Integrate Duo with VMware VCSA 6.5 (VMware vCenter Server Appliance)?


#1

Hello guys,

I am in a position where I am unable to find a solution to roll out Duo with VMware VCSA 6.5 (VMware vCenter Server Appliance). I called Duo Support and they provided me with 2 solutions, using Proxy LDAP or RADIUS authentication. I reviewed the VMware documentation and found out that these 2 methods are not supported by VMware. https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-ACFFCBEC-6C1C-4BF9-9971-04AEE9362AFE.html

I am writing this post in the hope that anyone out there can shed some light on this problem. I am sure someone has already tried to implement Duo with their VMware environment. What is your solution, and how did you do it, please?

Thanks,
T.


#2

While you’re right that VMware removed support for other RADIUS two-factor providers in vSphere (gotta love corporate synergy), LDAP authentication is still supported.

With that said, we don’t recommend or support Duo MFA with vCenter SSO because we found that in some vCenter configurations it’s trivially easy to bypass two-factor.

Thanks for trying Duo!


#3

The vCenter SSO “Use Windows session authentication” does not apply to us because we use a different superadmin account with Domain Admins access to log in to vCenter instead of our regular normal login account.

I got the LDAP authentication working with Duo. However, I cannot get the Duo login screen to come up so that I can choose to “Send a Push, Call me, or Enter a passcode” or choose Hardware tokens as the MFA method to log in. With that said, as soon as I enter my username and password and click login, I immediately get the Duo Push notification on my phone. It didn’t let me choose whether I can use my hardware token to log in. This will be an issue when we don’t have access to our phone or if the phone runs out of battery. Is there a way that I can get the Duo login screen to come up when using LDAP authentication, please?

Thanks,
T.


#4

Sorry, there is no way to show the interactive, browser-based Duo Prompt in your configuration. The [ldap_server_auto] configuration implies exactly that: it defaults to automatic Duo auth request during ldap auth.

You can find a full explanation of which Duo factor types may be used with the Authentication Proxy’s LDAP server config in our LDAP application documentation.


#5

Thanks Kristina. In that case, do we have a workaround for the situation when my phone battery is out and I have the hardware token with me… ?


#6

Excerpt from linked documentation (emphasis mine):

When you enter your username and password, you will receive an automatic push or phone callback. Alternatively you can add a comma (",") to the end of your password, followed by a Duo passcode.

So, use the token passcode as your Duo passcode.

It’s also a good idea to have more than one device enrolled in Duo as a backup, like a landline or Google Voice number. Then you’d specify the other phone with password,phone2.
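To make the append-mode behaviour described in this reply concrete, here is an added example (not code from this thread, from Duo, or from the Authentication Proxy) that models how a proxy can split what the user typed into the primary password and the Duo factor selector. The accepted selector names (`push`, `phone`, `sms`, an optional device number such as `phone2`, or an all-digit passcode) and the handling of an unrecognised suffix are my assumptions about Duo’s documented syntax, not something the thread confirms; the inputs at the bottom are constructed.

```python
# Added example: model of Duo Authentication Proxy "append mode" parsing.
# Assumption: the text after the LAST comma selects the factor; everything
# before it is the primary (LDAP) password, so a comma inside the real
# password survives. Factor names and device-number suffixes are assumed
# from Duo's append-mode syntax and are not taken from the thread.
import re
from dataclasses import dataclass
from typing import Optional

# push / phone / sms with an optional device index, e.g. "phone2" or "push3"
FACTOR_RE = re.compile(r"^(push|phone|sms)(\d+)?$")


@dataclass
class AppendModeResult:
    password: str          # primary password forwarded to the LDAP server
    factor: str            # "auto", "push", "phone", "sms" or "passcode"
    device_index: int      # 1 = the user's default enrolled device
    passcode: Optional[str] = None  # set only when factor == "passcode"


def split_append_mode(entered: str) -> AppendModeResult:
    """Separate the typed credential into primary password + Duo factor."""
    if "," not in entered:
        # No selector: the proxy falls back to automatic push/phone callback,
        # which is exactly the [ldap_server_auto] behaviour the thread describes.
        return AppendModeResult(entered, "auto", 1)

    password, _, suffix = entered.rpartition(",")

    if suffix.isdigit():
        # Hardware-token or app passcode: the workaround when the phone is dead.
        return AppendModeResult(password, "passcode", 1, suffix)

    match = FACTOR_RE.match(suffix)
    if match:
        device = int(match.group(2) or 1)
        return AppendModeResult(password, match.group(1), device)

    # Assumption: an unrecognised suffix is treated as part of the password
    # rather than rejected, so a password containing a comma still works.
    return AppendModeResult(entered, "auto", 1)


def looks_like_hardware_token_code(code: str) -> bool:
    """Sanity check for the passcode shape an OTP hardware token produces."""
    return code.isdigit() and 6 <= len(code) <= 8


if __name__ == "__main__":
    # Constructed inputs, not real credentials.
    for typed in ("Hunter2", "Hunter2,123456", "Hunter2,phone2", "pa,ss,push"):
        result = split_append_mode(typed)
        print(f"{typed!r:20} -> factor={result.factor:8} "
              f"device={result.device_index} passcode={result.passcode}")
```

Usage note: with a plain password the model falls through to the automatic push, which is why the interactive Duo Prompt never appears in this setup; appending `,<token code>` is what lets a hardware token be used, and `,phone2` routes the callback to a backup device such as the landline suggested above.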


#7

This alternative work-around works. Thanks!


#8

Can you comment more on the nature of the bypass ability/support for vCenter SSO, or is that a support-case type conversation? I don’t see a public KB/statement on the issues.


#9
  1. You configure LDAP auth with vCenter pointing to the Duo Authentication Proxy.
  2. Users on Windows workstations may use integrated/SSPI authentication to sign into vCenter (the “Use Windows session authentication” option TheZealous mentioned earlier in this thread).
  3. Integrated/SSPI logins aren’t using the vCenter’s Duo LDAP authenticator, so they don’t get 2FA.

This doesn’t apply if you’re in an environment where nobody can sign into vCenter with Windows pass-through creds.