I was able to get the USG and Duo working together by using the Duo Auth Proxy and having it connect to the Network Policy Server (NPS) running on my windows server. I talked with support because I couldn’t get the above working and they gave me the suggestion to use the NPS instead. Here’s what I did:
I am assuming a VPN is already in place with the USG, just moving it to work with Duo.
In the USG controller go to Profiles --> Create new RADIUS profile
Profile Name : Primary Domain Controller (PDC) name
Place both check marks under VLAN support: Enable RADIUS assigned VLAN for Wired network, Enable RADIUS assigned VLAN for Wireless network
RADIUS auth Server IP address set IP address of PDC
Generate a secure password and store it
Save the profile.
Under networks edit the VPN network and set it to use the RADIUS profile just created
On the PDC
• From Server Manager Add Roles and Features. Select Network Policy and Access Services. Select Add Features to include the management tools. Next several times and then install.
• Once the feature is installed you can select NPAS or NAP depending on server version on the left. Then right click on the local server and choose Network Policy Server.
• Expand RADIUS Clients and Servers right click on RADIUS Clients and new.
1. Set check for Enable this RADIUS Client
2. Friendly name: Duo Auth Proxy (DAP)
3. Set IP Address of the machine with DAP.
4. Set Manual Share secret and paste in the shared secret you created above.
5. Press OK
• Leave your window open and go to Active Directory. Make a new security group VPN-Users. Add users who will access the VPN.
• Switch back to the Policy Server. Expand Policies --> Network Policies.
1. Right click on Network Policies on the left, select New.
2. Set Policy name as Unifi VPN, leave Type of network access server as Unspecified. Click Next
3. Click Add to put in a condition: Select Windows Groups and click Add
4. Click Add Groups and put in the VPN-Users group we created before. Click OK, Click Next.
5. Make sure Access granted is selected and press next.
6. On the Configure Authentication Methods remove check mark for MS-CHAP. Click Next.
7. Set Idle Time out to disconnect after the maximum idle time of 30 minutes. Click Next.
8. Select the Encryption table and remove check marks so only Strongest encryption (MPPE 128-bit) is selected. Click Next.
9. Click Finish
• For the users you’ll only need to add them to the VPN-Users group. If you’re converting from a PPTP VPN you may need to edit the users and set the Dial-In tab to "Control access through the NPS Network Policy.
Still on the PDC edit the Duo Auth Proxy config and add these sections
host=local host IP
secret=generated secret from above
ikey=from Duo application
skey=from Duo application
api_host=from Duo application
radius_secret_1=generated secret from above
Restart the Duo Auth Proxy service
Test. This had it working for me. You’ve got a bit under 30 seconds to respond to the Push on your phone before the connection times out. If there is a way to control this it would be via SSH and I don’t know the specifics.