DUO MFA for RADIUS VPN Connections
This post covers implementation for MFA via firewall VPN connections using RADIUS authorization.
1.) Log into your DUO admin panel and create an application for RADIUS.
2.) Install the DUO Auth Proxy client on the server you wish to use to submit the RADIUS requests from. You'll specify the Integration key, Secret key and API hostname referenced in the previous step during the installation.
3.) Open Network Policy Server, this is normally setup on your Domain Controller If it isn't go ahead and install the roles/features needed.
4.) Right-click RADIUS Clients within the GUI and select New. You'll be prompted to provide a Friendly Name and IP or internal DNS. Create your secret at this time and take note of it.
5.) Go back to the server you installed the Auth Proxy client on and open the config for it located at: C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg. Yours should have the following values specified:
[main]
debug=true
[cloud]
ikey=(DUO Account Integration Key)
skey=(DUO Account Secret Key)
api_host=api-e402f8ec.duosecurity.com
[radius_client]
host=(Server Hosting NPS)secret=(Key of RADIUS User Created in NPS)
[ad_client]
host=(Active Directory Server IP)search_dn=(dc=internal,dc=domain,dc=com) - Search Level for Users in AD
[radius_server_auto]
ikey=(Application Integration Key in DUO)
skey=(Application Secret Key in DUO)
api_host=(Your API Hostname in DUO)
radius_ip_1=(IP RADIUS Uses)
radius_secret_1=(Key Created in NPS)
client=radius_client
allow_concat=false
port=(Port to Use for Firewall to RADIUS)
failmode=safe
Restart the DUO service to commit your conf changes.
6.) Open DUO and import a list of your users via .csv file. You'll then be able to send Activation and Invite links to their email addresses or phone # if specified in AD.
7.) Once users complete the DUO mobile app install and activate their accounts you'll be able to tie in the firewall
8.) Log into your firewall and find the RADIUS section currently used to authenticate your users. If this isn't configured for VPN yet just open up the appropriate section anyway. We'll be replacing all settings here anyway.
9.) Specify the internal IP where you installed the Auth Proxy client on and port you used in the config above. Place the Shared Secret and Confirm. Save and you should be up and running. Test from outside your network to ensure your configuration worked.
10.) Celebrate! It's also worth noting you change change delivery methods via the DUO admin site. The most secure method at this time is PUSH.
If you think this post could be improved or needs to be updated please let me know.