Can Duo 2FA be integrated with anything that allows RADIUS authentication?


#1

Hi all,

I would like to know if I can use Duo 2FA with anything that has the option for RADIUS authentication.
I am trying to set up a Captive Portal for UniFi wireless, and they allow RADIUS authentication.
I was wondering if I can create a RADIUS server on Windows Server, and set up Duo on it. If this works, Duo will work with a lot of my applications that do not directly have an option to use with Duo.
Or will Duo only work with applications mentioned in the Application section on the Duo Portal?
I use Duo 2FA with pfSense firewall through the FreeRADIUS service in pfSense, and they are not listed in the application section.


#2

Usually! There are a few corner-case limitations in our RADIUS support but most customers find they’re able to get a variety of RADIUS devices working through the Duo Authentication Proxy.

Take a look at our generic RADIUS instructions to start (this is the same document linked as “Other VPNs - Try our RADIUS application” from the main docs page). Then review the Authentication Proxy reference for a deep dive into all the possibilities for RADIUS.

Since you mention wanting to protect wifi, this may fall under one of our corner cases. Our EAP support in the proxy is limited to EAP-GTC. We do support MS-CHAPv2 though, as long as the upstream authentication server is RADIUS (and if you’re using FreeRADIUS then you’re set).


#3

Kristina, this is fantastic news!!
I am sure more people will be compelled to integrate with Duo once they know the capabilities that can be extended with RADIUS.
I request you to create a step-by-step instructional video on how to set up RADIUS on a server, and set up Duo on it.
In most forums I have checked about DUO, people say it's extremely complicated to integrate. I think we need more education, and YouTube videos can open up a huge market for you.
Trust me when I say this… there is a lot of lack of understanding around DUO and its integration.

Today anyone can pick up VMware, and install vCenter or ESXi with HA/Replication just because there are tons and tons of YouTube videos on this subject. Duo has some, but requires a lot more.


#4

Thanks for the ideas and for using Duo!

ETA: We do have quite a bit of video content on YouTube (https://www.youtube.com/user/duosec) and linked from our documentation and product pages.

We do usually assume someone already has their primary authentication in place, and just needs to add Duo for secondary auth. That’s why we don’t explicitly instruct anyone in setting up primary auth from scratch.


#5

@Kristina, thanks. I have installed Duo Proxy Server on a Windows Server 2019 in a Virtual Machine. I have Duo integrated with Local AD users for 2FA; apart from that, I have DUO integration with OpenVPN. And everything is working very well.
Does it mean I don’t need to install a separate instance of RADIUS on a Windows/Linux server?

Any place where there is an option for RADIUS-based authentication, and is asking for a RADIUS server IP address, can I use the IP address for the server on which I have Duo Authentication Proxy installed?

For example, I have this option in my UniFi AP’s control page.


#6


#7

For anything you want to point to the Duo proxy, create a [radius_server_whatever] section with the IP of the device that will send requests to it and the shared secret, and then point the device to the authentication proxy IP address and port and use the same secret. The Duo proxy server will take the incoming request, perform primary authentication at an upstream AD or RADIUS server, and once that succeeds perform 2FA.

This process is shown in the generic RADIUS instructions for RADIUS automatic push. Other RADIUS server configurations are shown in the reference.
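
The layout described in post #7, as an added example that is not part of the original thread: an `authproxy.cfg` sketch for the Duo Authentication Proxy with Active Directory as the upstream primary authenticator and one RADIUS device pointed at the proxy. Every IP address, account name and domain is a constructed placeholder, and the keys, API hostname and secrets must come from your own Duo Admin Panel application and environment.

```ini
; authproxy.cfg sketch (constructed values; replace every placeholder)

; Upstream primary authentication against Active Directory.
[ad_client]
host=10.0.0.10
service_account_username=duoservice
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=com

; Alternative upstream: an existing RADIUS server (for example FreeRADIUS).
; Post #2 notes MS-CHAPv2 is supported only when the upstream is RADIUS.
; [radius_client]
; host=10.0.0.20
; secret=REPLACE_WITH_UPSTREAM_RADIUS_SECRET

; Listener for the device that sends RADIUS requests to the proxy.
; "auto" is the automatic-push mode named in post #7.
[radius_server_auto]
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=REPLACE_WITH_API_HOSTNAME
; IP of the device allowed to send requests (placeholder address),
; and the shared secret configured on that same device.
radius_ip_1=10.0.0.5
radius_secret_1=REPLACE_WITH_LONG_RANDOM_SHARED_SECRET
; Which upstream section performs primary authentication.
client=ad_client
port=1812
; safe   = allow logins that passed primary auth if Duo is unreachable
; secure = deny logins if Duo is unreachable
failmode=safe
```

On the device side, the RADIUS server address is the proxy host's IP, the port matches `port`, and the shared secret matches `radius_secret_1`. Use a long random secret per device and restrict `radius_ip_N` to the exact sender, since the shared secret is the only thing authenticating RADIUS clients to the proxy.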