Duo auth and Active Directory

Hello,

I installed Active Directory on a Debian server, which works fine (I can join clients to the domain).
I configured a Duo proxy with LDAP, and the connectivity tools tell me everything is fine.
Now I want to join my device to my new domain and use MFA with Duo.

Is it possible? How do I get clients to connect to the Duo proxy and not directly to my AD DC?

PS: I don’t want to use Duo AD sync.

Thanks for your help

Hi Oneel,

Joining a device to the domain through Samba against the Duo Authentication Proxy’s LDAP server isn’t supported.

To protect Windows AD clients with 2FA, install Duo Authentication for Windows Logon.

You can set your client devices to authenticate against RADIUS and configure your AuthProxy to be a RADIUS server. AuthProxy would then do a lookup against AD to see if the primary credentials are correct, then pass you off to Duo for MFA.

Radius authentication for Linux HowTo: Configuring Radius Authentication on Linux | Mike Dixson

You would add an Application to protect in Duo Console (“Radius”) and make a note of its ikey, skey and api_host.

In your AuthProxy config you would need 2 sections added:

[ad_client]
host=x.x.x.x
host_2=x.x.x.x
;host_3=x.x.x.x
;host_4=x.x.x.x
service_account_username=
service_account_password=
search_dn=DC=,DC=
; 3268 is the Global Catalog LDAP port
port=3268
timeout=30
; Uncomment the next line to force usernames to the format of user@domain / email address
;username_attribute=userPrincipalName

[radius_server_auto]
ikey=*********************
skey=**********************************
api_host=************************
; Name of the section above that performs primary authentication
client=ad_client
radius_ip_1=x.x.x.x
radius_secret_1=this_is_your_radius_secret
; 1812 is the standard RADIUS authentication port
port=1812
timeout=30
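As an added example (not Duo’s tooling and not code from the poster), here is a small Python sanity checker for an authproxy.cfg in the shape above. It parses the file with the standard library configparser and reports keys that are absent, still hold the template placeholders (x.x.x.x, runs of asterisks, the literal this_is_your_radius_secret, an empty DC= component), a `client=` value that names a section which does not exist, an unrecognised `username_attribute`, and radius_ip_N / radius_secret_N entries without their partner. The two embedded configs are constructed: the first is the template as posted, the second is a filled-in variant with obviously fake values. The expectations that a Duo ikey is 20 characters starting with DI and a skey is 40 characters are taken from Duo’s documentation.

```python
"""Sanity checker for a Duo Authentication Proxy authproxy.cfg (added example)."""
import configparser
import re

# Constructed sample: the template from the thread with its placeholders intact.
SAMPLE_CFG = """\
[ad_client]
host=x.x.x.x
host_2=x.x.x.x
service_account_username=
service_account_password=
search_dn=DC=,DC=
port=3268
timeout=30
; Uncomment the next line to force usernames to the format of user@domain
;username_attribute=userPrincipalName

[radius_server_auto]
ikey=*********************
skey=**********************************
api_host=************************
client=ad_client
radius_ip_1=x.x.x.x
radius_secret_1=this_is_your_radius_secret
port=1812
timeout=30
"""

# Constructed filled-in variant with obviously fake values (not real credentials).
FAKE_IKEY = "DI" + "X" * 18   # Duo integration keys are 20 characters, prefix DI
FAKE_SKEY = "S" * 40          # Duo secret keys are 40 characters
FILLED_CFG = f"""\
[ad_client]
host=10.0.0.10
host_2=10.0.0.11
service_account_username=svc-duoproxy
service_account_password=CHANGEME-not-a-real-password
search_dn=DC=example,DC=lan
port=3268
timeout=30
username_attribute=userPrincipalName

[radius_server_auto]
ikey={FAKE_IKEY}
skey={FAKE_SKEY}
api_host=api-xxxxxxxx.duosecurity.com
client=ad_client
radius_ip_1=10.0.0.50
radius_secret_1=CHANGEME-long-random-shared-secret
port=1812
timeout=30
"""

AD_REQUIRED = ("host", "service_account_username", "service_account_password", "search_dn")
RADIUS_REQUIRED = ("ikey", "skey", "api_host", "client", "radius_ip_1", "radius_secret_1")
# LDAP attributes the proxy matches the RADIUS username against
KNOWN_USERNAME_ATTRS = {"samaccountname", "userprincipalname"}
TEMPLATE_SECRET = "this_is_your_radius_secret"


def load_cfg(text):
    # INI style with ';' comments; interpolation off so a '%' inside a secret stays literal
    cfg = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"))
    cfg.read_string(text)
    return cfg


def is_placeholder(value):
    v = value.strip()
    return (
        v == ""
        or v == "x.x.x.x"
        or set(v) == {"*"}
        or v == TEMPLATE_SECRET
        or re.search(r"(^|,)DC=(,|$)", v) is not None  # empty DC= component as in DC=,DC=
    )


def check_authproxy_cfg(text):
    """Return a list of findings; an empty list means the file is filled in consistently."""
    cfg = load_cfg(text)
    findings = []

    if not cfg.has_section("ad_client"):
        findings.append("[ad_client]: section missing")
    else:
        ad = cfg["ad_client"]
        for key in AD_REQUIRED:
            if is_placeholder(ad.get(key, "")):
                findings.append(f"[ad_client] {key}: missing or still a placeholder")
        attr = ad.get("username_attribute", "")
        if attr and attr.lower() not in KNOWN_USERNAME_ATTRS:
            findings.append(f"[ad_client] username_attribute={attr}: unrecognised attribute (typo?)")
        for key in ad:  # additional domain controllers host_2, host_3, ...
            if key.startswith("host_") and is_placeholder(ad[key]):
                findings.append(f"[ad_client] {key}: placeholder address")

    if not cfg.has_section("radius_server_auto"):
        findings.append("[radius_server_auto]: section missing")
    else:
        rs = cfg["radius_server_auto"]
        for key in RADIUS_REQUIRED:
            if is_placeholder(rs.get(key, "")):
                findings.append(f"[radius_server_auto] {key}: missing or still a placeholder")
        client = rs.get("client", "")
        if client and not cfg.has_section(client):
            findings.append(f"[radius_server_auto] client={client}: no such section defined")
        ikey, skey = rs.get("ikey", ""), rs.get("skey", "")
        if ikey and not is_placeholder(ikey) and not (len(ikey) == 20 and ikey.startswith("DI")):
            findings.append("[radius_server_auto] ikey: expected 20 characters starting with DI")
        if skey and not is_placeholder(skey) and len(skey) != 40:
            findings.append("[radius_server_auto] skey: expected 40 characters")
        # Every radius_ip_N needs a matching radius_secret_N and vice versa
        ips = {k[len("radius_ip_"):] for k in rs if k.startswith("radius_ip_")}
        secrets = {k[len("radius_secret_"):] for k in rs if k.startswith("radius_secret_")}
        for n in sorted(ips ^ secrets):
            findings.append(f"[radius_server_auto] radius_ip_{n}/radius_secret_{n}: unpaired")
    return findings


if __name__ == "__main__":
    for name, text in (("template", SAMPLE_CFG), ("filled", FILLED_CFG)):
        print(f"== {name}: {len(check_authproxy_cfg(text))} finding(s)")
        for line in check_authproxy_cfg(text):
            print("  ", line)
```

Run it against your own file with `check_authproxy_cfg(open("authproxy.cfg").read())` before restarting the proxy; the template as posted produces ten findings, the filled-in variant none.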