12-28-2021 03:41 PM
We are doing the same authentication, external DUO via radius, and had the same problem with phantom DUO requests. Eventually we came up with a work around, but with a few caveats.
1) GP Portal -> Authentication:
Setup your DUO authentication profile
2) GP Portal -> Agent -> [profile] -> Authentication:
Create an Authentication Override, select "Generate cookie for auth" (do not accept a cookie for auth), use a self-gen cert.
3) GP Portal -> Agent -> [profile] -> Authentication:
Under Components that Require Dynamic Passwords, check "Portal", "External Gateway - manual", and "External Gateway - auto".
4) GP Portal -> Agent -> [profile] -> App:
Turn off Use Single Sign-On.
5) GP Gateway -> Authentication:
Setup your DUO authentication profile.
6) GP Gateway -> Agent -> Timeout Settings:
Set a shorter "Login Lifetim"e interval for the gateway than the portal "GP App Config Refresh Interval" (under GP Portal -> Agent -> [profile] -> App).
7) GP Gateway -> Agent -> Client settings -> [profile] -> Authentication Override:
Select "Accept cookie for auth" (not generate), set a very short cookie lifetime (a few minutes), and select the cert you generated the cookie from on the portal.
So when you first connect, the GP client authenticates against the portal and get a DUO push. On successful auth the client gets pushed a cookie and immediately connects to the gateway, which bypasses the second DUO request there. When the gateway lifetime expires the client tries to reconnect automatically with the cookie and is rejected as expired. The client then prompts for user/pass do to the Dynamic Passwords override and waits for user input. You can re-enter your creds, get a DUO push from the gateway, and reconnect. When the portal refresh expires the client tries to reconnect to the portal automatically with the cookie and is rejected. As Dynamic Passwords is overriding, the portal will then prompt for user/pass IF the gateway is not already connected AND the gateway refresh has not already prompted.
Now the goofiness... Perhaps the biggest problem is that the portal can no longer refresh the GP client config. You will see the GP client try to automatically connect in the logs, but it is always rejected. In order to update the config you have to manually disconnect from the portal (disconnect or select a different portal if allowed) or reboot the PC. For users that always leave their PCs on/lock the PC and walk away with the VPN connected, this can create a problem with pushing portal/gateway config updates. Additionally, sometimes the user will briefly see the portal user/pass prompt after you have entered the gateway user/pass and are awaiting the DUO push to confirm. If you are fast and re-enter creds in that second prompt, thinking you mistyped the first, you will end up getting logged back out of the gateway and kicked all the way back to a new portal login.
It's working for us to have a single DUO sign-on and not have phantom DUO requests on timeout, but its not perfect. Currently, I'm trying to get certificate authentication working on the portal, and have DUO just on the gateway, so the client could auto refresh configs at any time, but so far I can't seem to get the client to supply the cert....
