So we have an MX product and have 2FA set up via Duo Security. The MX client VPN points to the Duo Authentication Proxy, which is set up to receive the RADIUS communication from the MX and then communicates with AD via LDAPS. Users log in with their AD username/password and get a push notification to their phones via the Duo app. There are a few users who refuse to use their personal phone for work in any way, which is fine, so we have provided them with OTP fobs. They log in with the same username, but for the password they do "ADpassword,OTP". The Duo Authentication Proxy strips out the OTP and sends the rest to AD for authentication (I have no idea how it'd handle a password with a comma in it; maybe it sees it's not a 6-digit PIN after?). For self-enrollment we have the Duo Access Gateway set up as our SSO solution, which allows for self-enrollment. Hope this helps clear up how a 2FA solution would interact with Meraki.
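The comma question raised in the post, worked through as an added example (not part of the original post and not the Duo Authentication Proxy's own code). It assumes a six-digit passcode and a split on the last delimiter only; the function names are hypothetical.

```python
import re

# Assumption: token passcodes are exactly six ASCII digits, as the post guesses.
PASSCODE_RE = re.compile(r"[0-9]{6}")


def split_append_credential(raw, delimiter=","):
    """Return (password, passcode); passcode is None when nothing was appended.

    Splits on the LAST delimiter only, so commas inside the password survive.
    """
    head, sep, tail = raw.rpartition(delimiter)
    if sep and head and PASSCODE_RE.fullmatch(tail):
        return head, tail
    return raw, None


def candidate_interpretations(raw, delimiter=","):
    """List every reading of the password field a verifier has to consider.

    A password that itself ends in ",<six digits>" cannot be told apart from
    password plus passcode, so both readings are returned, split form first.
    """
    password, passcode = split_append_credential(raw, delimiter)
    candidates = [(password, passcode)]
    if passcode is not None:
        candidates.append((raw, None))
    return candidates


# Constructed sample inputs, not real credentials.
SAMPLES = [
    "Winter2024!,123456",  # password + OTP from a fob
    "a,b,c,654321",        # commas inside the password
    "no-otp-here",         # push user, nothing appended
    "ends,with,comma,",    # trailing delimiter, empty tail
    "pin,12345",           # five digits: not treated as a passcode
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", candidate_interpretations(sample))
```

The two-candidate result for the first two samples is the ambiguity to plan for: a password policy that forbids the delimiter, or a proxy-side delimiter other than a comma, removes it.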