I will assume you are using the Windows client VPN and RADIUS to Duo.
The answer is yes, and there is more than one way.
If you use LDAP between the Duo auth proxy and Active Directory, then use the "security_group_dn" option.
https://duo.com/docs/authproxy-reference
If you are using RADIUS between the Duo auth proxy and Windows NPS, you can have Windows NPS directly check for the user being a member of an AD group.
And to leave you with something to think about - I rarely do these kinds of configs anymore. For all new installs I use Cisco AnyConnect and SAML authentication. Cisco AnyConnect is an additional licence, but not that expensive.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication
In the case of Duo, all plans come with Duo Central, and you can authenticate directly against that.
When you create your SAML app in Duo you can specify a group that is allowed to use AnyConnect.
https://duo.com/docs/using-groups#using-groups-to-manage-application-access
Some cool things you can do with SAML and Duo:
- Much better user auditing and reporting [All Duo Editions].
- Inline password reset for users who have had their AD password expire [All Duo Editions].
- Use TXT, phone call, hardware tokens, ..., for authentication [All Duo Editions].
- User anomaly detected [All Duo Editions].
- Restrict access by country [Duo Beyond].
- Restrict access to only company authorised devices [Duo Beyond].
- Restrict access to machines meeting a health profile (minimum patch level, antivirus installed and running, machine not reporting it is infected, ...) [Duo Beyond].
Apart from the user auditing and reporting, all the other things can only be done using SAML authentication.
I would mention that you can also SAML authenticate against Office 365 - but you said you wanted to match on a group - and you can't do that with Azure AD (you have to authorize each individual user).
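For the LDAP option mentioned in the reply above, this is a sketch of an `authproxy.cfg` that limits primary authentication to one AD group. It is an added example, not part of the original reply or taken from Duo's documentation; every host name, IP address, DN and secret is a constructed placeholder.

```ini
; authproxy.cfg (added example; all values below are placeholders)

[ad_client]
; Domain controller the proxy binds to over LDAP
host=dc01.example.local
service_account_username=svc-duoproxy
service_account_password=REPLACE_ME
search_dn=DC=example,DC=local
; Only users in this group pass primary authentication.
; Put users directly in the group; do not rely on nested membership.
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=local

[radius_server_auto]
; Values from the RADIUS application in the Duo Admin Panel
ikey=REPLACE_ME
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
; The Meraki MX that sends client VPN RADIUS requests
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_ME
; Use the [ad_client] section above for primary authentication
client=ad_client
; Deny logins if the Duo service cannot be reached
failmode=secure
port=1812
```

After restarting the proxy service, test with one account inside the group and one outside it; the account outside the group should be rejected before any Duo prompt is sent.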