Duo to handle secondary authentication

nischit123aryal
Level 1

Hi,

I have an SSL VPN device with users locally configured on it. I want the primary authentication to be from the users locally created on my SSL VPN device (Check Point firewall) and the secondary authentication to be Duo. I have deployed the Duo Authentication Proxy and the config file looks like:

[duo_only_client]

[radius_server_auto]
ikey=
skey=
api_host=
radius_ip_1=x.x.x.x
radius_secret_1=password
client=duo_only_client
port=1812

The traffic flow:

SSL VPN users connect to Gateway (Check Point) > Primary authentication using locally created users > Secondary authentication RADIUS server pointed to Duo.

Is this the correct way of doing it? If yes, how will the user/pwd entered by a client as a part of primary authentication be known to Duo and how will it verify against that username in the Duo Security cloud?

In this case, Duo is not working as a RADIUS client or AD client.

2 Replies

DuoKristina
Cisco Employee

That is how it would work for a device that supported chained authenticators with conditional progress (if auth source #1 succeeds, require auth source #2 success).

However, I am not sure that this is possible in Check Point Mobile Access, since you can only select one authentication method per security gateway, and I don’t think you can specify your own RADIUS authenticator as a source for DynamicID.

If you can get that working please come back here and let us know!

Duo, not DUO.

Thank you for the response. It looks like the DynamicID is supported for all Mobile Access and IPsec VPN clients. I will try this out and will let you know if I succeed.
