Anyone here familiar with using DUO for 2FA for Meraki Client VPN? Currently users are authenticated via AD for VPN using RADIUS. My AD servers are both Windows Server 2008, but I think if I want to use DUO I have to use at least Windows Server 2012 or later?
Hi @tantony ,
If using a RADIUS integration method, you will need to deploy a Duo Authentication Proxy, which is (at minimum) supported on Windows Server 2012. The OS version of your domain controllers should not matter to Duo.
Please see Knowledge Base | Duo Security
Hope this helps!
Thanks for the reply. In the Meraki Dashboard, I’m using RADIUS authentication method. The 2 RADIUS servers are my DCs. I understand to deploy the Duo Authentication Proxy, I need at least a Windows Server 2012 or later. I have a Windows Server 2019, so I’ll deploy the Proxy on it. I also understand I can use my current Windows Server 2008.
I didn’t get a chance to read Duo documentation yet, but how does this work? Once I install the Duo Proxy server, do I add that server in my Meraki Dashboard and remove my current DCs?
I’m using port 1812 (for NPS, Network Policy Server) now, so when I install the proxy server, I can maybe use port 1912? So once the user enters their AD username and password, and if it’s correct, they need to go through a push or text notification from the Duo app on their smartphone to get connected to VPN?
Hi @tantony, Correct, you’ll point your MX to the IP of the Duo Auth Proxy server, and the port listed is just for the communications from your MX to the Proxy (so it won’t matter if you are using 1812 for another service on your DCs) - The MX sends the request to the proxy, the proxy validates the AD creds and if they are correct sends out a push request to your Duo cloud App API and down to the user, once they approve the auth proxy sends the success message to the MX and your user is in. The Duo Auth Proxy service is very lightweight and it’s recommended to have at least 2 auth proxies for redundancy… (once you’ve configured the first one you could probably deploy a 2nd in ~15 minutes)
Thank you. According to the documentation, it looks like I can also install the proxy server on an Ubuntu OS. I already have a laptop running Ubuntu to test. How does Duo app know the phone numbers of the users? Do I enter the user’s phone number under the ‘Telephones’ tab in AD for each user?
If yes, if a user changes phone number, just update that in AD?
You may choose to sync phone numbers as part of your Directory Sync.
Otherwise, during enrollment the user will be able to specify the phone number they wish to use for Duo MFA.
Thank you. I think I’ll try the Ubuntu install. I have about 50 users in my company. How can I find out about licensing and price?
I’m back from my trip, so I installed the Duo Proxy Server on a Windows Server 2019. I need to adjust the authproxy.cfg file. Can you put me in touch with my local sales rep?
I’m in Baltimore MD.
I have a question about the authproxy_passwd.exe program. I opened the program from command prompt, and I typed in the password that I want to use, and I got output with a bunch of characters. Where do I copy and paste that into the authproxy.cfg?
Do I create a [main] section? Then under that secret_protected?
log_max_files = 10
secret_protected=PUT THE OUTPUT CHARACTERS HERE IN ONE LINE
I found this post, although it’s for Linux. But it looks like I put that under service_account_password_protected
Is this correct?
log_max_files = 50
service_account_password_protected=THE OUTPUT FROM COMMAND PROMPT
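An added example, not part of the original posts and not Duo's own code: a small Python check for the placement question above, extended to the other secrets in the RADIUS setup described earlier in the thread. It assumes the section and key names from Duo's documented authproxy.cfg layout ([ad_client], [radius_server_auto], skey, radius_secret_1, client); the function name `lint` is hypothetical and the sample config is constructed with placeholder values.

```python
import configparser

# (plaintext key, protected key) pairs per section type. Names follow Duo's
# documented authproxy.cfg layout (an assumption; not taken from this thread).
SECRETS = {
    "ad_client": [("service_account_password", "service_account_password_protected")],
    "radius_server_auto": [("skey", "skey_protected"),
                           ("radius_secret_1", "radius_secret_protected_1")],
}
OWNER = {k: sec for sec, pairs in SECRETS.items() for pair in pairs for k in pair}

# Constructed sample: one misplaced key, one plaintext secret. Values are placeholders.
SAMPLE_CFG = """
[main]
log_max_files=10
service_account_password_protected=CONSTRUCTED-BLOB
[ad_client]
host=192.0.2.10
service_account_username=duosvc
search_dn=DC=example,DC=com
[radius_server_auto]
skey=PLACEHOLDER-PLAINTEXT
radius_ip_1=192.0.2.1
radius_secret_protected_1=CONSTRUCTED-BLOB
client=ad_client
port=1812
"""

def lint(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        kind = section.rstrip("0123456789")  # radius_server_auto2 -> radius_server_auto
        for key in cp[section]:
            home = OWNER.get(key)
            if home and home != kind:
                findings.append(f"[{section}] {key}: misplaced, belongs in [{home}]")
        for plain, protected in SECRETS.get(kind, []):
            if plain in cp[section]:
                findings.append(f"[{section}] {plain}: plaintext secret, use {protected}")
            elif protected not in cp[section]:  # assumes a password-based AD bind
                findings.append(f"[{section}] {protected}: missing")
        client = cp[section].get("client", "")
        if kind == "radius_server_auto" and client not in cp.sections():
            findings.append(f"[{section}] client={client}: no such section")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CFG)))
```

On the constructed sample this reports the key left under [main], the resulting gap in [ad_client], and the plaintext skey.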
Please see my post. I’m trying to edit the file and test it before my vacation.
Anybody? Is Duo closed?