First time poster and unsure if correct location to post. We are currently testing DUO install and need to capture the MFA/DUOv2 API information sent from the Palo Alto management interface to DUO API.
How are you attempting to use DUO? A local or cloud server? Radius/LDAP or the PA built-in MFA DUOv2 profile? Passing the correct allow list from the PA to DUO? And have the correct allow list in DUO to whatever your corporate auth source is?
From your description, it sounds like DUO is working, just not the user/group query from the PA to DUO to match to a particular user.
Edit: And I suppose this thread should probably be in the Configuration Discussions forum... but....
Hmmm... OK, we use a local DUO server Radius connection (LDAP/AD DUO backend), I wasn't aware that MFA DUOv2 was available as a local server, I thought it was cloud only.
I would verify in your logs that you are not seeing anything unusual in the Authentication Profile, Logs -> System, then filter with (object eq [your-auth-profile-name]). You should see something like this in a success:
authenticated for user 'alice'. auth profile 'Duo', vsys 'vsys1', server profile 'DUO Radius', server address '126.96.36.199', auth protocol 'PAP', reply message 'Success. Logging you in...' From: 188.8.131.52.
Or this in a failure case with the reason:
failed authentication for user 'alice'. Reason: Invalid username/password. auth profile 'Duo', vsys 'vsys1', server profile 'Duo Radius', server address '184.108.40.206', auth protocol 'PAP', reply message 'Invalid username or password' From: 220.127.116.11.
But since you say phone MFA works, but SMS MFA doesn't, the error will probably just be a timeout. Sounds like it is a problem on the DUO side, like maybe it doesn't have an SMS senderID set when queried by the PA? So the SMS send fails. But I don't know the details in the DUO server very well. You have me stumped at the moment.
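Added example, not part of the original thread and not Palo Alto or Duo code: a small Python parser for the two System log message shapes quoted above, useful for sorting exported authentication events by result and reason. The field layout is assumed from those two messages only; the sample lines and their addresses (RFC 5737 documentation ranges) are constructed, and the function names are hypothetical.

```python
import re

# Field layout assumed from the success/failure messages quoted in the thread.
_FIELDS = re.compile(
    r"auth profile '(?P<auth_profile>[^']*)', "
    r"vsys '(?P<vsys>[^']*)', "
    r"server profile '(?P<server_profile>[^']*)', "
    r"server address '(?P<server_address>[^']*)', "
    r"auth protocol '(?P<auth_protocol>[^']*)', "
    r"reply message '(?P<reply_message>.*)' From: (?P<source>\S+?)\.?$"
)
_SUCCESS = re.compile(r"^authenticated for user '(?P<user>[^']*)'\.")
_FAILURE = re.compile(
    r"^failed authentication for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>.*?)\. auth profile "
)

# Constructed sample messages (not real log data).
SAMPLE = [
    "authenticated for user 'alice'. auth profile 'Duo', vsys 'vsys1', "
    "server profile 'DUO Radius', server address '192.0.2.10', auth protocol 'PAP', "
    "reply message 'Success. Logging you in...' From: 198.51.100.7.",
    "failed authentication for user 'alice'. Reason: Invalid username/password. "
    "auth profile 'Duo', vsys 'vsys1', server profile 'Duo Radius', "
    "server address '192.0.2.10', auth protocol 'PAP', "
    "reply message 'Invalid username or password' From: 198.51.100.7.",
    "unrelated system log line",
]

def parse_auth_event(message):
    """Return a dict of fields for an auth event, or None if the line is not one."""
    # Some exports escape the quotes as \' ; normalise before matching.
    msg = message.strip().replace("\\'", "'")
    head, result = _SUCCESS.match(msg), "success"
    if head is None:
        head, result = _FAILURE.match(msg), "failure"
    body = _FIELDS.search(msg)
    if head is None or body is None:
        return None
    return {"result": result, **head.groupdict(), **body.groupdict()}

def failures_by_user(messages):
    """Count failed authentications per (user, reason) pair."""
    counts = {}
    for ev in filter(None, map(parse_auth_event, messages)):
        if ev["result"] == "failure":
            key = (ev["user"], ev["reason"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Lines that match neither shape return None, so any other message text (for example, whatever the firewall logs for a timeout) is skipped rather than misclassified.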