WAF with radius authentication issue

I have been using UTM 9 for quite a while and had set up WAF with RADIUS authentication via Duo (duoauthproxy) with a form authentication page and it has worked well.

I am testing XG 17.5 and set up the same way.  I have the Firewall authentication set up for the Radius server.  I get prompted on my phone to ok the Duo request as expected, but then I get a steady stream of requests to approve (every second or two) while the page is loading.  The first attempt is successful, but all future attempts are failed:

 

date=2018-12-20 time=02:15:48 timezone="CST" device_name="SFVH" device_id=xxxx log_id=065010617707 log_type="Event" log_component="Web Application Firewall" log_subtype="Authentication" status="Successful" priority=Information user_name="xxxx" usergroupname="" auth_client="WAF" auth_mechanism="RADIUS" reason="" src_ip=x.x.x.x message="User xxxx logged in successfully to WAF through RADIUS authentication mechanism" name="" src_mac=

date=2018-12-20 time=02:15:49 timezone="CST" device_name="SFVH" device_id=xxxx log_id=065010517708 log_type="Event" log_component="Web Application Firewall" log_subtype="Authentication" status="Failed" priority=Notice user_name="xxxx" usergroupname="" auth_client="WAF" auth_mechanism="RADIUS" reason="wrong credentials" src_ip=x.x.x.x message="User xxxx failed to login to WAF through RADIUS authentication mechanism because of wrong credentials" name="" src_mac=

 

Radius is working well with SSL VPN as expected.  It seems the WAF is not working as it should, to me.  If I use local authentication, WAF works fine.  It only balks at radius for some reason.  I may test a different radius server (bypass duoauthproxy) and if I do I will post an update.

 

I am a rather advanced home user (I've managed a lot of infrastructure professionally), but just can't crack this nut.  Can anyone help?  I am willing to post screenshots, I just did not want to junk up the first post unnecessarily if this is a known bug or something.  I did see another post similar, but not quite the same.
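A defender-side check for the symptom described above, added here as an example (it is not code from the original post or from Sophos): it parses XG key=value event lines like the two quoted in the post (the samples below are constructed, with placeholder user names and IPs) and flags any user whose WAF RADIUS attempts cluster within a few seconds, noting whether a success is immediately followed by a "wrong credentials" failure, the pattern a reused one-time passcode produces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Sophos XG key=value log format (abbreviated
# fields; "x.x.x.x" and the user names are placeholders, not real values).
SAMPLE_LOG = """\
date=2018-12-20 time=02:15:48 timezone="CST" log_component="Web Application Firewall" log_subtype="Authentication" status="Successful" user_name="alice" auth_client="WAF" auth_mechanism="RADIUS" reason="" src_ip=x.x.x.x src_mac=
date=2018-12-20 time=02:15:49 timezone="CST" log_component="Web Application Firewall" log_subtype="Authentication" status="Failed" user_name="alice" auth_client="WAF" auth_mechanism="RADIUS" reason="wrong credentials" src_ip=x.x.x.x src_mac=
date=2018-12-20 time=02:15:50 timezone="CST" log_component="Web Application Firewall" log_subtype="Authentication" status="Failed" user_name="alice" auth_client="WAF" auth_mechanism="RADIUS" reason="wrong credentials" src_ip=x.x.x.x src_mac=
date=2018-12-20 time=02:20:00 timezone="CST" log_component="SSL VPN" log_subtype="Authentication" status="Successful" user_name="bob" auth_client="SSLVPN" auth_mechanism="RADIUS" reason="" src_ip=x.x.x.x src_mac=
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')

def parse_line(line):
    """Parse one XG event line into a dict (empty bare values become "")."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def waf_radius_events(log_text):
    """Return (timestamp, user, status, reason) for WAF+RADIUS auth events only."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("auth_client") != "WAF" or rec.get("auth_mechanism") != "RADIUS":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, rec["user_name"], rec["status"], rec.get("reason", "")))
    return events

def find_auth_storms(log_text, window_seconds=10, min_attempts=2):
    """Per user: max WAF RADIUS attempts inside any window_seconds window, and
    whether a success was directly followed by a 'wrong credentials' failure."""
    by_user = defaultdict(list)
    for ts, user, status, reason in waf_radius_events(log_text):
        by_user[user].append((ts, status, reason))
    report = {}
    for user, evs in by_user.items():
        evs.sort()
        max_in_window = max(
            sum(1 for t, _, _ in evs[i:] if (t - t0).total_seconds() <= window_seconds)
            for i, (t0, _, _) in enumerate(evs))
        replay = any(a[1] == "Successful" and b[1] == "Failed" and b[2] == "wrong credentials"
                     for a, b in zip(evs, evs[1:]))
        if max_in_window >= min_attempts:
            report[user] = {"attempts_in_window": max_in_window,
                            "success_then_wrong_credentials": replay}
    return report
```

On the samples, `find_auth_storms(SAMPLE_LOG)` reports only `alice` (three attempts in two seconds, success followed by a failed re-auth); the SSL VPN event for `bob` is ignored because only `auth_client="WAF"` lines are counted.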



  • Update:  I tested bypassing my duoauthproxy and I was allowed to get in.  However - I had 45 login attempts from the WAF just to load a single page.

    This doesn't seem appropriate to me.

    I created an index page with only Hello World! (no HTML, just the text), and set to bypass duoauthproxy.  It allowed me in without issue, but it still attempted two authentications.  Using duo, the second auth fails.  I am using PUSH with duo, but even appending the passcode it fails (cannot use the same passcode multiple times).

    Everything looks the same between the UTM settings and the XG settings.  Any other ideas why the WAF module is requesting so many authentications?

  • Even when set to local I get a lot of login requests per the logs. Not just the initial login.  Is this related to Radius SSO or something?

  • I've experienced the same exact issue during some limited POC testing. Best I could tell, it had something to do with how the backend application was redirecting and opening web sockets. Could be wrong though, and I didn't really have time to explore further.

  • I have given up on using the XG for the authentication via Radius.  I have moved my UTM behind the XG and set up a port forward to it.  This way I can use the UTM to perform the LetsEncrypt renewals natively and keep the certification up to date.  I need to figure out how to use the REST API to copy the certificate to the XG box, but that can wait.

  • This should, as far as I know, work with V18.

    As we integrate a radius timeout, this is actually crucial to work with radius services like DUO.
