Thank you for responding. I was able to get it working with NPS.

I still think the statement below should be reworded or a notation should be added to the documentation because it is ambiguous and unintentionally misleading.

“This Duo proxy server also acts as a RADIUS server — there’s no need to deploy a separate RADIUS server to use Duo.”

In the vast majority of Duo Authentication Proxy installations for devices and services using RADIUS this is a true statement; there is no need to deploy a second RADIUS server in addition to the Duo Authentication Proxy server that handles RADIUS requests. The Duo Authentication proxy acts as a client to an upstream existing LDAP or RADIUS primary authentication service, and itself acts as a RADIUS or LDAP server to devices or applications.

The majority of our VPN customers already have an external authentication service in use, and now they want to add Duo 2FA to these logins. That’s why the instructions on the rest of the page reference configuring your primary authenticator in the Duo proxy. and then move on to configuring your device as a RADIUS client of the Duo proxy.

Even when someone is not using external primary authentication, many devices support adding separate RADIUS secondary authentication while using a different primary authentication source (which may even be the local DB of the device). For example, Cisco ASA, Juniper/Pulse SSL VPN, and Citrix NetScaler all support adding Duo as secondary authentication for MFA only. In these configurations it is also not necessary to configure a separate RADIUS server in addition to the Duo proxy.

It sounds like you were not already using an external service for authentication, and additionally that the UTM does not support combining local primary with secondary external authentication. This is not the typical use case and I apologize for the instructions seeming confusing or misleading for this reason.

I’m a bit confused now as well. It sounds like you do not have Active Directory (based on your other post), but set up NPS. I’m guessing that you configured the Duo proxy as a RADIUS client of that NPS server, and then pointed the UTM to the Duo proxy? Were you using UTM local authentication before? Did you recreate the local UTM users in NPS?

We don’t recommend using Duo as your only authenticator, so just trying to figure out what is providing primary authentication in this scenario.

That may very well be the case but using Duo with the Sophos UTM DOES require an additional RADIUS server so I stand by my claim that that statement should not be included in the Duo/Sophos document or a notation should be added. People attempting to implement Duo have varying levels of experience. Where can I get the “Duo for dummies” book

The rest of your previous post is dead on and the answer is “yes” to all of your questions. Once I added NPS and added a RADIUS client, I simply went into Sophos and changed the users from Local to Remote. AD is overkill for my needs so I added the same Sophos users to the Windows server’s local Users/Groups. It’s working superbly. The other thing that caused me some grief was when I created my NPS policies. It took quite a while for me to figure out that I had to move them up in the list. When I created them, they were placed below the default policies so my connections failed until I moved them up.

Thanks for following up!

The Sophos UTM deployment with Duo, as documented on our site end to end, does not require a separate RADIUS server from the Duo Authentication Proxy.

Thanks for trying Duo!