Sophos UTM - Without AD or RADIUS


#1

Below is a quote from: Duo integrates with your Sophos UTM

“This Duo proxy server also acts as a RADIUS server — there’s no need to deploy a separate RADIUS server to use Duo.”

How???

Maybe I overlooked something, but the instructions on that page show how to use Duo with an external AD or RADIUS server. How can I make the Duo proxy server also act as a RADIUS server?

Basically, have the Sophos UTM still handle authentication but also require Duo push in order to login to the user portal, web admin and SSL VPN.

UPDATE: Now I realize why I can’t do what I want. Sophos only has the following options for user authentication: Local, None and Remote.

Tell me if I’m wrong… Someone should probably remove that line I quoted from the Duo doc or add more details. That statement led me to waste time figuring out that, "yes, I can use Duo proxy without a separate RADIUS server, but both Sophos and Duo authenticate users without need of a password."


#2

The Duo Authentication Proxy is your remote RADIUS server, so when you are done your deployment may look like…

UTM > Duo Authentication Proxy (RADIUS) > AD (LDAP)

or

UTM > Duo Authentication Proxy (RADIUS) > NPS or another upstream RADIUS server.

Basically, you point the Duo proxy at your primary authentication store, and you point the UTM at the Duo proxy. The Duo server verifies primary auth success and then adds 2FA.

If a device supports chained or secondary authentication, it’s possible to keep whatever primary authentication configuration is currently in use intact and add Duo only for secondary authentication. However, I believe UTM doesn’t support local auth followed by remote auth for secondary, only local OR remote.


#3

Thank you for responding. I was able to get it working with NPS.

I still think the statement below should be reworded or a notation should be added to the documentation because it is ambiguous and unintentionally misleading.

“This Duo proxy server also acts as a RADIUS server — there’s no need to deploy a separate RADIUS server to use Duo.”


#4

In the vast majority of Duo Authentication Proxy installations for devices and services using RADIUS this is a true statement; there is no need to deploy a second RADIUS server in addition to the Duo Authentication Proxy server that handles RADIUS requests. The Duo Authentication proxy acts as a client to an upstream existing LDAP or RADIUS primary authentication service, and itself acts as a RADIUS or LDAP server to devices or applications.

The majority of our VPN customers already have an external authentication service in use, and now they want to add Duo 2FA to these logins. That’s why the instructions on the rest of the page reference configuring your primary authenticator in the Duo proxy, and then move on to configuring your device as a RADIUS client of the Duo proxy.

Even when someone is not using external primary authentication, many devices support adding separate RADIUS secondary authentication while using a different primary authentication source (which may even be the local DB of the device). For example, Cisco ASA, Juniper/Pulse SSL VPN, and Citrix NetScaler all support adding Duo as secondary authentication for MFA only. In these configurations it is also not necessary to configure a separate RADIUS server in addition to the Duo proxy.

It sounds like you were not already using an external service for authentication, and additionally that the UTM does not support combining local primary with secondary external authentication. This is not the typical use case and I apologize for the instructions seeming confusing or misleading for this reason.

I’m a bit confused now as well. It sounds like you do not have Active Directory (based on your other post), but set up NPS. I’m guessing that you configured the Duo proxy as a RADIUS client of that NPS server, and then pointed the UTM to the Duo proxy? Were you using UTM local authentication before? Did you recreate the local UTM users in NPS?

We don’t recommend using Duo as your only authenticator, so just trying to figure out what is providing primary authentication in this scenario.


#5

That may very well be the case but using Duo with the Sophos UTM DOES require an additional RADIUS server so I stand by my claim that that statement should not be included in the Duo/Sophos document or a notation should be added. People attempting to implement Duo have varying levels of experience. Where can I get the “Duo for dummies” book :wink:

The rest of your previous post is dead on and the answer is “yes” to all of your questions. Once I added NPS and added a RADIUS client, I simply went into Sophos and changed the users from Local to Remote. AD is overkill for my needs so I added the same Sophos users to the Windows server’s local Users/Groups. It’s working superbly. The other thing that caused me some grief was when I created my NPS policies. It took quite a while for me to figure out that I had to move them up in the list. When I created them, they were placed below the default policies so my connections failed until I moved them up.

Thanks for following up!
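The chain that posts #2 and #5 describe (UTM as a RADIUS client of the Duo Authentication Proxy, the proxy as a RADIUS client of NPS) is expressed in the proxy's authproxy.cfg. The fragment below is an added illustration written for this thread, not configuration taken from the original posts or from Duo's documentation; the IP addresses, shared secrets and the ikey/skey/api_host values are placeholders you replace with your own, and the section and key names are the standard authproxy.cfg ones.

```ini
; Upstream primary authentication: the Duo proxy is a RADIUS client of NPS.
; NPS must list the proxy host as a RADIUS client with this same secret,
; and the matching network policy must sit above the default deny policies.
[radius_client]
host=192.0.2.10            ; placeholder: NPS server address
secret=NPS_SHARED_SECRET   ; placeholder: secret configured on the NPS RADIUS client entry
port=1812

; Downstream: the Duo proxy is the RADIUS server that the Sophos UTM talks to.
; "client=radius_client" ties this listener to the [radius_client] section above,
; so a request is only sent to Duo after NPS accepts the primary credentials.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX          ; placeholder: Duo integration key
skey=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef  ; placeholder: Duo secret key
api_host=api-XXXXXXXX.duosecurity.com           ; placeholder: Duo API hostname
radius_ip_1=192.0.2.1              ; placeholder: Sophos UTM address
radius_secret_1=UTM_SHARED_SECRET  ; placeholder: secret entered in the UTM RADIUS server definition
client=radius_client
port=1812
failmode=safe
```

In the UTM, the remote authentication server entry then points at the proxy host with `UTM_SHARED_SECRET`, and the affected users are switched from Local to Remote as described in post #5. With `failmode=safe` the proxy lets a login through if the Duo cloud service is unreachable after primary authentication has already succeeded; set `failmode=secure` if you would rather deny logins in that situation. The `radius_server_auto` listener never accepts a request on its own: with `client=radius_client` configured, NPS must first return Access-Accept, so neither Sophos nor Duo ends up authenticating users without a password.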


#6

The Sophos UTM deployment with Duo, as documented on our site end to end, does not require a separate RADIUS server from the Duo Authentication Proxy.

Thanks for trying Duo!