Yiyang Xia

Fail to authenticate Aviatrix VPN Client using DUO-enabled Okta

Hello!

I'm using Okta for Aviatrix VPN authentication. Their website apparently supports using Okta: http://docs.aviatrix.com/HowTos/HowTo_Setup_Okta_for_Aviatrix.html

My problem is that after I set up the gateway with Okta authentication in Aviatrix, I cannot log in via the VPN client when DUO is enabled. The authentication simply failed with the following log:

2018-02-08 06:27:33 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-02-08 06:27:33 AUTH: Received control message: AUTH_FAILED
2018-02-08 06:27:33 SIGTERM[soft,auth-failure] received, process exiting

And on the Okta side I'm seeing the following two events in the sys log, but my phone was never prompted with any challenge.

[User-added image]

And I noticed in the "Evaluation of sign-on policy" event, the user-agent has the following property:

Browser UNKNOWN
OS Linux
RawUserAgent OktaOpenVPN/0.9.2 (Linux 3.13.0-74-generic) CPython/2.7.6

If I deactivate DUO, then the login will pass.

I want to know: is it supported to use DUO-enabled Okta for other platforms' authentication? If so, is it that Aviatrix is not calling Okta the right way?

Regards,
Yiyang
Aleks Bulajic (Okta, Inc.)
Hi Yiyang,

Thank you for reaching out today! While we currently do not have documentation around integrating the Aviatrix VPN, most factor options should be supported when authenticating to a VPN client via means of the Radius Agent and Radius App:

Radius Agent Deployment https://help.okta.com/en/prod/Content/Topics/DeploymentGuides/Radius_Server_Agent/radius-server-agent-dg.htm

Radius Application - https://help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm

Cisco ASA VPN Configuration Guide (indicates push is supported but may require adjusting a Timeout duration setting within the VPN configuration settings)  https://support.okta.com/help/Documentation/Knowledge_Article/Cisco-ASA-VPN-Configuration-Guide

As a suggestion, could you confirm if you are able to authenticate with any other factor methods such as SMS or Okta Verify Push, as well as determine if there are any settings available in the Aviatrix configurations where a timeout duration can be increased?

If you continue to run into issues, I would definitely suggest opening a case with Support so we can further assist with additional troubleshooting.

Thank you,

Aleks Bulajic
Technical Support Engineer
Okta Global Customer Care
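
A triage sketch for the OpenVPN client log quoted in the question, added here as an example and not part of the original thread or of any Aviatrix or Okta code: it measures how long the client waited between its first PUSH_REQUEST and the AUTH_FAILED reply, which helps judge whether a longer timeout, as suggested above, could make a difference. The function name `triage`, the 5-second threshold and the second log sample are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the three client log lines quoted in the question above.
QUESTION_LOG = """\
2018-02-08 06:27:33 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-02-08 06:27:33 AUTH: Received control message: AUTH_FAILED
2018-02-08 06:27:33 SIGTERM[soft,auth-failure] received, process exiting
"""

# Constructed sample (hypothetical): the client polls several times before failing.
SLOW_LOG = """\
2018-02-08 07:00:00 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-02-08 07:00:05 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-02-08 07:00:10 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2018-02-08 07:00:12 AUTH: Received control message: AUTH_FAILED
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
# Assumed threshold: a person needs at least a few seconds to approve a push.
HUMAN_RESPONSE_SECONDS = 5

def triage(log_text, threshold=HUMAN_RESPONSE_SECONDS):
    """Return (seconds_waited, push_requests, verdict) for each AUTH_FAILED."""
    results, first_push, pushes = [], None, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines without a leading timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if "'PUSH_REQUEST'" in msg:
            pushes += 1
            first_push = first_push or ts
        elif "AUTH_FAILED" in msg and first_push is not None:
            waited = int((ts - first_push).total_seconds())
            verdict = "immediate-reject" if waited < threshold else "waited-then-failed"
            results.append((waited, pushes, verdict))
            first_push, pushes = None, 0  # start fresh for the next attempt
    return results
```

For the log in the question, the rejection arrives in the same second as the first PUSH_REQUEST, so the server answered before any push could have been approved.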
Dylann Fezeu (Customer First Programs)
Hello,

Thanks for posting your inquiry in Okta Community Portal.

If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer."

Thank you,

Dylann Fezeu
Okta Help Center Team