@DuoKristina: I read through all the posts and linked documents on this invaluable topic. I did not know we would need to stand up an NPS server! Is an NPS server required only if we need to specify AD groups on the Watchguard’s Authorized Users and Groups list? It’s no problem for us to enter only individual users.
Here’s where we stand currently:
1 – I recently got Duo Authentication for Windows Logon and RDP up and running, using the Duo Authentication Proxy. Next we want to add Duo 2FA to our VPN.
2 – We are using Watchguard SSL VPN, with the Watchguard using our on-premise Active Directory to authenticate VPN users.
3 – I have configured the Duo Authentication Proxy cfg file with [radius_server_auto] and [ad_client] sections. I’m using a RADIUS server testing tool (NTRadPing 1.5), pointed to the Duo Authentication Proxy, and it seems to be working fine with Duo 2FA - the RADIUS testing tool gets back access-success and access-reject responses from the Duo Authentication Proxy depending on whether I approve or deny on the Duo App.
Until I saw this topic, I thought all that was left for us to do was switch our Watchguard from AD authentication to RADIUS authentication using the Duo Authentication Proxy.