cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2286
Views
1
Helpful
13
Replies

Meraki Client VPN and DUO for 2fa

tantony
Level 1
Level 1

Anyone here familiar with using DUO for 2fa for Meraki Client VPN? Currently user are authenticated via AD for VPN using RADIUS. My AD servers are both Windows Server 2008, but I think I think if I want to use DUO I have to use at least Windows Server 2012 or later?

13 Replies 13

DuoPablo
Cisco Employee
Cisco Employee

Hi @tantony ,

If using a RADIUS integration method, you will need to deploy a Duo Authentication Proxy, which is (at minimum) supported on Windows Server 2012. The OS version of your domain controllers should not matter to Duo.

While the Auth Proxy may run on Windows Server 2008 (which might largely depend on the version/release you choose to deploy), it cannot be supported via Duo Technical Support.

Please see Knowledge Base | Duo Security

Hope this helps!

tantony
Level 1
Level 1

Hi @DuoPablo

Thanks for the reply. In the Meraki Dashboard, I’m using RADIUS authentication method. The 2 RADIUS servers are my DCs. I understand to deploy the Duo Authentication Proxy, I need at least a Windows Server 2012 or later. I have a Windows Server 2019, so I’ll deploy the Proxy on it. I also understand I can use my current Windows Server 2008.

I didn’t get a chance to read Duo documentation yet, but how does this work? Once I install the Duo Proxy server, do I add that server in my Meraki Dashboard and remove my current DCs?

I’m using port 1812 (for NPS, Network Policy Server) now, so when I install the proxy server, I can may be use port 1912? So once the user enters their AD username and password, and if its correct, they need to go through a push or text notification from the Duo app on their smart phone to get connected to VPN?

Hi @tantony, Correct, you’ll point your MX to the IP of the Duo Auth Proxy server, and the port listed is just for the communications from your MX to the Proxy (so it won’t matter if you are using 1812 for another service on your DCs) - The MX sends the request to the proxy, the proxy validates the AD creds and if they are correct sends out a push request to your Duo cloud App API and down to the user, once they approve the auth proxy sends the success message to the MX and your user is in. The Duo Auth Proxy service is very lightweight and it’s recommended to have at least 2 auth proxies for redundancy… (once you’ve configured the first one you could probably deploy a 2nd in ~15 minutes)

tantony
Level 1
Level 1

@Sheridan_Palmer

Thank you. According to the documentation, it looks like I can also install the proxy server on an Ubuntu OS. I already have a laptop running Ubuntu to test. How does Duo app know the phone numbers of the users? Do I enter the user’s phone number under the ‘Telephones’ tab in AD for each user?

If yes, if a user changes phone number, just update that in AD?

@tantony ,

You may choose to sync phone numbers as part of your Directory Sync.

Otherwise, during enrollment the user will be able to specify the phone number they wish to use for Duo MFA.

tantony
Level 1
Level 1

@DuoPablo , @Sheridan_Palmer

Thank you. I think I’ll try the Ubuntu install. I have about 50 users in my company. How can I find out about licensing and price?

I’m back from my trip, so I installed the Duo Proxy Server on a Windows Server 2019. I need to adjust the authproxy.cfg file. Can you put me in touch with my local sales rep?

I’m in Baltimore MD.

I have a question about the authproxy_passwd.exe program. I opened the program from command prompt, and I typed in the password that I want to use, and I got output with a bunch of characters. Where do I copy and paste that into the authproxy.cfg?

Do I create a [main] section? then under that secret_protected?

Like this?

[main]
debug=true
log_max_files = 10
log_max_size=20971520
secret_protected=PUT THE OUTPUT CHARACTERS HERE IN ONE LINE

tantony
Level 1
Level 1

I found this post, although its for Linux. But it looks like I put that under service_account_password_protected

Is this correct?

[main]
debug=true
log_max_files = 50
log_max_size=20971520
service_account_password_protected=THE OUTPUT FROM COMMAND PROMPT

@DuoPablo , @Sheridan_Palmer

Please see my post. I’m trying to edit the file and test it before my vacation.

tantony
Level 1
Level 1

Anybody? Is Duo closed?

Hello @tantony,

You may find all info about password encryption here: Duo Authentication Proxy Reference.

HTH
Antony

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links