2018-02-14T18:21:38-0600 [DuoForwardServer (UDP)] Sending request from 1.1.1.1 to radius_server_auto
2018-02-14T18:21:38-0600 [DuoForwardServer (UDP)] Received new request id 114 from ('1.1.1.1', 26897)
2018-02-14T18:21:38-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): login attempt for username u'test.user'
2018-02-14T18:21:38-0600 [DuoForwardServer (UDP)] Sending request for user u'test.user' to ('1.1.1.1', 1812) with id 24
2018-02-14T18:21:38-0600 [RadiusClient (UDP)] Got response for id 24 from ('11.1.1.1', 1812); code 2
2018-02-14T18:21:38-0600 [RadiusClient (UDP)] http POST to https://api-xxxxx.duosecurity.com:443/rest/v1/preauth
2018-02-14T18:21:38-0600 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: https://api-xxxxx.duosecurity.com:443/rest/v1/preauth>
2018-02-14T18:21:38-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('1.1.1.1', 26897), 114): Got preauth result for: u'auth'
2018-02-14T18:21:38-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://api-xxxxxx.duosecurity.com:443/rest/v1/auth
2018-02-14T18:21:38-0600 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: https://api-xxxxxx.duosecurity.com:443/rest/v1/auth>
2018-02-14T18:21:38-0600 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: https://api-xxxxxx.duosecurity.com:443/rest/v1/preauth>
2018-02-14T18:21:45-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('1.1.1.1', 26897), 114): Duo authentication returned 'allow': 'Success. Logging you in…'
2018-02-14T18:21:45-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('1.1.1.1', 26897), 114): Returning response code 2: AccessAccept
2018-02-14T18:21:45-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('1.1.1.1', 26897), 114): Sending response
2018-02-14T18:21:45-0600 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: https://api-xxxxxxx.duosecurity.com:443/rest/v1/auth>
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] Sending request from 1.1.1.1 to radius_server_auto
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): Received duplicate request
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): Sending response
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] Sending request from 1.1.1.1 to radius_server_auto
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): Received duplicate request
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): Sending response
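As an added example (not part of the original post, and not Duo's or pfSense's code), here is a small Python parser for the Duo Authentication Proxy log format quoted above. It groups lines by the proxy's ((client_ip, port), request_id) key, measures the time from "login attempt" to the returned RADIUS code, and counts "Received duplicate request" lines, which the proxy emits when the RADIUS client re-sends the same request id before it has received an answer; the sample log is constructed from the excerpt.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt in the post (not a verbatim copy).
SAMPLE_LOG = """\
2018-02-14T18:21:38-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): login attempt for username u'test.user'
2018-02-14T18:21:38-0600 [RadiusClient (UDP)] Got response for id 24 from ('1.1.1.1', 1812); code 2
2018-02-14T18:21:45-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('1.1.1.1', 26897), 114): Duo authentication returned 'allow': 'Success. Logging you in...'
2018-02-14T18:21:45-0600 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('1.1.1.1', 26897), 114): Returning response code 2: AccessAccept
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): Received duplicate request
2018-02-14T18:21:45-0600 [DuoForwardServer (UDP)] (('1.1.1.1', 26897), 114): Received duplicate request
"""

# Only lines carrying the proxy's request key "((ip, port), id): message" are correlated.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[[^\]]+\] \(\('(?P<ip>[\d.]+)', (?P<port>\d+)\), (?P<rid>\d+)\): (?P<msg>.*)$"
)
CODE_RE = re.compile(r"Returning response code (\d+): (\w+)")


def parse_ts(ts):
    # Proxy timestamps carry a numeric UTC offset (e.g. -0600), which %z accepts.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")


def correlate(log_text):
    """Group lines per RADIUS request and record latency, final code and retransmits."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # upstream RadiusClient/HTTP factory chatter has no request key
        key = (m["ip"], int(m["port"]), int(m["rid"]))
        req = requests.setdefault(
            key, {"start": None, "latency_s": None, "code": None, "result": None, "duplicates": 0})
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if msg.startswith("login attempt"):
            req["start"] = ts
        elif msg.startswith("Received duplicate request"):
            req["duplicates"] += 1  # same id re-sent by the client before it saw a reply
        else:
            c = CODE_RE.search(msg)
            if c and req["start"] is not None:
                req["code"], req["result"] = int(c.group(1)), c.group(2)
                req["latency_s"] = (ts - req["start"]).total_seconds()
    return requests


def diagnose(req):
    """Classify a request: an Accept that followed client retransmits is the suspicious case."""
    if req["code"] == 2 and req["duplicates"]:
        return "accept-after-retransmit: proxy answered after %.0fs, client had re-sent %d time(s)" % (
            req["latency_s"], req["duplicates"])
    return "accept" if req["code"] == 2 else "reject-or-incomplete"
```

Running `diagnose(correlate(SAMPLE_LOG)[("1.1.1.1", 26897, 114)])` reports an Accept issued 7 seconds after the login attempt with two retransmits, i.e. the RADIUS client's own retry timer fired while the push was still pending.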