Duo with Fortigate, Cisco FTD and Switches

Hello,

Can anyone advice how to configure Duo to protect administrators logins on Fortigate and FTD Firewall ?
Also for the Switches SSH Access?

Hi Ah15, Welcome to the Duo community.

This is possible using the RADIUS protection if these devices support RADIUS authentication for those services.

We do not have a named integration for this, as Duo has not tested protecting this for all devices however it should work.

We do have generic RADIUS documentation that can be used to set up the protection with the Duo Authentication proxy.

Please see the step by step guide below for further details.

The authentication flow will look like this:
Networking device - > Duo Authentication proxy → your RADIUS or AD server.

If you use your RADIUS server you will use the [radius_cleint]
If you use AD you will use [ad_client]

Many switches and other devices sometimes require RADIUS attributes to be sent to set privilege or access levels.
If this is the case, you will need to use a [radius_client] with NPS as your RADIUS server and NPS providing the RADIUS attributes required to be passed.

The proxy is a proxy and not a standalone RADIUS server with a user/password/attribute database.
The proxy can be configured to pass all Radius attribute parameters send by your RADIUS server behind the proxy processing the primary authentications.
This configuration change will be required for both the RADIUS_server_auto section as well as the radius_client section in the proxy.

You can find the optional parameters for both in the documentations below:

Your final configuration should look something like the below, with the optional parameters in bold.

[radius_client]
host=1.2.3.4
secret=radiusclientsecret
pass_through_all=true

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=radius_client
port=1812
failmode=safe
pass_through_all=true

Please also find the proxy reference below;

Please see the article below for further details on configuring the proxy as a client of NPS if you choose to use a [radius_client] section:
https://help.duo.com/s/article/4785

Please also note that the proxy and your RADIUS server (i.e. NPS), should not be listening on the same port if both exist on the same host.
I would set the proxy server section to port 18120 and your radius server to port 1812 to ensure there is no port conflict if this is the case.

1 Like

Thanks for sharing great information.

1 Like