DUO using MFA and Active Directory Security Group

Solved
SteveDW
Here to help


I have seen a couple of messages lightly touch on the topic of Active Directory security groups, but they did not convey the exact information I am seeking. Is it possible to use an Active Directory security user group as an additional layer of security in combination with the Meraki client VPN and DUO MFA's radius server? I have used Cisco AnyConnect and FortiGate in the past, and granting access to the VPN was done by adding a user account into an Active Directory security group. It was basically a third layer of security. Thank you in advance.


5 Replies
PhilipDAth
Kind of a big deal

I will assume you are using the Windows client VPN and RADIUS to Duo.

 

The answer is yes, and there is more than one way.

 

If you use LDAP between the Duo auth proxy and Active directory, then use the "security_group_dn" option.

https://duo.com/docs/authproxy-reference 

 

If you are using RADIUS between the Duo auth proxy and Windows NPS, you can have Windows NPS directly check for the user being a member of an AD group.

 

 

And to leave you with something to think about - I rarely do these kinds of configs anymore. For all new installs I use Cisco AnyConnect and SAML authentication. Cisco AnyConnect is an additional licence, but not that expensive.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication 

In the case of Duo, all plans come with Duo Central, and you can authenticate directly against that.

 

When you create your SAML app in Duo you can specify a group that is allowed to use AnyConnect.

https://duo.com/docs/using-groups#using-groups-to-manage-application-access 


Some cool things you can do with SAML and Duo:

  • Much better user auditing and reporting [All Duo Editions].
  • Inline password reset for users who have had their AD password expire [All Duo Editions].
  • Use TXT, phone call, hardware tokens, ..., for authentication [All Duo Editions].
  • User anomaly detected [All Duo Editions].
  • Restrict access by country [Duo Beyond].
  • Restrict access to only company authorised devices [Duo Beyond].
  • Restrict access to machines meeting a health profile (minimum patch level, antivirus installed and running, machine not reporting it is infected, ...) [Duo Beyond].

Apart from the user auditing and reporting, all the other things can only be done using SAML authentication.

 

 

I would mention that you can also SAML authenticate against Office 365 - but you said you wanted to match on a group - and you can't do that with Azure AD (you have to authorize each individual user).
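
The `security_group_dn` approach from the reply above, as an added example that is not part of the original post and is not copied from Duo's documentation: a Duo Authentication Proxy `authproxy.cfg` fragment in which the MX sends RADIUS to the proxy and the proxy checks the AD password and group membership over LDAP before the Duo second factor. Every hostname, DN, IP address, key and secret is a placeholder.

```ini
; Added example: authproxy.cfg for Meraki client VPN -> Duo proxy -> AD over LDAP.
; Every hostname, DN, IP, key and secret below is a placeholder.

[ad_client]
; Domain controller and service account used for the LDAP bind (primary auth).
host=dc01.example.com
service_account_username=duo-svc
service_account_password=REPLACE_ME
; Base DN under which user accounts are searched.
search_dn=DC=example,DC=com
; Only direct members of this group pass primary authentication.
; Nested group membership is not evaluated.
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=com

[radius_server_auto]
; Values from the application protected in the Duo Admin Panel.
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; The MX that sends RADIUS requests, and the shared secret configured on it.
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_WITH_SHARED_SECRET
; Use the [ad_client] section above for the first factor.
client=ad_client
port=1812
; "secure" rejects logins when Duo's service is unreachable; "safe" would
; allow them after primary authentication alone.
failmode=secure
```

With this layout a user needs direct membership of the group, a valid AD password and a Duo approval; removing the account from the group blocks VPN logins without touching the Duo enrollment.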

Hello PhilipDAth,

 

I do have another question regarding DUO and SAML. Can this configuration also work with the DUO app on a phone and allow the user to answer yes or no to approve the sign-on?

PhilipDAth
Kind of a big deal

That is the most typical configuration.

 

You can also enable additional methods like TXT authentication, Duo token authentication, etc.

Thank you once more! This helps a bunch.

SteveDW
Here to help

PhilipDAth, thank you for all the information. Yes, I am currently working with the Windows native VPN client. Thanks for the additional information on AnyConnect. This appears to be a good option too. The next step will be the deployment of the client application. We are not using Azure.
