Our customer want to implement DUO to protect Cisco RA VPN solution. We are using local identity store (Cisco ISE and AD as a backend). Customer want to know which information exactly will be transmitted from Authentication proxy to the DUO cloud (i.e. only phone number or something else). Unfortunately I didn’t find any documentation about that.
Thanks in advance!
If you implement Duo using RADIUS or LDAP authentication then the
/auth POST requests in the Duo Auth API v1 documentation are a good reference for what information might potentially get sent to Duo during two-factor authentication via the Duo Authentication Proxy.
- IP address if available (when received as calling-station-id in a RADIUS packet)
- factor selection or passcode
Thank you for your response!
Could you please clarify one thing for me: I believe if we are using local Identity store we don’t need to store username/password pairs in the DUO cloud (that’s why we want to use local identity store), so in this case which username will be sent from DUO Authentication Proxy to DUO cloud?
Thanks in advance!
There actually is no way to store your user passwords in the Duo cloud service. Duo’s service never saves or even sees the primary login password in 2FA scenarios, and instead verifies credentials received against your on-premises identity store. (If you were to deploy Duo Single Sign-On with Active Directory authentication, then Duo’s cloud-hosted SSO service does take the password submitted at the login screen to verify against AD, but does not save or store it).
The username sent to Duo is generally going to be what the user submits for VPN login.
Example of a VPN that sends RADIUS requests to the Duo Authentication Proxy, and the Duo proxy is configured to use AD for primary auth and to send an automatic push to the user.
- user types in username “lee” and primary password at the VPN client
- VPN receives the user’s login request and sends a RADIUS request to the Duo proxy. The RADIUS packet contains the username, password, and calling-station-id attributes.
- The Duo proxy receives the radius requests and sends the username and password to the configured AD for verification.
- AD confirms the primary credentials back to the Duo proxy.
- The Duo proxy then starts 2FA and sends the preauth request to Duo’s service. This request contains the username from the login request, and the IP address from calling-station-id.
- The Duo proxy responds to preauth with the allowed factors for the user.
- The Duo proxy sends an auth request to Duo’s service, again sending the username and IP request from the login request plus the factor selection (auto)
- The user receives a Duo Push and approves it.
- Duo’s service receives the push approval and sends that approval to the Duo proxy.
- The Duo proxy returns a RADIUS accept to the VPN.
- The user is logged in to the VPN.
Thank you very much for response!