Duo with Sonicwall SRA and Active Directory Groups


#1

We are in the process of setting up our Duo 2FA environment.
Our main priority is to use Duo for our Sonicwall SRA SSL VPN.

We have configured Duo and the Sonicwall with a radius domain, and have setup the Duo proxy authenticator. This part tested successfully.

Here is our issue… we restrict VPN access based on Active Directory groups. We also restrict what servers/applications people have access to based on AD groups and Sonicwall policies as well.

We are now seeing this setup does not apply the AD groups.

Is there any way to get our AD groups to apply within the RADIUS/Duo setup? We were told to set up an LDAP application in Duo for the SonicWall and Duo, but that does not seem to resolve this issue.

Any other suggestions out there?

I am starting to think rather than using the Duo Proxy authenticator we need to have a “real” RADIUS server in our AD environment. Is this the only solution to our issue?

Thanks for the help!
-Evan


#2

Your SonicWALL should be able to query for LDAP group memberships via the Duo Authentication proxy.

Can you describe your setup a bit more? Are you using local group policies?


#3

What sort of info would you like on our setup?

We originally were using a RADIUS setup with Duo and SonicWall, but that did not bring over our Active Directory group membership that assigns VPN access and what they can access.

We then switched it to LDAP authentication, hoping it would use our Active Directory groups.

The group memberships are set up in Active Directory.
We then have groups set up on the SonicWall SRA pointing to those Active Directory groups, with policies restricting access.

The groups set up on the SonicWall are set up for specific SonicWall domains. Our production domain is an Active Directory domain; however, when we switched to the LDAP setup for Duo it was configured as an LDAP domain.

I do not see any way to apply AD groups to an LDAP domain on the SonicWall.

Thanks again for your help!

-Evan


#4

Ah, I get it.

While the SRA doesn’t let you automatically associate LDAP groups with local groups, you can specify an LDAP attribute for the local group that will associate it with the AD group via LDAP.

Take a look at the SonicWALL SMA guide here, specifically the memberof example in step 23 of the “Group Configuration for LDAP Authentication Domains” section.


#5

Great! That worked! Unfortunately, SonicWall only lets you add 8 Base DNs in LDAP domains, which is not sufficient for us.

Looks like we may have to use NPS (Network Policy Server) from the Windows Server roles. Is this possible using Duo, SonicWall SRA, and NPS?

Thanks again.

-Evan


#6

Yes, you’d just switch from [ad_client] to [radius_client] and use your NPS server and the remote RADIUS host. You may also want to enable the [pass_through_all] option so that the list of groups returned by NPS gets passed all the way back through the Duo proxy.

Good luck and thanks for trying Duo!
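As an added illustration of the change described in #6 (not part of the original thread), here is what the swap looks like in the Duo Authentication Proxy's authproxy.cfg: the [ad_client] primary-auth section is replaced by a [radius_client] section pointing at NPS, and the SonicWall-facing [radius_server_auto] section gets pass_through_all=true so the group attributes NPS returns are copied into the proxy's reply. The keys, hostnames, secrets and addresses below are placeholders, not values from the thread.

```ini
; --- BEFORE: primary authentication against AD directly (this is what the ---
; --- thread started with; group attributes never reach the SonicWall)       ---
;[ad_client]
;host=dc1.example.local            ; placeholder domain controller
;service_account_username=duosvc   ; placeholder service account
;service_account_password=********
;search_dn=DC=example,DC=local

; --- AFTER: primary authentication delegated to NPS over RADIUS -----------
[radius_client]
host=nps1.example.local           ; placeholder: your NPS server
secret=NPS_SHARED_SECRET_PLACEHOLDER
port=1812                         ; NPS default authentication port

; --- Section the SonicWall SRA talks to ------------------------------------
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX          ; placeholder Duo integration key
skey=SKEY_PLACEHOLDER             ; placeholder Duo secret key
api_host=api-XXXXXXXX.duosecurity.com
; Which primary authenticator to use: the RADIUS client above, not AD.
client=radius_client
; The SonicWall SRA is the RADIUS client of the proxy.
radius_ip_1=192.0.2.10            ; placeholder SonicWall address
radius_secret_1=SRA_SHARED_SECRET_PLACEHOLDER
; Copy every RADIUS attribute NPS returned (e.g. group/policy attributes)
; into the Access-Accept the proxy sends back to the SonicWall.
pass_through_all=true
failmode=safe
```

The `pass_through_all` knob lives in the server section rather than being a section of its own, and only attributes that NPS actually emits in its network policy get forwarded, so confirm the NPS policy returns the group attribute the SonicWall expects before relying on it for access decisions.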