
Duo auth and Active Directory

Oneel
Level 1

Hello,

I installed Active Directory hosted on a Debian server, which works fine (I can join clients to the domain).
I configured a Duo proxy with LDAP and the connectivity tools tell me everything is fine.
Now I want to join my device to my new domain and use MFA with Duo.

Is it possible? How do I get clients to connect to the Duo proxy and not directly to my AD DC?

PS: I don’t want to use Duo AD sync.

Thanks for your help

2 Replies

DuoKristina
Cisco Employee

Hi Oneel,

Device join to domain through Samba against the Duo Authentication Proxy’s LDAP server isn’t supported.

To protect Windows AD clients with 2FA, install Duo Authentication for Windows Logon.

Duo, not DUO.

mpaine1
Level 1

You can set your client devices to authenticate against RADIUS and configure your AuthProxy to be a RADIUS server. AuthProxy would then do a lookup against AD to see if the primary credentials are correct, then pass you off to Duo for MFA.

Radius authentication for Linux HowTo: Configuring Radius Authentication on Linux | Mike Dixson

You would add an Application to protect in the Duo Console, “RADIUS” (and make a note of its ikey, skey and api_host).

In your AuthProxy config you would need 2 sections added:

[ad_client]
host=x.x.x.x
host_2=x.x.x.x
;host_3=x.x.x.x
;host_4=x.x.x.x
service_account_username=
service_account_password=
search_dn=DC=,DC=
port=3268
timeout=30
; Uncomment the next line to force usernames to the format of user@domain / email address
;username_attribute=userPrincipalName

[radius_server_auto]
ikey=*********************
skey=**********************************
api_host=************************
client=ad_client
radius_ip_1=x.x.x.x
radius_secret_1=this_is_your_radius_secret
port=1812
timeout=30
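
A pre-deployment sanity check for a config laid out like the one in the reply above, as an added example that is not part of the thread and not Duo's own tooling. The function name `lint_authproxy`, the 16-character secret floor and all sample values are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample in the layout of the post above; every value is a placeholder.
SAMPLE_CFG = """\
[ad_client]
host=x.x.x.x
service_account_username=
service_account_password=
search_dn=DC=,DC=

[radius_server_auto]
ikey=EXAMPLEIKEY
skey=exampleskey
api_host=api-example.invalid
client=ad_client
radius_ip_1=x.x.x.x
radius_secret_1=this_is_your_radius_secret
radius_ip_2=192.0.2.10
"""

def lint_authproxy(text, min_secret_len=16):  # 16 is an assumed policy floor
    """Return a list of findings for an authproxy.cfg-style INI string."""
    cfg = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        # A RADIUS server section must reference a client section that exists.
        if name.startswith("radius_server") and sec.get("client") not in cfg.sections():
            findings.append(f"[{name}] client={sec.get('client')!r} has no matching section")
        for key, value in sec.items():
            if value == "" or "x.x.x.x" in value:
                findings.append(f"[{name}] {key} is empty or still a placeholder")
            if key == "search_dn" and re.search(r"=(,|$)", value):
                findings.append(f"[{name}] search_dn has an empty component")
            m = re.fullmatch(r"radius_ip_(\d+)", key)
            if m:  # every RADIUS client IP needs its own shared secret
                secret_key = f"radius_secret_{m.group(1)}"
                secret = sec.get(secret_key, "")
                if not secret:
                    findings.append(f"[{name}] {key} has no {secret_key}")
                elif len(secret) < min_secret_len or secret == "this_is_your_radius_secret":
                    findings.append(f"[{name}] {secret_key} is short or the sample value")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_authproxy(SAMPLE_CFG)))
```
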
