Duo for ssl vpn & 2fa

Hello All,

We have a fortinet based ssl vpn with Cisco ACS as the radius server fetching attributes from AD.
To enable 2FA, in the authproxy.cfg file should the entries include both fortinet device & Cisco acs?
As also, where is the best place to check on logs for verification. Duo is on a windows machine .
Please help. Thank you.

I’m not the best one to answer, but here goes. It depends. We were not currently using a radius server, so we just used the duo auth proxy to ‘look’ like one, and it can do both the AD verification and 2FA of course. It is limited to what it can do with AD, but it can check for membership in an AD group, and a few other things I seem to recall. If you are using your Cisco ACS for other radius-type things (accounting/logging) or requiring specific attributes, then I would think you’d want to define/use the ‘radius_client’ for the initial auth. The docs are your friend. Duo Authentication Proxy Reference | Duo Security