Mobile VPN with IKEv2 & Duo 2FA

I'm attempting to set up Mobile VPN with IKEv2 with Duo 2FA and am struggling.
Has anyone got IKEv2 and Duo to work together?

I am able to successfully VPN using Mobile VPN with IKEv2 with RADIUS (Windows NPS) and no Duo Authentication Proxy Manager. In that scenario, I have no 2FA.

But, when I attempt to VPN with Duo 2FA (Duo Authentication Proxy Manager sitting between the firebox and NPS) I am unsuccessful.

Below are the steps.

Using the Windows VPN profile, I click on "Connect" and it says "Verifying your sign-in info".
I get a Duo notification on my mobile device and approve it.
The Windows VPN attempt states that it cannot connect.

I took a look at the Firebox System Manager Traffic Monitor and I see a log message, "admd RADIUS:check RADIUS authenticator (x.x.x.x) failed." (x.x.x.x is the IP address of the Duo Auth Proxy Mgr.)

I looked at the Duo Authentication Proxy Manager authproxy.log file and I can see log lines that show my firebox IP address followed by
"Duo authentication returned 'allow': 'Success. Logging you in...'"
"Returning response code 2: AccessAccept"
"Sending response"

On the Windows NPS I can see logs that show communications between NPS and the Duo Authentication Proxy Manager.

So, I believe the communication chain from the Firebox to the Duo Auth Proxy Manager to the NPS is there, but I can't figure out why the Firebox Traffic Monitor is showing "admd RADIUS:check RADIUS authenticator."

I believe I have the NPS Network Policy configured correctly. I have my group listed and a filter-id with my group name in it. My user is a member of that group.

Best Answer

  • james.carson Moderator, WatchGuard Representative

    Hi @WindMill262

    The most common reasons that we see this message are:
    - The shared secret between the Firebox and the host it is talking to is incorrect.
    - The time between the two systems is off and needs to be synced.

    -James Carson
    WatchGuard Customer Support
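The following is an added example, not code from the thread, from WatchGuard or from Duo. It reproduces the RFC 2865 Response Authenticator check that any RADIUS client (the Firebox here) performs on an Access-Accept, so you can see why a mismatched shared secret produces an authenticator failure on the Firebox even though the proxy's own log says "Returning response code 2: AccessAccept": the proxy signs the reply with its copy of the secret, and the Firebox recomputes the MD5 with its own copy. The secrets, Request Authenticator and group name below are constructed sample values; the `demo()` helper and the other function names are this example's own.

```python
# Added example (not from the forum thread, WatchGuard or Duo): models the RFC 2865
# Response Authenticator check a RADIUS client performs on an Access-Accept, to show
# how a shared-secret mismatch surfaces as "check RADIUS authenticator ... failed".
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RADIUS Code for Access-Accept (RFC 2865 section 4.2)
HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed sample values; none of these come from the thread.
REQUEST_AUTHENTICATOR = bytes(range(16))     # the 16 random bytes the client put in its Access-Request
SECRET_ON_FIREBOX = b"firebox-proxy-secret"  # secret as typed on the RADIUS client (Firebox)
SECRET_ON_PROXY = b"firebox-proxy-secret"    # matching secret on the server side (Duo proxy)
SECRET_TYPO = b"firebox-proxy-secert"        # a mistyped copy of the secret


def filter_id_attribute(group_name: str) -> bytes:
    """Encode a Filter-Id attribute (Type 11) carrying a group name, as the NPS policy in the thread does."""
    value = group_name.encode()
    return struct.pack("!BB", 11, 2 + len(value)) + value


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_access_accept(identifier, attributes, request_authenticator, secret):
    """What the server side (the Duo proxy in the thread) sends back: header, authenticator, attributes."""
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attributes, request_authenticator, secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """The client-side check: recompute the authenticator with the locally configured secret and compare."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):           # truncated or padded packet
        return False
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(received, expected)


def demo():
    """Returns (verification result with matching secrets, result with a mismatched secret)."""
    attrs = filter_id_attribute("VPN-Users")  # constructed group name
    reply = build_access_accept(7, attrs, REQUEST_AUTHENTICATOR, SECRET_ON_PROXY)
    good = verify_response(reply, REQUEST_AUTHENTICATOR, SECRET_ON_FIREBOX)
    bad = verify_response(reply, REQUEST_AUTHENTICATOR, SECRET_TYPO)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("matching secret:  ", "accepted" if good else "check RADIUS authenticator failed")
    print("mismatched secret:", "accepted" if bad else "check RADIUS authenticator failed")
```

Two things follow from the check. First, the secret that matters for this log line is the one shared between the Firebox and the host it sends requests to; with the Duo proxy in the path that is the Firebox-to-proxy secret, not the proxy-to-NPS one, because the proxy answers the Firebox with its own Response Authenticator. Second, the proxy and NPS can both log a successful authentication while the Firebox still rejects the reply, which is exactly the pattern in the question, so a healthy upstream log trail does not rule out a secret mismatch on the last hop.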

Answers

  • I updated the shared secret between the Firebox and the host and that resolved the issue. Thanks for the help.
