Not pass through local IP to Duo
-
I'm using pfSense just as a router/firewall (no VPN).
There is a Windows server in the LAN that is protected by Duo. Now Duo should let local logins go through without prompts.
But Duo doesn't see the local IP, I just get 0.0.0.0 on my phone. I found something on Reddit about this that should be fixed in 2.4:
"I know for a fact that the pfsense openvpn instantiation does not pass user IP info back. Typically I have seen VPN services send user IP info in the form of a Calling-Station-ID AVP, and pfsense does not send this. I believe there is a change coming in 2.4 to include the Called-Station-ID attribute, which would be the IP address of the pfsense interface on which the VPN service "lives"."
I'm on 2.4.5-RELEASE-p1 (amd64). Is there a way to get around this problem?
-
You probably need to explain exactly what you are doing. Are you trying to hit a Duo protected service from the local network? I don't think that thing from Reddit applies to your situation.
-
I have a Duo protected Windows server in my home network.
During login to the Windows server there is an MFA push to my phone that I can approve. It can bypass requests from the public IP (if you enter this in Duo admin).
However my phone shows 0.0.0.0 in the push notification.
When testing I use a Windows laptop to connect with RDP to the server in the same vlan (I have no vlan's).
It looks like Duo is unable to see where the login request is coming from. So even when I'm home in the same IP range I get this Duo push which can be a little annoying. It would be nice if I could whitelist my public IP in Duo.
-
@banana-man said in Not pass through local IP to Duo:
"RDP to the server in the same vlan (I have no vlan's)"
Pfsense has zero to do with that conversation.. So if your duo software running on the server is not sending your phone the IP, that has nothing to do with pfsense.
"It looks like Duo is unable to see where the login request is coming from"
How would that have anything to do with pfsense? If 192.168.1.100/24 talks to 192.168.1.101/24 pfsense is not part of that conversation. And has nothing to do with duo knowing that .100 is talking to it.
The only part of the process pfsense plays in this is allowing the duo software to talk outbound to the duo servers on port 443.. And possibly DNS to find those servers. But what IP the duo says is talking to it has nothing to do with pfsense.
Be it local or even through a vpn connection.
My guess is your problem is related to this:
https://help.duo.com/s/article/2302?language=en_US
"Why do I see "0.0.0.0" as the Access Device IP address in the Duo Admin Panel's Authentication Log? When connecting from a Windows 7 or Windows Server 2008 R2 machine using RDP version 8."
-
Actually I think he is talking about the bullet point above that, "When users can perform a local console logon (instead of a remote RDP or SSH session)."
Linked KB:
https://help.duo.com/s/article/4173?language=en_US
"Why does Duo Authentication for Windows Logon report the client IP address as 0.0.0.0 for local console logins?"
-
He never mentions local console login - but sure, that is more likely the problem than anything at all to do with pfsense.. Pfsense has no skin in this game at all..
In his first post he does mention local logins..
But this clearly states RDP from his laptop on the same LAN:
"When testing I use a Windows laptop to connect with RDP to the server in the same vlan"
No matter his problem - pfsense is not in this fight.. His fight is with his duo configuration and possibly RDP client issues.