How to capture the MFA API information sent from the Palo Alto management interface to DUO API


L1 Bithead

First-time poster and unsure if this is the correct location to post. We are currently testing a DUO install and need to capture the MFA/DUOv2 API information sent from the Palo Alto management interface to the DUO API.


L6 Presenter

How are you attempting to use DUO? A local or cloud server? Radius/LDAP or the PA built-in MFA DUOv2 profile? Passing the correct allow list from the PA to DUO? And have the correct allow list in DUO to whatever your corporate auth source is?


From your description, it sounds like DUO is working, just not the user/group query from the PA to DUO to match to a particular user.


Edit: And I suppose this thread should probably be in the Configuration Discussions forum... but....

L1 Bithead

Hi, thank you for the reply. If I can move the post, I will.

We are using Captive Portal and the PA built-in MFA DUOv2 profile, and this is for a local server, with an LDAP/AD backend. I'm unsure of the "allow list".

L6 Presenter

Hmmm... OK, we use a local DUO server Radius connection (LDAP/AD DUO backend). I wasn't aware that MFA DUOv2 was available as a local server; I thought it was cloud only.


I would verify in your logs that you are not seeing anything unusual for the Authentication Profile: go to Logs -> System, then filter with (object eq [your-auth-profile-name]). You should see something like this on a success:

authenticated for user 'alice'. auth profile 'Duo', vsys 'vsys1', server profile 'DUO Radius', server address '1.2.3.4', auth protocol 'PAP', reply message 'Success. Logging you in...' From: 5.6.7.8.


Or this in a failure case, with the reason:

failed authentication for user 'alice'. Reason: Invalid username/password. auth profile 'Duo', vsys 'vsys1', server profile 'Duo Radius', server address '1.2.3.4', auth protocol 'PAP', reply message 'Invalid username or password' From: 5.6.7.8.


But since you say phone MFA works but SMS MFA doesn't, the error will probably just be a timeout. Sounds like it is a problem on the DUO side, like maybe it doesn't have an SMS sender ID set when queried by the PA, so the SMS send fails. But I don't know the details of the DUO server very well. You have me stumped at the moment.
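As an added example (not from this thread or from Palo Alto), here is a small Python parser for the System log authentication lines quoted above, run over constructed sample lines: it pulls out the user, auth profile, server address, source and failure reason, restricts to one auth profile the way the (object eq ...) filter does, and tallies failures by reason so a timeout shows up separately from a bad password. The "Authentication timed out" reason text in the samples is an assumed placeholder, not a verified PAN-OS string.

```python
import re
from collections import Counter

# Constructed sample System log lines in the format quoted above; users, profiles
# and addresses are placeholders, not values taken from any real device.
SAMPLE_LOGS = [
    "authenticated for user 'alice'. auth profile 'Duo', vsys 'vsys1', server profile 'DUO Radius', "
    "server address '1.2.3.4', auth protocol 'PAP', reply message 'Success. Logging you in...' From: 5.6.7.8.",
    "failed authentication for user 'alice'. Reason: Invalid username/password. auth profile 'Duo', vsys 'vsys1', "
    "server profile 'Duo Radius', server address '1.2.3.4', auth protocol 'PAP', reply message 'Invalid username or password' From: 5.6.7.8.",
    "failed authentication for user 'bob'. Reason: Authentication timed out. auth profile 'Duo', vsys 'vsys1', "
    "server profile 'Duo Radius', server address '1.2.3.4', auth protocol 'PAP', reply message '' From: 5.6.7.9.",
    "authenticated for user 'carol'. auth profile 'LDAP-only', vsys 'vsys1', server profile 'AD', "
    "server address '1.2.3.5', auth protocol 'PAP', reply message 'Success' From: 5.6.7.10.",
    "commit job started by admin.",  # unrelated System log line, must be ignored
]

USER_RE = re.compile(r"for user '([^']*)'\.")
REASON_RE = re.compile(r"Reason: (.*?)\. auth profile ")  # present on failures only
FIELD_RE = re.compile(r"(auth profile|vsys|server profile|server address|auth protocol|reply message) '([^']*)'")
FROM_RE = re.compile(r"From: (\S+?)\.?$")  # source address, trailing period dropped

def parse_auth_event(line):
    """Return a dict for an authentication System log line, or None for any other line."""
    line = line.strip()
    if line.startswith("authenticated for user "):
        outcome = "success"
    elif line.startswith("failed authentication for user "):
        outcome = "failure"
    else:
        return None
    user, reason, src = USER_RE.search(line), REASON_RE.search(line), FROM_RE.search(line)
    event = {"outcome": outcome, "user": user.group(1) if user else None,
             "reason": reason.group(1) if reason else None, "src": src.group(1) if src else None}
    event.update(dict(FIELD_RE.findall(line)))  # 'auth profile', 'vsys', 'server address', ...
    return event

def summarize(lines, auth_profile=None):
    """Count outcomes, optionally for one auth profile (the '(object eq ...)' filter),
    and tally failures by (user, reason) so timeouts stand out from bad passwords."""
    outcomes, failures = Counter(), Counter()
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None or (auth_profile and ev.get("auth profile") != auth_profile):
            continue
        outcomes[ev["outcome"]] += 1
        if ev["outcome"] == "failure":
            failures[(ev["user"], ev["reason"])] += 1
    return outcomes, failures
```

Feed it the exported System log instead of SAMPLE_LOGS to see whether the DUO-profile failures are timeouts (DUO side) or credential rejections (auth source side).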

OK, sorry, to be clear: the DUO service is in the cloud. LDAP and Captive Portal. Thank you for your advice on checking the logs. How would we capture a PCAP of the egress API data that is being sent out to DUO? Can you do that from the firewall, or do you need some third device to sit in between?

L1 Bithead

If asked, is there any way to do that ourselves, or does PA support do that?

We need that PCAP, or could we use tcpdump and filter just the API calls to DUO? Duo support wants to see the API calls coming over and thinks it can help shed light on the information going to or from them.

L1 Bithead

How about this. Can we run tcpdump from the command line and PCAP the outbound traffic of the management interface? Can anyone point to that documentation or how to do it?


tcpdump X.X.X.X to X.X.X.X 443, and I'm thinking of the API commands.
