SonicWALL TZ + Duo + ActiveDirectory/LDAP?

Hi there,

I’m having a heck of a time figuring out how to integrate Duo with SonicWall TZ SSL-VPN logins. I understand I’m supposed to follow the instructions in the generic RADIUS guide Two-Factor Authentication Using RADIUS | Duo Security however in our implementation user logins are validated against Active Directory via LDAP, and as I understand it doing RADIUS would just mess things up.

Obviously I don’t understand this very well and when I searched these forums I found a few others that may have implemented the same thing.

This help article https://help.duo.com/s/article/4500?language=en_US says the user authentication method needs to be RADIUS (currently ours is set to “Local Users + LDAP”). So that’s one source of confusion.

I also read through the authproxy reference guide Duo Authentication Proxy Reference | Duo Security for configuring the Authentication Proxy for RADIUS, but I don’t quite understand this.

Some clear concise steps would be most appreciated. I hope I provided enough information.

What you would be doing is replacing your current LDAP authentication method on the TZ with a new RADIUS authenticator, which points to the [radius_server_auto] configuration section on your new Duo Authentication Proxy server.

The Duo proxy server in turn points to your current LDAP server (this is the [ad_client] configuration section).

When a user logs into the TZ, the TZ forwards the authentication request to the Duo Authentication Proxy server using RADIUS. The Duo server verifies the user’s LDAP credential against your LDAP server, and if that’s successful it contacts Duo’s cloud service to send the 2FA request to the user. Once the user approves the Duo request, the approval is returned back to the TZ from Duo’s service via the Duo proxy server.

That help article isn’t very useful, as it doesn’t give any information about how to add Duo as a RADIUS server. I can pass on that feedback.

Configuring RADIUS authentication is described starting on page 1519 of the SonicOS 6.2 manual here. We don’t have documented Duo instructions for the TZ admin interface, but if you take a look at our SonicWall SRA/SMA+RADIUS auto instructions they will give you an idea of the steps you’d need to take on the TZ (1. Add the Duo proxy as a RADIUS server. 2. Update the SSL VPN config to use the new Duo RADIUS server.).

If you would like to continue using LDAP authentication on your TZ you can do so. You still use the Duo Authentication Proxy, but configure it as an LDAP server that in turn points to your existing LDAP server. You would replace your current LDAP server on the TZ with the Duo proxy. See our LDAP instructions for more information.

Thank you for the detailed information! I have another question. I already have Duo set up for the domain for Microsoft RDP (to protect local and remote Windows logins), thus on one of my servers I have the Duo Authentication Proxy set up and it is doing Active Directory Sync. In the authproxy.cfg file, only one section exists, which is [cloud]. I followed these instructions for that setup: https://duo.com/docs/syncing_users_from_active_directory#duo-authentication-proxy

If I want to integrate Duo with SonicWALL SSL-VPN logins using NetExtender, how would I go about modifying my authproxy.cfg file to achieve both protected applications? According to the LDAP instructions, I’m supposed to use [ad_client] to have Active Directory as my primary authenticator, but wouldn’t that break directory sync?

I appreciate your support!

You can use your existing Duo proxy server and append the TZ config to the [cloud] config you have in place. Your authproxy.cfg file would wind up looking something like this:

[cloud]
ikey=(the integration key for your AD sync)
skey=(the secret key for your AD sync)
host=(your Duo API hostname)

[ad_client]
host=(the IP or hostname of your AD DC or whatever the TZ uses for auth now without Duo)
service_account_username=(some account in the AD domain that can look up users)
service_account_password=(that service account's password)
search_dn=(your AD domain tree like DC=example,DC=com)

[radius_server_auto]
client=ad_client
ikey=(the integration key for your RADIUS Duo app)
skey=(the secret key for your RADIUS Duo app)
host=(your Duo API hostname)
radius_ip_1=(the IP address of your TZ)
radius_secret_1=(a shared secret you will enter on the TZ when you add the Duo RADIUS server)
port=1812

This article might help: https://help.duo.com/s/article/1124
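The merged file above is easy to get subtly wrong (a dropped [cloud] header, a client= that names a section that does not exist, a radius_ip_N without its radius_secret_N). The following is an added sanity check, not Duo's own tooling; it parses an authproxy.cfg with Python's configparser and reports the wiring mistakes between the three sections discussed in this thread. The sample config and every value in it are constructed placeholders.

```python
import configparser
from typing import List

# Constructed sample of the merged authproxy.cfg from the thread above;
# every key, host and password here is a placeholder, not a real value.
SAMPLE_CFG = """\
[cloud]
ikey=DIPLACEHOLDERSYNC0000
skey=PLACEHOLDER_SYNC_SECRET
host=api-PLACEHOLDER.duosecurity.com

[ad_client]
host=dc1.example.com
service_account_username=svc_duo
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=com

[radius_server_auto]
client=ad_client
ikey=DIPLACEHOLDERRADIUS00
skey=PLACEHOLDER_RADIUS_SECRET
host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_SHARED_SECRET
port=1812
"""

# Keys each section must carry, taken from the config posted in the thread.
REQUIRED = {
    "cloud": ("ikey", "skey", "host"),
    "ad_client": ("host", "service_account_username", "service_account_password", "search_dn"),
    "radius_server_auto": ("client", "ikey", "skey", "host", "port"),
}


def check_authproxy_cfg(text: str) -> List[str]:
    """Return the problems found in an authproxy.cfg; an empty list means it is wired up."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(text)
    except configparser.MissingSectionHeaderError:
        # Key/value lines before any [section]: typically a lost [cloud] header.
        return ["key/value lines appear before the first [section] header"]
    problems = []
    for section, keys in REQUIRED.items():
        if section not in cfg:
            problems.append(f"missing section [{section}]")
            continue
        problems += [f"[{section}] lacks {k}" for k in keys if not cfg[section].get(k, "").strip()]
    if "radius_server_auto" in cfg:
        radius = cfg["radius_server_auto"]
        client = radius.get("client", "")
        if client and client not in cfg:  # client= must name the primary authenticator section
            problems.append(f"[radius_server_auto] client={client} names a section that does not exist")
        if not any(k.startswith("radius_ip_") and radius.get("radius_secret_" + k[10:]) for k in radius):
            problems.append("[radius_server_auto] needs at least one radius_ip_N/radius_secret_N pair")
        if not radius.get("port", "1812").isdigit():
            problems.append("[radius_server_auto] port must be numeric")
        if "cloud" in cfg and radius.get("ikey") and cfg["cloud"].get("ikey") == radius.get("ikey"):
            problems.append("[cloud] and [radius_server_auto] share an ikey; they are separate Duo applications")
    return problems
```

Run it against your real file with `check_authproxy_cfg(open("authproxy.cfg").read())` before restarting the proxy service; an empty list means the three sections reference each other as the thread describes.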