Duo Security Authentication Integration Guide

Duo Security Integration Overview

This document describes the steps to integrate WatchGuard Mobile VPN with SSL client software download access and Mobile VPN with SSL client authentication with Duo Security’s® two-factor authentication solution.

Duo Security offers user authentication by passcode, push, phone or SMS. All of these authentication methods have been successfully verified for use with Mobile VPN with SSL client software download access and to connect to the Firebox with the Mobile VPN with SSL client.

The workflow for two-factor authentication through integration with Duo is shown here:

Screen shot of Duo two-factor authentication workflow diagram

  1. The user initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends an authentication request to Duo’s Authentication Proxy.
  3. The Authentication Proxy completes primary authentication using RADIUS.
  4. The Authentication Proxy establishes a secure connection to the Duo Security service.
  5. Secondary authentication is conducted through the Duo Security service.
  6. The Authentication Proxy receives a secondary authentication result from the Duo Security service.
  7. The Firebox grants the user access.

Test topology

This diagram shows the test topology for this integration.

Screen shot of Duo Security Integration test topology diagram

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox T10 device installed with Fireware v11.11.2
  • Duoauthproxy-2.4.17 on Windows
  • Freeradius-server-2.2.3
  • Duo Mobile Application 3.12.1 on Android

Two-Factor Authentication Methods

When you use two-factor authentication, you can use any of the four secondary authentication methods supported by Duo in the Password text box when you log in to the Firebox.

In the examples below, the user name is yan, the password is password, and the Duo provided passcode is nnnnnn.

  1. <password>,<passcode>
    The user types their password and appends a passcode from the Duo Mobile app.
    Example:
    User name: yan
    Password: password, nnnnnn
  2. <password>,push
    After the user name, password, and key word push are submitted to the Firebox, the user must approve the authentication request in the Duo Mobile app on their phone.
    Example:
    User name: yan
    Password: password, push
  3. <password>,phone
    After the user name, password, and key word phone are submitted to the Firebox, the user must press any key on their phone to approve the subsequent authentication request.
    Example:
    User name: yan
    Password: password, phone
  4. <password>,sms
    The initial submission of user name, password, and key word sms to the Firebox (this authentication attempt is expected to fail) causes the user to receive ten passcodes on their phone through SMS. The user then conducts a new authentication request, this time specifying one of the received passcodes (as shown in option 1 above).
    Example:
    User name: yan
    Password: password, sms
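The following is an added example, not part of the WatchGuard guide or Duo's software: a small model of how the Password field is split into the primary password and the Duo factor, and of the order in which the workflow above treats them (primary authentication first, then the secondary step). The PRIMARY_USERS table is a constructed stand-in for the RADIUS server.

```python
# Constructed primary credential store standing in for the RADIUS server of the test topology.
PRIMARY_USERS = {"yan": "password"}

# Key words the guide lists for the Password text box; a numeric passcode is the fourth form.
FACTOR_KEYWORDS = ("push", "phone", "sms")


def parse_password_field(value):
    """Split '<password>,<factor>' into (primary_password, factor, passcode).

    Splits on the LAST comma so a primary password that itself contains commas
    survives, and tolerates whitespace after the comma ('password, push' in the
    guide's examples). Returns None when no recognised factor suffix is present.
    """
    password, sep, factor = value.rpartition(",")
    factor = factor.strip().lower()
    if not sep or not password:
        return None
    if factor in FACTOR_KEYWORDS:
        return (password, factor, None)
    if factor.isdigit():  # passcode from Duo Mobile or an SMS batch ('nnnnnn' in the guide)
        return (password, "passcode", factor)
    return None


def evaluate_login(username, field):
    """Model the guide's workflow: primary authentication first, then the Duo step."""
    parsed = parse_password_field(field)
    if parsed is None:
        return "reject: password field lacks a valid factor suffix"
    password, factor, passcode = parsed
    if PRIMARY_USERS.get(username) != password:
        return "reject: primary authentication failed"  # Duo is never contacted
    if factor == "passcode":
        return f"verify passcode {passcode} with Duo"
    if factor == "sms":
        # The guide says this attempt is expected to fail; it only triggers the SMS batch.
        return "reject: SMS passcodes sent, retry with <password>,<passcode>"
    return f"wait for out-of-band {factor} approval"
```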

Configuration

To complete this integration, you must have:

  • Duo account
  • Duo Authentication Proxy
  • RADIUS server
  • WatchGuard Firebox

You use the Duo account to log in to the Duo Service to manage applications, enroll users, and get integration keys. The Duo Authentication Proxy acts as a bridge. It communicates with the RADIUS server, the Duo Security service in the cloud, the WatchGuard Firebox, and the Duo mobile app. The RADIUS server is used for primary user authentication.

In our configuration, the Duo Authentication Proxy and the RADIUS server were located on the same subnet.

Create a Duo Account

To create a Duo account:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and select Applications.
  3. Select Protect an Application and find RADIUS in the applications list.
  4. Select Protect this Application to get an integration key, secret key, and API hostname.
  5. Select User and enroll the user as defined on the RADIUS server into Duo. Include the user’s phone number.
  6. After enrollment, activate the user.

Configure the Duo Authentication Proxy for Primary Authentication

The Duo Authentication Proxy is the system that validates the user password. In most cases, you must configure the Proxy to communicate with a RADIUS server.

To configure the Proxy, add a [radius_client] section at the top of the file that includes the properties described below. All properties are required.

Property    Description
host        The IP address of the RADIUS server
secret      A secret to be shared between the Proxy and the RADIUS server

For example:

[radius_client]
host=10.0.1.18
secret=password

Make sure that the RADIUS server is configured to accept authentication requests from the Duo Authentication Proxy.

Configure the Duo Authentication Proxy to Work with the Firebox

To configure the Duo Authentication Proxy to work with the Firebox, create a [radius_server_auto] section in the Proxy configuration file that includes the properties described below. All properties are required.

Make sure to save the configuration file when you are done.

Property          Description
ikey              The integration key, as referenced in the Create a Duo Account section of this document.
skey              The secret key, as referenced in the Create a Duo Account section of this document.
api_host          The API hostname, as referenced in the Create a Duo Account section of this document.
radius_ip_1       The IP address of the Firebox that is connected to the Proxy.
radius_secret_1   A secret to be shared between the Proxy and the Firebox.
client            Set this to radius_client, which means the Proxy uses RADIUS for primary authentication. Make sure a [radius_client] section as described above is configured.

An example configuration file that uses RADIUS could look like this:

[radius_client]
host=10.0.1.18
secret=password
pass_through_all=true

[radius_server_auto]
ikey=DI5G8WL3F2SPLZIBVHED
skey=sEyhfVljR2ork5og8rwvKxiXXXXXXXXX
api_host=api-77800a8d.duosecurity.com
radius_ip_1=10.0.1.10
radius_secret_1=password
client=radius_client
port=1812
failmode=safe
pass_through_all=true
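As an added example (not part of the guide or of Duo's tooling), this check reads an authproxy.cfg with Python's standard configparser and reports the problems a practitioner would want caught before starting the service: a required property missing from either section, a client= value that names no section, and shared secrets still set to the value used in the example above. SAMPLE_CFG is constructed from the example above with placeholders in place of the real keys.

```python
import configparser

# Keys the guide marks as required in each section of authproxy.cfg.
REQUIRED = {
    "radius_client": ("host", "secret"),
    "radius_server_auto": ("ikey", "skey", "api_host", "radius_ip_1",
                           "radius_secret_1", "client"),
}

# Constructed configuration text following the guide's example, with placeholder keys.
SAMPLE_CFG = """[radius_client]
host=10.0.1.18
secret=password

[radius_server_auto]
ikey=<integration key from the Duo Admin Panel>
skey=<secret key from the Duo Admin Panel>
api_host=<API hostname from the Duo Admin Panel>
radius_ip_1=10.0.1.10
radius_secret_1=password
client=radius_client
port=1812
failmode=safe
"""


def check_authproxy_cfg(text):
    """Return a list of problems found in the configuration; an empty list means it passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append(f"[{section}] is missing {key}")
    # client= must name a section that exists, otherwise primary authentication has no backend.
    client = cfg.get("radius_server_auto", "client", fallback="")
    if client and not cfg.has_section(client):
        problems.append(f"client={client} does not name a configured section")
    # Shared secrets copied verbatim from the guide's example must be replaced before deployment.
    for section, key in (("radius_client", "secret"), ("radius_server_auto", "radius_secret_1")):
        if cfg.get(section, key, fallback="") == "password":
            problems.append(f"[{section}] {key} is the example value 'password'")
    return problems
```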

Start the Duo Authentication Proxy

On the Windows computer where the Duo Authentication Proxy is installed, open an Administrator command prompt and type this command:

net start DuoAuthProxy

Configure RADIUS Authentication Server on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the navigation menu, select Authentication > Servers > RADIUS.
  3. Select the Enable RADIUS Server check box.
  4. In the IP Address text box, type the IP address of the Duo Authentication Proxy server.
  5. In the Port text box, type 1812.
  6. In the Passphrase and Confirm text boxes, type your passphrase. This must match the radius_secret_1 value in the Proxy configuration file.
  7. In the Timeout text box, type 60 seconds.
  8. Leave the default values for other settings.
  9. Click Save.

Screen shot of Fireware Web UI Authentication, Servers, RADIUS dialog box

Configure a User Group on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the navigation menu, select Authentication > Users and Groups.
    If you want, you can use the default SSLVPN-Users group for authentication. Or, you can add the names of users and groups to match those defined on your RADIUS server.
  3. Click Add.
  4. On the Add User or Group page, type a Name and Description.
  5. From the Authentication Server drop-down list, select RADIUS.

Screen shot of Fireware Web UI Authentication, Users and Groups, Add dialog box

  6. Click OK.

Screen shot of Fireware Web UI Authentication, Servers, Users and Groups dialog box

  7. Click Save.

Configure Mobile VPN with SSL on the Firebox

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. From the navigation menu, select VPN > Mobile VPN with SSL.
  3. From the General tab, select the Activate Mobile VPN with SSL check box.
  4. In the Primary text box, type the IP address or domain name to which the mobile clients will connect. In our example, we type 10.138.101.10.
    Configure networking settings and add an IP address pool if required.

Screen shot of the Fireware Web UI, VPN, Mobile VPN with SSL dialog box, General tab

  5. Select the Authentication tab.
  6. Select the RADIUS server.
  7. (Optional) We recommend that you select the Force users to authenticate after a connection is lost check box.
  8. Click Add.

Screen shot of the Fireware Web UI, VPN, Mobile VPN with SSL dialog box, Authentication tab

  9. On the Add User or Group page, for Type, select User.
  10. In the Name text box, type a user name.
  11. From the Authentication Server drop-down list, select RADIUS.
  12. Click OK.

Screen shot of the Fireware Web UI, Add User or Group dialog box

  13. Click Save.

When Mobile VPN with SSL is activated, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created and added to your configuration to allow SSL VPN connections from the Internet to the external interface. You can use this group or create new groups that match the user group names defined on your authentication server.

Download the Mobile VPN with SSL Client Software

To download the Mobile VPN with SSL client software:

  1. Connect to your Firebox at https://[device_interface_IP_address]:4100/sslvpn.html.
    You see the authentication page.
  2. In the Username text box, type your user name.
  3. In the Password text box, type your password and append one of the four supported values for two-factor authentication. Review the Two-Factor Authentication Methods section for the exact syntax; in general, you type the password, a comma, and the additional value required by the method you choose.
    • <password>,<passcode>
    • <password>,push
    • <password>,phone
    • <password>,sms

Screen shot of the Firebox log in dialog box

  4. Click Login.
  5. Click Download for the Mobile VPN with SSL client software that matches your computer operating system.

Screen shot of the Firebox Download the Mobile VPN with SSL dialog box

Mobile VPN with SSL Client Authentication

After the Mobile VPN with SSL client is downloaded and configured on your computer, you can use any of the four supported two-factor authentication methods to connect to your Firebox with the Mobile VPN client software. These methods are described in the Two-Factor Authentication Methods section.

The authentication window looks like this:

Screen shot of the WatchGuard Mobile VPN with SSL dialog box
