Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1023
Views
3
Helpful
4
Replies

Information transmitted between Auth Proxy and DUO Cloud

Go to solution
m.va.levin
Level 1
Level 1

‎01-25-2022 01:05 PM

Hey guys,

Our customer want to implement DUO to protect Cisco RA VPN solution. We are using local identity store (Cisco ISE and AD as a backend). Customer want to know which information exactly will be transmitted from Authentication proxy to the DUO cloud (i.e. only phone number or something else). Unfortunately I didn’t find any documentation about that.

Thanks in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to m.va.levin

‎01-26-2022 07:12 AM

There actually is no way to store your user passwords in the Duo cloud service. Duo’s service never saves or even sees the primary login password in 2FA scenarios, and instead verifies credentials received against your on-premises identity store. (If you were to deploy Duo Single Sign-On with Active Directory authentication, then Duo’s cloud-hosted SSO service does take the password submitted at the login screen to verify against AD, but does not save or store it).

The username sent to Duo is generally going to be what the user submits for VPN login.

Example of a VPN that sends RADIUS requests to the Duo Authentication Proxy, and the Duo proxy is configured to use AD for primary auth and to send an automatic push to the user.

  1. user types in username “lee” and primary password at the VPN client
  2. VPN receives the user’s login request and sends a RADIUS request to the Duo proxy. The RADIUS packet contains the username, password, and calling-station-id attributes.
  3. The Duo proxy receives the radius requests and sends the username and password to the configured AD for verification.
  4. AD confirms the primary credentials back to the Duo proxy.
  5. The Duo proxy then starts 2FA and sends the preauth request to Duo’s service. This request contains the username from the login request, and the IP address from calling-station-id.
  6. The Duo proxy responds to preauth with the allowed factors for the user.
  7. The Duo proxy sends an auth request to Duo’s service, again sending the username and IP request from the login request plus the factor selection (auto)
  8. The user receives a Duo Push and approves it.
  9. Duo’s service receives the push approval and sends that approval to the Duo proxy.
  10. The Duo proxy returns a RADIUS accept to the VPN.
  11. The user is logged in to the VPN.
Duo, not DUO.

View solution in original post

4 Replies 4

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎01-25-2022 02:32 PM

If you implement Duo using RADIUS or LDAP authentication then the /preauth and /auth POST requests in the Duo Auth API v1 documentation are a good reference for what information might potentially get sent to Duo during two-factor authentication via the Duo Authentication Proxy.

  • username
  • IP address if available (when received as calling-station-id in a RADIUS packet)
  • factor selection or passcode
Duo, not DUO.

Go to solution
m.va.levin
Level 1
Level 1
In response to DuoKristina

‎01-26-2022 12:38 AM

Thank you for your response!

Could you please clarify one thing for me: I believe if we are using local Identity store we don’t need to store username/password pairs in the DUO cloud (that’s why we want to use local identity store), so in this case which username will be sent from DUO Authentication Proxy to DUO cloud?

Thanks in advance!

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to m.va.levin

‎01-26-2022 07:12 AM

There actually is no way to store your user passwords in the Duo cloud service. Duo’s service never saves or even sees the primary login password in 2FA scenarios, and instead verifies credentials received against your on-premises identity store. (If you were to deploy Duo Single Sign-On with Active Directory authentication, then Duo’s cloud-hosted SSO service does take the password submitted at the login screen to verify against AD, but does not save or store it).

The username sent to Duo is generally going to be what the user submits for VPN login.

Example of a VPN that sends RADIUS requests to the Duo Authentication Proxy, and the Duo proxy is configured to use AD for primary auth and to send an automatic push to the user.

  1. user types in username “lee” and primary password at the VPN client
  2. VPN receives the user’s login request and sends a RADIUS request to the Duo proxy. The RADIUS packet contains the username, password, and calling-station-id attributes.
  3. The Duo proxy receives the radius requests and sends the username and password to the configured AD for verification.
  4. AD confirms the primary credentials back to the Duo proxy.
  5. The Duo proxy then starts 2FA and sends the preauth request to Duo’s service. This request contains the username from the login request, and the IP address from calling-station-id.
  6. The Duo proxy responds to preauth with the allowed factors for the user.
  7. The Duo proxy sends an auth request to Duo’s service, again sending the username and IP request from the login request plus the factor selection (auto)
  8. The user receives a Duo Push and approves it.
  9. Duo’s service receives the push approval and sends that approval to the Duo proxy.
  10. The Duo proxy returns a RADIUS accept to the VPN.
  11. The user is logged in to the VPN.
Duo, not DUO.

Go to solution
m.va.levin
Level 1
Level 1
In response to DuoKristina

‎01-26-2022 08:46 AM

Thank you very much for response!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents