
Duo with Fortigate, Cisco FTD and Switches

Ah15
Level 1

Hello,

Can anyone advise how to configure Duo to protect administrators logins on Fortigate and FTD Firewall?
Also for the Switches SSH Access?

Accepted Solutions

raphka
Cisco Employee

Hi Ah15, Welcome to the Duo community.

This is possible using the RADIUS protection if these devices support RADIUS authentication for those services.

We do not have a named integration for this, as Duo has not tested protecting this for all devices; however, it should work.

We do have generic RADIUS documentation that can be used to set up the protection with the Duo Authentication proxy.

Please see the step by step guide below for further details.

The authentication flow will look like this:
Networking device → Duo Authentication proxy → your RADIUS or AD server.

If you use your RADIUS server you will use the [radius_client].
If you use AD you will use [ad_client].

Many switches and other devices sometimes require RADIUS attributes to be sent to set privilege or access levels.
If this is the case, you will need to use a [radius_client] with NPS as your RADIUS server and NPS providing the RADIUS attributes required to be passed.

The proxy is a proxy and not a standalone RADIUS server with a user/password/attribute database.
The proxy can be configured to pass all RADIUS attribute parameters sent by your RADIUS server behind the proxy processing the primary authentications.
This configuration change will be required for both the radius_server_auto section as well as the radius_client section in the proxy.

You can find the optional parameters for both in the documentation below:

Your final configuration should look something like the below, with the optional parameters in bold.

[radius_client]
host=1.2.3.4
secret=radiusclientsecret
pass_through_all=true

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=radius_client
port=1812
failmode=safe
pass_through_all=true

Please also find the proxy reference below:

Please see the article below for further details on configuring the proxy as a client of NPS if you choose to use a [radius_client] section:
https://help.duo.com/s/article/4785

Please also note that the proxy and your RADIUS server (i.e. NPS) should not be listening on the same port if both exist on the same host.
I would set the proxy server section to port 18120 and your radius server to port 1812 to ensure there is no port conflict if this is the case.
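
A small lint for the two pitfalls raised in the answer above (pass_through_all has to be set in both sections, and the proxy must not share a port with a RADIUS server on the same host), as an added example that is not part of the original post or of Duo's tooling. The function name `lint_authproxy`, the sample values and the list of local addresses are assumptions; the option names are the ones shown in the post.

```python
import configparser

# Constructed sample: proxy and NPS on the same host, both on 1812,
# and pass_through_all set in only one of the two sections.
SAMPLE_CFG = """
[radius_client]
host=127.0.0.1
secret=radiusclientsecret
pass_through_all=true

[radius_server_auto]
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=radius_client
port=1812
failmode=safe
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}  # assumption: extend with the host's own IPs

def lint_authproxy(text, local_addrs=LOCAL_HOSTS):
    """Return findings for the attribute pass-through and port-conflict points."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("radius_server_auto"):
            continue
        server = cfg[name]
        client_name = server.get("client", "")
        if not cfg.has_section(client_name):
            findings.append(f"{name}: client={client_name!r} has no matching section")
            continue
        if not client_name.startswith("radius_client"):
            continue  # ad_client: no upstream RADIUS attributes or RADIUS port to check
        client = cfg[client_name]
        # Attributes only reach the device if both sections pass them through.
        flags = [s.get("pass_through_all", "false").lower() == "true" for s in (client, server)]
        if flags[0] != flags[1]:
            findings.append(f"{name}: pass_through_all must be set in both {client_name} and {name}")
        # Assumed default of 1812 on both sides when port is omitted.
        listen = server.get("port", "1812")
        upstream = client.get("port", "1812")
        if client.get("host") in local_addrs and listen == upstream:
            findings.append(f"{name}: listens on {listen}, same port as the RADIUS server on this host")
    return findings

if __name__ == "__main__":
    for finding in lint_authproxy(SAMPLE_CFG):
        print(finding)
```

Moving the proxy listener to 18120 and adding pass_through_all=true to the server section, as the answer suggests, clears both findings.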

Thanks for sharing great information.
