Using DUO for 2FA - how to?

SOLVED
DSchn
Here to help

Dear all,

We are already using our MX400 for providing client VPN access (with RADIUS) and now want to have a two-factor authentication setup. It seems DUO does the trick, but what exactly is to be done? I read about a DUO Access Gateway and an Authentication Proxy; are they the same tool? And what about the Windows 7/10 VPN connection: where will the user put in the authentication code?

Sorry, I'm a bit confused how this exactly works out with DUO.

1 ACCEPTED SOLUTION
Mr_IT_Guy
A model citizen

Hey @DSchn,

The DUO Access Gateway (DAG) and the Duo Authentication Proxy (DAP) are two different tools. The DAG acts as a kind of application portal for SSO. Users can log into the DAG and then click on company applications that you have protected using DUO. The DAG has 2FA enabled for login purposes. Additionally, you can have redirects happen on those websites you are protecting so that if someone were to navigate straight to the website without first going through the DAG, they would be redirected to the DAG for sign-in.

The Authentication Proxy is what actually makes the 2FA happen. Instead of pointing your VPN to the RADIUS server, you would instead point it to the DAP. When a user attempts to connect to the VPN, they will hit the DAP, which contacts AD to verify username and password. If that part is correct, they will then receive a PUSH notification to their DUO app. You will have to contact Meraki to adjust the timeout on the back end for the push notification so that users don't experience a timeout.

As of right now, the only way you can use 2FA with the Windows VPN Connection is with the PUSH notification or Biometrics, as there is no place to put in an authentication code. This part is very frustrating. I wish support for Cisco AnyConnect would come soon!!

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Thank you very much for explaining the difference and functionalities! So what I need is the Auth. Proxy as we just want to secure the VPN access.

As I understand the Auth. Proxy can check for AD group memberships just like our RADIUS is doing right now, is that correct? I suppose the Auth. Proxy will sync our AD groups to the DUO administration console? We still would keep the RADIUS for the wifi connections and as a backup if anything goes south.

Glad to help out!

  • I believe you are correct about the Auth Proxy checking the AD group membership, though I think that's based on what level of DUO you have.
  • Your AD groups will sync with the DUO admin console.
  • You can keep RADIUS for the wifi and as a backup.


We demo'd DUO and I really like the product. Ultimately we ended up going with RSA.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Hi,

We have an MX64 and the Client VPN is set for authentication with Meraki cloud and the users set up.

I'm trying to set up 2FA via Duo Security but I have some questions:

1) I set up the DAP with the following config:


 

; Upstream RADIUS server the proxy forwards the primary (username/password) check to
[radius_client]
host=X.X.X.X
secret=XXXXXXXXXXX

; Listener the VPN endpoint talks to; the proxy adds the Duo second factor after primary auth succeeds
[radius_server_auto]
; Duo integration key, secret key and API hostname from the Duo admin console
ikey=XXXXXXX
skey=XXXXXXXXXX
api_host=XXXXXXXXX
; The RADIUS client allowed to talk to this proxy (the MX) and its shared secret
radius_ip_1=XXXXXXXX
radius_secret_1=XXXXXXXXX
; Which section performs primary authentication
client=radius_client
port=1812
failmode=safe

Am I missing configuration for Active Directory in order to authenticate?

I've read this document regarding the RADIUS setup, but I am confused when it comes to 'configuring RADIUS clients to use it for authentication':

https://duo.com/docs/radius

Currently, we have the Windows 10 VPN tool set up to the Client VPN endpoint and the only authentication is the stored username and password. I am not sure how to point this endpoint to the DAP.

Any help will be greatly appreciated.

 

Fady
Meraki Employee

Hi viksep,

You will need to configure the RADIUS server under the [radius_client] section, then under [radius_server_auto] you will need to input the MX details to act as a client.

If you are running this DUO proxy on the same machine as your RADIUS server, then please change the port of the proxy from 1812, because I am assuming that is what you are already using for your RADIUS server, so the DUO proxy has to listen on a different port to authenticate users.

Please check my short video of the integration, but note that I used direct integration with AD instead of RADIUS; the concept is the same.

https://www.youtube.com/watch?v=0kmNsun48Wc&t=20s
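The two checks Fady describes above (the `client=` line must name a real section, and a proxy sharing a machine with the upstream RADIUS server cannot also listen on 1812) are easy to get wrong in an INI file. The script below is an added example written for this thread, not part of Duo's tooling or the Meraki documentation. It parses an authproxy.cfg-style file with Python's `configparser` and reports those two problems, plus two things the thread does not spell out: leftover `XXXX` placeholder values, and `failmode=safe`, which in the Duo proxy means logins proceed without the second factor when the Duo service is unreachable. The embedded config is a constructed sample based on the one posted above, with `host=127.0.0.1` to reproduce the same-machine case.

```python
"""Lint a Duo Authentication Proxy (authproxy.cfg) RADIUS configuration.

Added example for this thread; it is not Duo's own tooling.  It parses the
INI-style file and reports the problems discussed above: a [radius_server_*]
section whose client= points at a section that does not exist, an upstream
[radius_client] on the same host listening on the same port as the proxy,
placeholder values left in place of real secrets, and failmode=safe.
"""
import configparser
import re

# Constructed sample: the poster's config with the proxy and its upstream
# RADIUS server on the same machine (127.0.0.1), both on port 1812.
SAMPLE_CFG = """
[radius_client]
host=127.0.0.1
secret=XXXXXXXXXXX

[radius_server_auto]
ikey=XXXXXXX
skey=XXXXXXXXXX
api_host=XXXXXXXXX
radius_ip_1=192.0.2.10
radius_secret_1=XXXXXXXXX
client=radius_client
port=1812
failmode=safe
"""

PLACEHOLDER = re.compile(r"^X+(\.X+)*$")  # matches X.X.X.X, XXXXXXXX, ...
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_authproxy(text):
    """Parse authproxy.cfg text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def lint_authproxy(cfg):
    """Return a list of (severity, message) findings for a parsed config."""
    findings = []
    servers = [s for s in cfg if s.startswith("radius_server_")]
    if not servers:
        findings.append(("error", "no [radius_server_*] section: the proxy has nothing to listen for"))

    for name in servers:
        sec = cfg[name]
        client = sec.get("client")
        if client is None:
            findings.append(("error", f"[{name}] has no client= line naming the primary authenticator"))
        elif client not in cfg:
            findings.append(("error", f"[{name}] client={client} refers to a section that does not exist"))
        elif client == "radius_client":
            # Both the proxy listener and the upstream RADIUS server default to 1812.
            up = cfg[client]
            proxy_port = int(sec.get("port", "1812"))
            up_port = int(up.get("port", "1812"))
            if up.get("host") in LOCAL_HOSTS and proxy_port == up_port:
                findings.append(("error",
                    f"[{name}] listens on {proxy_port} but [{client}] targets {up['host']}:{up_port}; "
                    "the proxy and the upstream RADIUS server cannot share a port on one machine"))
        if not any(k.startswith("radius_ip_") for k in sec):
            findings.append(("error", f"[{name}] has no radius_ip_N entry, so the MX is not an allowed RADIUS client"))
        # failmode=safe lets users in with only the primary factor if Duo cannot be reached
        if sec.get("failmode", "safe") == "safe":
            findings.append(("warning", f"[{name}] failmode=safe: logins bypass the second factor if the Duo service is unreachable"))

    for name, sec in cfg.items():
        for key, val in sec.items():
            if PLACEHOLDER.match(val):
                findings.append(("warning", f"[{name}] {key} still holds a placeholder value"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_authproxy(parse_authproxy(SAMPLE_CFG)):
        print(f"{severity.upper():8} {message}")
```

Run it as-is to lint the embedded sample, or replace `SAMPLE_CFG` with the contents of your own authproxy.cfg. On the sample it reports one error (the shared port 1812) and warns about the five placeholder values and `failmode=safe`; changing the proxy's `port=` to a free port clears the error, which is exactly the change Fady recommends for the same-machine setup.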
