
ISE and DuoProxy failmode=safe issue

mofnoc
Level 1

Hello,
We have trouble with connections when DuoProxy loses its connection to the Duo cloud server. According to the proxy configuration (failmode=safe), VPN users should still be able to connect, but actually they don't.
Our VPN users connect via Cisco AnyConnect; the VPN server device is an FTD. Two types of connection: credentials or smart card.
Some users are evaluated with Posture.

The Duo Proxy logs say that failmode works as expected: it sends AccessAccept back to ISE.
Proxy logs:
21:11:15.205007+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 42319), jsmith@m.local, 117): login attempt for username 'jsmith@m.local'
21:11:15.206000+0300 [duoauthproxy.lib.log#info] http POST to https://api-------.duosecurity.com:443/rest/v1/preauth
21:11:15.206995+0300 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: b'https://api------.duosecurity.com:443/rest/v1/preauth'>
21:11:15.702332+0300 [duoauthproxy.lib.log#critical] Duo preauth call failed
duoauthproxy.lib.duo_api.duo_api_errors.DuoAPIFailOpenError: API Request Failed: Error([('SSL routines', 'ssl23_read', 'ssl handshake failure')])
21:11:24.357291+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Failmode Safe - Allowed Duo login on preauth failure
21:11:24.357291+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Returning response code 2: AccessAccept
21:11:24.358295+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Sending response

The ISE RADIUS logs show "Authentication succeeded", but actually the connection attempt stops. Users with posture get stuck in "Pending" status.
When the proxy resumes its connection to the Duo cloud server, user authentication works fine again.

As I understand it, the proxy responds with the same code, but on the ISE side some trouble occurs.
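
With failmode=safe, every window in which the proxy cannot reach Duo is a window in which the second factor is not enforced, so the "Failmode Safe - Allowed Duo login on preauth failure" lines above are worth alerting on independently of the ISE stall. The script below is an added example written for this thread, not code from Duo, Cisco or the poster; it assumes the log line shape shown in the post (timestamp, `[logger#level]`, an optional `(('client', port), user, request_id):` prefix, then the message), and the sample log and `authproxy.cfg` fragment it parses are constructed to mirror the post. The config key `failmode` and the `[radius_server_auto]` section name are taken from Duo's documented configuration; the ikey/skey/secret values are placeholders.

```python
"""Find fail-open (failmode=safe) logins in Duo Authentication Proxy logs and
list config sections that would fail open. Added example for the thread above;
not Duo's or Cisco's code. Assumes the log format quoted in the post."""
import configparser
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: same line shape as the proxy log quoted in the post,
# plus a second user so the correlation logic has more than one event to find.
SAMPLE_LOG = """\
21:11:15.205007+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 42319), jsmith@m.local, 117): login attempt for username 'jsmith@m.local'
21:11:15.206000+0300 [duoauthproxy.lib.log#info] http POST to https://api-------.duosecurity.com:443/rest/v1/preauth
21:11:15.702332+0300 [duoauthproxy.lib.log#critical] Duo preauth call failed
duoauthproxy.lib.duo_api.duo_api_errors.DuoAPIFailOpenError: API Request Failed: Error([('SSL routines', 'ssl23_read', 'ssl handshake failure')])
21:11:24.357291+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Failmode Safe - Allowed Duo login on preauth failure
21:11:24.357291+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Returning response code 2: AccessAccept
21:11:24.358295+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Sending response
21:11:40.000000+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27309), adoe@m.local, 24): Failmode Safe - Allowed Duo login on preauth failure
21:11:40.001000+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27309), adoe@m.local, 24): Returning response code 2: AccessAccept
"""

# Constructed authproxy.cfg fragment (placeholder secrets). Section and key
# names follow Duo's documented config; values here are not from the post.
SAMPLE_CFG = """\
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SKEY
api_host=api-------.duosecurity.com
radius_ip_1=10.100.100.100
radius_secret_1=PLACEHOLDER_SECRET
failmode=safe
client=ad_client
port=1812
"""

# Timestamp, [logger#level], optional (('client', port), user, request_id): prefix, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}) "
    r"\[(?P<logger>[^\]]+)#(?P<level>\w+)\] "
    r"(?:\(\('(?P<client>[^']+)', (?P<port>\d+)\), (?P<user>[^,]+), (?P<req>\d+)\): )?"
    r"(?P<msg>.*)$"
)


@dataclass
class FailOpenLogin:
    ts: str
    client: str          # RADIUS client address as logged (the NAS/ISE side)
    user: str
    request_id: int
    access_accept: bool  # True once the matching "AccessAccept" line is seen


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one proxy log line into fields; None for traceback continuations etc."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_fail_open_logins(log_text: str) -> List[FailOpenLogin]:
    """Return one record per 'Failmode Safe' decision, correlated by
    (client, port, request_id) with the AccessAccept that followed it."""
    events: Dict[Tuple[str, str, str], FailOpenLogin] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] is None:
            continue  # HTTP chatter, the critical line, or the Python traceback line
        key = (rec["client"], rec["port"], rec["req"])
        msg = rec["msg"] or ""
        if msg.startswith("Failmode Safe"):
            events[key] = FailOpenLogin(rec["ts"], rec["client"], rec["user"], int(rec["req"]), False)
        elif "AccessAccept" in msg and key in events:
            events[key].access_accept = True
    return list(events.values())


def fail_open_sections(cfg_text: str) -> List[str]:
    """Config sections that fail open: failmode is 'safe' or absent
    (Duo's documented default is safe, so a missing key also fails open)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return [s for s in cp.sections()
            if cp.get(s, "failmode", fallback="safe").strip().lower() != "secure"]


if __name__ == "__main__":
    for ev in find_fail_open_logins(SAMPLE_LOG):
        print(f"{ev.ts} fail-open login user={ev.user} client={ev.client} "
              f"req={ev.request_id} access_accept={ev.access_accept}")
    print("sections that fail open:", fail_open_sections(SAMPLE_CFG))
```

Run against a real authproxy.log, each record marks a RADIUS request that was accepted without a second factor; shipping those to the SIEM gives a clear count of how many users passed through the outage. `fail_open_sections` is the review-time counterpart: deciding per section whether `failmode=secure` (deny when Duo is unreachable) is acceptable for that RADIUS client. Note that a secure failmode would also change the symptom reported above, since ISE would then see an AccessReject rather than an AccessAccept that goes nowhere.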

1 Reply

antisocial11224
Level 1

@mofnoc wrote:

Hello,
We have trouble with connections when DuoProxy loses its connection to the Duo cloud server. According to the proxy configuration (failmode=safe), VPN users should still be able to connect, but actually they don't.
Our VPN users connect via Cisco AnyConnect; the VPN server device is an FTD. Two types of connection: credentials or smart card.
Some users are evaluated with Posture.

The Duo Proxy logs say that failmode works as expected: it sends AccessAccept back to ISE.
Proxy logs:
21:11:15.205007+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 42319), jsmith@m.local, 117): login attempt for username 'jsmith@m.local'
21:11:15.206000+0300 [duoauthproxy.lib.log#info] http POST to https://api-------.duosecurity.com:443/rest/v1/preauth
21:11:15.206995+0300 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: b'https://api------.duosecurity.com:443/rest/v1/preauth'>
21:11:15.702332+0300 [duoauthproxy.lib.log#critical] Duo preauth call failed
duoauthproxy.lib.duo_api.duo_api_errors.DuoAPIFailOpenError: API Request Failed: Error([('SSL routines', 'ssl23_read', 'ssl handshake failure')])
21:11:24.357291+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Failmode Safe - Allowed Duo login on preauth failure
21:11:24.357291+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Returning response code 2: AccessAccept
21:11:24.358295+0300 [duoauthproxy.lib.log#info] (('10.100.100.100', 27308), jsmith@m.local, 23): Sending response

The ISE RADIUS logs show "Authentication succeeded", but actually the connection attempt stops. Users with posture get stuck in "Pending" status.
When the proxy resumes its connection to the Duo cloud server, user authentication works fine again.

As I understand it, the proxy responds with the same code, but on the ISE side some trouble occurs.


The DuoProxy logs indicate that the failmode is functioning correctly, as it allows Duo login despite the preauth failure when the connection to the Duo cloud server is lost. However, upon the resumption of the connection, authentication processes return to normal.

The problem likely lies with the ISE or VPN configuration handling the "AccessAccept" response from DuoProxy. It's possible that ISE is not processing the response correctly or encountering issues when attempting to proceed with authentication.

To troubleshoot further, you may want to investigate the configuration settings on ISE related to VPN authentication and posture evaluation. Ensure that the ISE policy sets are correctly configured to handle the "AccessAccept" response from DuoProxy. Additionally, check for any error messages or logs on the ISE side that may provide insight into why the authentication process is stalling despite receiving a successful response from DuoProxy.