Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2676
Views
0
Helpful
5
Replies

Duo with Sonicwall SRA and Active Directory Groups

evan631
Level 1
Level 1

‎01-08-2018 02:07 PM

We are in the process of setting up our Duo 2FA environment.
Our main priority is to use Duo for our Sonicwall SRA SSL VPN.

We have configured Duo and the Sonicwall with a radius domain, and have setup the Duo proxy authenticator. This part tested successfully.

Here is our issue… we restrict VPN access based on Active Directory groups. We also restrict what servers/applications people have access to based on AD groups and Sonicwall policies as well.

We are now seeing this setup does not apply the AD groups.

Is there any way to get our AD groups to apply within the radius/duo setup? We were told to setup LDAP application in duo for the Sonicwall and duo, but that does not seem to resolve this issue.

Any other suggestions out there?

I am starting to think rather than using the Duo Proxy authenticator we need to have “real” radius server in our AD environment. Is this the only solution to our issue?

Thanks for the help!
-Evan

Labels:
0 Helpful
5 Replies 5

DuoKristina
Cisco Employee
Cisco Employee

‎01-09-2018 06:57 AM

Your SonicWALL should be able to query for LDAP group memberships via the Duo Authentication proxy.

Can you describe your setup a bit more? Are you using local group policies?

Duo, not DUO.
0 Helpful

evan631
Level 1
Level 1
In response to DuoKristina

‎01-09-2018 01:32 PM

What sort of info would you like on our setup?

We originally were using Radius setup with duo and sonic wall, but that did not bring over our Active Directory group membership that assign VPN access and what they can access.

We then switched it to LDAP authentication. Hoping it would use our Active Directory Groups.

The Group Memberships are setup in Active Directory.
We then have groups setup on the SonicWall SRA pointing to those Active directory groups, with policies restricting access.

The groups setup on the Sonicwall are setup for specific SonicWall domains. Our production domain is an Active Directory domain, however when we switch to to the LDAP setup for DUO it was configured as an LDAP domain.

I do not see any way to apply AD groups to an LDAP domain on the SonicWall.

Thanks again for your help again!

-Evan

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to evan631

‎01-09-2018 03:17 PM

Ah, I get it.

While the SRA doesn’t let you automatically associate LDAP groups with local groups, you can specify an LDAP attribute for the local group that will associate it with the AD group vis LDAP.

Take a look at the SonicWALL SMA guide here, specifically the memberof example in step 23 of the “Group Configuration for LDAP Authentication Domains” section.

Duo, not DUO.
0 Helpful

evan631
Level 1
Level 1
In response to DuoKristina

‎01-11-2018 05:52 AM

Great! That worked! Unfortunately SonicWall only lets you add 8 Base DNs in LDAP domains, that is not sufficient for us.

Looks like we may have to use NPS (Network Policy Server) in windows server roles. Is this possible using Duo, SonicWall SRA, and NPS?

Thanks again.

-Evan

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to evan631

‎01-11-2018 07:14 AM

Yes, you’d just switch from [ad_client] to [radius_client] and use your NPS server and the remote RADIUS host. You may also want to enable the [pass_through_all] option so that the list of groups returned by NPS gets passed all the way back through the Duo proxy.

Good luck an thanks for trying Duo!

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents