
Duo 2FA + SophosUTM .. Half works.

Hi all

I have set up Duo 2FA to work with the Sophos, as per Duo's and Sophos's guide here:

https://community.sophos.com/kb/en-us/127334

I have the Duo Proxy using AD_client and it successfully authenticates me on the Duo Web Portal:

When I log into the User Portal, I use my full email address from AD, e.g. xxx@xxx.com, and my AD password.

I then receive a Push notification from Duo. I then click Accept, and then it takes me through to the OTP screen.

How come it is requesting me to set up an OTP? If I go ahead and add the QR code into Duo or Google Authenticator, I still see the same screen when logging in, e.g. the OTP page with the QR code keeps looping around as such.

What I want to do is have all users be able to log into both the Portal and the SSL-VPN using their Active Directory usernames (which is their email address) and passwords from AD, and have Duo do the 2FA. At the moment, it seems like it still wants 2FA passwords?

Any ideas on this? Is it possible to have both OTP and Duo 2FA working at the same time too?

Thanks 



  • Also, the logs from the VPN (you can see I've disabled Active Directory - but ideally would like both OTP and Duo to work). This was me logging in using my full email address, AD password and after having accepted the Duo Push notification, e.g. I received a Push notification on my phone.

    Thanks

    2018:02:19-03:45:17 remote aua[31730]: id="3006" severity="info" sys="System" sub="auth" name="Server 172.18.110.115 (adirectory) is disabled"
    2018:02:19-03:45:17 remote aua[31730]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.18.110.155 (radius)"
    2018:02:19-03:45:26 remote aua[31730]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
    2018:02:19-03:45:26 remote aua[31730]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="222.152.171.33" host="" user="xxxx@xxxx.co.uk" caller="portal" reason="DENIED"
    2018:02:19-03:54:28 remote aua[3197]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 130"

  • And here's the logs from the Duo Proxy - which seem to be OK. It seems that somewhere in the Sophos there is a problem?

    Thanks

    2018-02-19T03:54:28+0000 [DuoForwardServer (UDP)] Sending request from 172.18.150.100 to radius_server_auto
    2018-02-19T03:54:28+0000 [DuoForwardServer (UDP)] Received new request id 120 from ('172.18.150.100', 56564)
    2018-02-19T03:54:28+0000 [DuoForwardServer (UDP)] (('172.18.150.100', 56564), 120): login attempt for username u'xxxx@xxxx.co.uk'
    2018-02-19T03:54:28+0000 [DuoForwardServer (UDP)] Sending AD authentication request for 'xxxx@xxxx.co.uk' to '172.18.110.115'
    2018-02-19T03:54:28+0000 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x030AAAB0>
    2018-02-19T03:54:28+0000 [_ADAuthClientProtocol,client] http POST to api-2830198c.duosecurity.com:443/.../preauth
    2018-02-19T03:54:28+0000 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: xxxxxx.duosecurity.com:443/.../preauth>
    2018-02-19T03:54:28+0000 [duoauthproxy.modules.ad_client._ADAuthClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADAuthClientFactory object at 0x030AAAB0>
    2018-02-19T03:54:31+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('172.18.150.100', 56564), 120): Got preauth result for: u'auth'
    2018-02-19T03:54:31+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to xxxxxxduosecurity.com:443/.../auth
    2018-02-19T03:54:31+0000 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: xxxxxx.duosecurity.com:443/.../auth>
    2018-02-19T03:54:31+0000 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: xxxxxx.duosecurity.com:443/.../preauth>
    2018-02-19T03:54:38+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('172.18.150.100', 56564), 120): Duo authentication returned 'allow': 'Success. Logging you in...'
    2018-02-19T03:54:38+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('172.18.150.100', 56564), 120): Returning response code 2: AccessAccept
    2018-02-19T03:54:38+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('172.18.150.100', 56564), 120): Sending response
    2018-02-19T03:54:38+0000 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: xxxxxduosecurity.com:443/.../auth>
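
A log-triage sketch for the two excerpts above, added here as an example and not part of the original posts or of Sophos or Duo tooling: it pairs each UTM `Authentication failed` event with the message the same `aua` process logged just before it, then checks what the Duo proxy returned for that user. The function names and the verdict label are hypothetical, and matching is by username only because the two excerpts in the thread carry different timestamps.

```python
import re

# Sample input: lines copied from the logs quoted in the thread above.
UTM_LOG = """\
2018:02:19-03:45:17 remote aua[31730]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.18.110.155 (radius)"
2018:02:19-03:45:26 remote aua[31730]: id="3006" severity="info" sys="System" sub="auth" name="OTP verification did not succeed, failing authentication."
2018:02:19-03:45:26 remote aua[31730]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="222.152.171.33" host="" user="xxxx@xxxx.co.uk" caller="portal" reason="DENIED"
"""
DUO_LOG = """\
2018-02-19T03:54:28+0000 [DuoForwardServer (UDP)] (('172.18.150.100', 56564), 120): login attempt for username u'xxxx@xxxx.co.uk'
2018-02-19T03:54:38+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] (('172.18.150.100', 56564), 120): Returning response code 2: AccessAccept
"""

AUA = re.compile(r'^(\S+) \S+ aua\[(\d+)\]: (.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')
DUO_REQ = re.compile(r"\(\('([\d.]+)', (\d+)\), (\d+)\): (.*)$")

def utm_denials(log):
    """Return each id=3005 denial with the message logged just before it by the same aua pid."""
    last_msg, out = {}, []
    for line in log.splitlines():
        m = AUA.match(line.strip())
        if not m:
            continue
        ts, pid, rest = m.groups()
        f = dict(KV.findall(rest))
        if f.get("id") == "3005":
            out.append({"ts": ts, "user": f.get("user"),
                        "caller": f.get("caller"), "stage": last_msg.get(pid, "")})
        else:
            last_msg[pid] = f.get("name", "")
    return out

def duo_results(log):
    """Map username -> final RADIUS response, keyed per (client ip, port, request id)."""
    users, results = {}, {}
    for line in log.splitlines():
        m = DUO_REQ.search(line)
        if not m:
            continue
        key, msg = m.group(1, 2, 3), m.group(4)
        u = re.match(r"login attempt for username u?'([^']*)'", msg)
        r = re.match(r"Returning response code \d+: (\w+)", msg)
        if u:
            users[key] = u.group(1)
        elif r and key in users:
            results[users[key]] = r.group(1)
    return results

def triage(utm_log, duo_log):
    """Label denials where the UTM's own OTP step failed although RADIUS accepted."""
    radius = duo_results(duo_log)
    def verdict(d):
        otp = "OTP verification" in d["stage"]
        return "utm-otp-after-radius-accept" if otp and radius.get(d["user"]) == "AccessAccept" else "other"
    return [(d["user"], d["caller"], verdict(d)) for d in utm_denials(utm_log)]
```
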
