01-25-2022 01:05 PM
Hey guys,
Our customer wants to implement DUO to protect a Cisco RA VPN solution. We are using a local identity store (Cisco ISE and AD as a backend). The customer wants to know exactly which information will be transmitted from the Authentication Proxy to the DUO cloud (i.e. only the phone number or something else). Unfortunately I didn’t find any documentation about that.
Thanks in advance!
01-25-2022 02:32 PM
If you implement Duo using RADIUS or LDAP authentication then the /preauth and /auth POST requests in the Duo Auth API v1 documentation are a good reference for what information might potentially get sent to Duo during two-factor authentication via the Duo Authentication Proxy.
01-26-2022 12:38 AM
Thank you for your response!
Could you please clarify one thing for me: I believe that if we are using a local identity store, we don’t need to store username/password pairs in the DUO cloud (that’s why we want to use a local identity store). In this case, which username will be sent from the DUO Authentication Proxy to the DUO cloud?
Thanks in advance!
01-26-2022 07:12 AM
There actually is no way to store your user passwords in the Duo cloud service. Duo’s service never saves or even sees the primary login password in 2FA scenarios, and instead verifies credentials received against your on-premises identity store. (If you were to deploy Duo Single Sign-On with Active Directory authentication, then Duo’s cloud-hosted SSO service does take the password submitted at the login screen to verify against AD, but does not save or store it).
The username sent to Duo is generally going to be what the user submits for VPN login.
Example of a VPN that sends RADIUS requests to the Duo Authentication Proxy, and the Duo proxy is configured to use AD for primary auth and to send an automatic push to the user.
01-26-2022 08:46 AM
Thank you very much for the response!