gattac
New Member
September 25, 2024
Question

7.2.10 Breaks DUO Radius proxy

  • September 25, 2024
  • 8 replies
  • 19638 views

We have a few customers who use the DUO Radius proxy to provide 2FA for the VPN. After an automatic update to 7.2.10 the user receives the DUO prompt, but authentication never completes. There is a known bug in the release notes about RADIUS not working in the UI, and the workaround is to use the CLI to test authentication, but nothing about it breaking any actual functionality.

For now we have rolled back to 7.2.9 but just wanted to give a heads up.

8 replies

saleha
Staff & Editor
September 25, 2024

Hi gattac,

Thank you for reaching out. I assume this is relevant to changes done on 7.2.10 to mitigate against a radius vulnerability as described on release notes here:
https://docs.fortinet.com/document/fortigate/7.2.10/fortios-release-notes/5880/radius-vulnerability

You can try RADSEC, which is TLS authentication. An example of such a deployment is at the following link:

https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/729374/configuring-a-radsec-client

Thank you,

saleha

Toshi_Esumi
SuperUser
September 25, 2024

@saleha
Even feroz_ftnt's comment in this reddit thread is not clear.
https://www.reddit.com/r/fortinet/comments/1fnrpf8/fortigate_200f_radius_response_fails_after/

Is this a problem triggered by FortiOS 7.2.10 started attaching Message-Authenticator(80) attribute and Duo doesn't reply with the correct attribute value after re-calculation, or just doesn't reply?
Or is this FortiOS 7.2.10's bug miscalculating the replied value from Duo?

The FGT GUI issue described in the thread has to be a separate issue only for the testing method, because that doesn't involve actual user authentication being incomplete.

Toshi

amuda
Staff
September 26, 2024
Toshi_Esumi
SuperUser
September 26, 2024

@amuda So are you saying Duo is not set up properly to reply to FGT's Auth Request with the Message-Authenticator attribute (80), or in other words the Duo server side is ignoring the attribute? I'm asking this because the KB is stating below:
"To fix this, enable the message-authenticator attribute on the third-party RADIUS server to include on its RADIUS messages."

And, @gattac Can you confirm this is indeed the fact? To confirm, you have to go back to 7.2.10 again after changing the setting, whatever it is, on the Duo side though.


Toshi

pminarik
Staff
September 26, 2024

Given that Duo are currently handwaving the issue away (for perfectly valid reasons IMO), I think it's safe to assume they don't utilize Message-Authenticator at all and thus the new FortiOS versions will reject their replies. Otherwise I see no reason why they wouldn't just happily confirm that they're already capable of dealing with this attack vector.

Toshi_Esumi
SuperUser
September 26, 2024

So my conclusion for this issue, based on the last couple of days of research over this community's posts and Reddit posts, is that the only solution with 7.2.10/7.4.5 or newer versions that would come out in the future is to set the Duo Auth proxy to bypass the Message-Authenticator attribute, or all attributes, to/from a backend auth server like Windows NPS/AD, since the Duo proxy itself doesn't support the attribute or TLS/RadSec at this moment.
https://help.duo.com/s/article/9014?language=en_US
https://help.duo.com/s/article/8930?language=en_US

Toshi

saleha
Staff & Editor
September 26, 2024

Hi Toshi_Esumi,

I hope the following clears up the information:
- FortiOS 7.2.10, 7.4.5 and the future release 7.6.1 also require the message-authentication attribute in a RADIUS setup with UDP or TCP

- RADSEC or TLS is a way around this; however, it is currently not supported on DUO

- I have looked up the DUO page and can only find them referencing pass-through options that include message-authentication, as provided at the following pages:
https://help.duo.com/s/article/7537?language=en_US
https://help.duo.com/s/article/9014?language=en_US

- I am not sure if the above articles apply to all kinds of setup or just the DUO proxy setup

- DUO, according to the following announcement, are actively investigating allowing RADSEC authentication:

https://help.duo.com/s/article/8932?language=en_US

Thank you,

saleha

Toshi_Esumi
SuperUser
September 26, 2024

@saleha Thank you for confirming this, although the last doc you referred to, which I already read through yesterday, doesn't sound so promising.

Toshi

Scratchbuild1
New Member
September 27, 2024

Just ran into this today after upgrading from 7.2.9 to 7.2.10, using Duo Auth Proxy as the RADIUS server. One effective workaround for this that I worked out is to switch from using ad_client as the authentication source for Duo, to using radius_client. Thanks Saleha for this link:

https://help.duo.com/s/article/9014?language=en_US

That put me on the right track to realize that if you pass through the Message Authenticator attribute to a patched MS NPS server, you'll get one back too, and it will satisfy the Fortinet requirement introduced in 7.2.10. If you don't already have NPS configured to serve RADIUS, you'll need to configure it. Then set up your Duo Auth Proxy like this:

**********************

[radius_client]
; Backend RADIUS server: the patched NPS servers that return Message-Authenticator
host=<ip address of your primary NPS server>
host_2=<ip address of your secondary NPS server>
secret_protected=<removed>
; Forward every RADIUS attribute (including Message-Authenticator) to and from NPS
pass_through_all=true
retries=1

[radius_server_auto]
ikey=<removed>
skey_protected=<removed>
api_host=<removed>
; The FortiGate(s) allowed to send RADIUS requests to the proxy, and their shared secret
radius_ip_1=<the IP or subnet of your devices that use Duo for RADIUS authentication>
radius_secret_protected_1=<removed>
failmode=secure
; Primary authentication goes through the [radius_client] section above instead of ad_client
client=radius_client
port=1812
pass_through_all=true

*************************

You still need the [ad_client] section of the config file for synchronizing AD to the Duo cloud, but I didn't include it here because it doesn't change.

Note that pass_through_all is enabled for both the client and server section. I have my FortiGate configured to use MSCHAPv2 for the authentication type but I'm not sure that matters, as long as the NPS config is in agreement (note that if you do use MSCHAPv2 you also have to enable this registry setting on the NPS server and reboot):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy]
"Enable NTLMv2 Compatibility"=dword:00000001

Other than that, it's just a matter of setting up a RADIUS client on NPS that corresponds to your Duo Auth Proxy, and setting up a policy that allows access when the appropriate conditions are met (e.g. client friendly name, authentication type, Windows groups, etc).

Toshi_Esumi
SuperUser
September 27, 2024

I'm wondering if "ad_client" uses LDAP. Does anyone know?

Toshi

Scratchbuild1
New Member
September 27, 2024

Yes, ad_client uses LDAP. There are several choices for how to authenticate (mine is using SSPI) and you can choose to encrypt (LDAPS) or not, but it's definitely still AD over LDAP. I think that's actually at the heart of the issue: ad_client is an LDAP-based authentication source for Duo, so it can't generate a RADIUS Message-Authenticator attribute synthetically. The FortiGate sends the request back to Duo with Message-Authenticator because that half is RADIUS, but the back half is not RADIUS when it's ad_client, so it has no way to handle Message-Authenticator.
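
The attribute the whole thread turns on is RADIUS Message-Authenticator (type 80): an HMAC-MD5 keyed with the shared secret over the packet, computed per RFC 2869 section 5.14. The following is an added example, not code from this thread, from Fortinet or from Duo, and it models the behaviour the posts above describe (the client now requiring the attribute on every reply, and a proxy that never emits it) rather than FortiOS's or the Duo proxy's actual implementation. The shared secret, user name and NAS address are constructed values. It builds an Access-Request the way a client would, builds replies both with and without attribute 80 (placed first when present, as the Duo 6.4.2 note further down says), and shows a strict client rejecting the reply that lacks it while a legacy client accepts it, so the "prompt arrives but authentication never completes" symptom is reproduced offline.

```python
# RADIUS Message-Authenticator (attribute 80) build/verify demo. Added example; not Fortinet or Duo code.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80
ZERO16 = b"\x00" * 16


def encode_attrs(attrs):
    """Attributes are TLVs: Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(secret, code, ident, request_auth, attrs):
    """HMAC-MD5(secret) over the packet with the *Request* Authenticator in the
    authenticator field (for requests and replies alike) and the
    Message-Authenticator value itself set to 16 zero bytes (RFC 2869 5.14)."""
    zeroed = [(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def build_request(secret, ident, attrs, request_auth=None):
    """Access-Request as a client (e.g. a FortiGate) sends it, attribute 80 included."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)] + list(attrs)
    attrs[0] = (ATTR_MESSAGE_AUTHENTICATOR,
                message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, attrs))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def build_reply(secret, code, request, attrs, with_message_authenticator=True):
    """Reply as a RADIUS server builds it. With the flag off it mimics a server that
    never emits attribute 80 (the thread's description of the Duo proxy before 6.4.2).
    When emitted, the attribute is placed first."""
    ident, request_auth = request[1], request[4:20]
    attrs = list(attrs)
    if with_message_authenticator:
        attrs = [(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)] + attrs
        attrs[0] = (ATTR_MESSAGE_AUTHENTICATOR,
                    message_authenticator(secret, code, ident, request_auth, attrs))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), computed last.
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(secret, request, reply, require_message_authenticator=True):
    """Client-side check; returns (accepted, reason). The strict default models the
    behaviour the thread attributes to FortiOS 7.2.10/7.4.5 (assumption, not FortiOS code)."""
    if len(reply) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False, "length/identifier mismatch"
    request_auth, body = request[4:20], reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "bad Response Authenticator"
    attrs = decode_attrs(body)
    mac = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mac:
        if require_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "accepted without Message-Authenticator (legacy)"
    if len(mac[0]) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(message_authenticator(secret, code, ident, request_auth, attrs), mac[0]):
        return False, "bad Message-Authenticator"
    return True, "ok"


def demo():
    secret = b"constructed-shared-secret"  # constructed for the example, not a real secret
    req = build_request(secret, 7, [(ATTR_USER_NAME, b"alice"),
                                    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])
    with_ma = build_reply(secret, ACCESS_ACCEPT, req, [])
    without_ma = build_reply(secret, ACCESS_ACCEPT, req, [], with_message_authenticator=False)
    wrong_secret = build_reply(b"other-secret", ACCESS_ACCEPT, req, [])
    return {
        "strict_with_ma": verify_reply(secret, req, with_ma),
        "strict_without_ma": verify_reply(secret, req, without_ma),
        "legacy_without_ma": verify_reply(secret, req, without_ma, require_message_authenticator=False),
        "wrong_secret": verify_reply(secret, req, wrong_secret),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "strict_without_ma" case is the one the thread describes: the Response Authenticator is valid, so a pre-7.2.10 client would accept the Access-Accept, but a client that insists on attribute 80 drops it and the VPN login hangs after the Duo push. Passing the attribute through to a backend that does compute it (the NPS workaround above) or having the proxy emit it itself (Duo's force_message_authenticator) both end in the "strict_with_ma" path.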

FortiUsr
New Member
October 22, 2024

Duo released version 6.4.2 to fix this:

Version 6.4.2 - October 21, 2024

  • Adds the configuration option force_message_authenticator to radius_server modules.
    • Set force_message_authenticator to true to force the Authentication Proxy to include a message-authenticator attribute in reply packets.
  • Ensures that reply packets containing a message-authenticator attribute send that as the first attribute.

saleha
Staff & Editor
October 22, 2024

Hi FortiUsr,

Thank you for the informative update. Here is the page from DUO reflecting what you mentioned about DUO version 6.4.2 or later supporting this change:
https://help.duo.com/s/article/9014?language=en_US

Thank you,

saleha