Duo Security Authentication Integration Guide

Duo Security Integration Overview

This document describes the steps to integrate WatchGuard Mobile VPN with SSL client software download access and Mobile VPN with SSL client authentication with the Duo Security® two-factor authentication solution.

The workflow for two-factor authentication through integration with Duo is shown here:

Screenshot of Duo two-factor authentication workflow diagram

  1. The user initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends an authentication request to Duo’s Authentication Proxy.
  3. The Authentication Proxy completes primary authentication using RADIUS.
  4. The Authentication Proxy establishes a secure connection to the Duo Security service.
  5. Secondary authentication is conducted through the Duo Security service.
  6. The Authentication Proxy receives a secondary authentication result from the Duo Security service.
  7. The Firebox grants the user access.

Test topology

This diagram shows the test topology for this integration.

Topology diagram

Platform and Software

The hardware and software used in this guide include:

  • Firebox with Fireware v12.5.5 or higher
  • Duoauthproxy-5.1.1 on Windows
  • Windows Server 2016 with Microsoft Network Policy Server (NPS) and Active Directory Domain Services
  • Duo Mobile Application 3.44.0.20 on iOS

Configuration

To complete this integration, you must have:

  • Duo account
  • Duo Authentication Proxy
  • RADIUS server
  • WatchGuard Firebox

You use the Duo account to log in to the Duo Service to manage applications, enroll users, and get integration keys. The Duo Authentication Proxy acts as a bridge. It communicates with the RADIUS server, the Duo Security service in the cloud, the WatchGuard Firebox, and the Duo mobile app. The RADIUS server is used for primary user authentication.

In our configuration, the Duo Authentication Proxy and the RADIUS server (Microsoft NPS) were located on the same subnet.

Configure Microsoft NPS Server

For instructions on how to configure Active Directory Domain Services, see the Microsoft documentation for Active Directory.

  1. On the Windows server, run Server Manager.
  2. Select Tools > Network Policy Server.
    The Network Policy Server console appears.
  3. Select RADIUS Clients and Servers > RADIUS Clients.
  4. Right-click RADIUS Clients and select New.
    The New RADIUS Client window appears.
  5. In the Friendly name text box, type a name.
  6. In the Address (IP or DNS) text box, type the IP address of the Duo Authentication Proxy. In our example, the IP address of the Duo Authentication Proxy is 192.168.4.18.
  7. In the Shared secret and Confirm shared secret text boxes, type a shared secret key. This key is used to communicate with the Duo Authentication Proxy.

    You must use the same shared secret key when you configure Duo Authentication Proxy for Primary Authentication.

  8. Screenshot of NPS, picture1

  9. Click OK.
  10. Screenshot of NPS, picture7

  11. Select Policies > Connection Request Policies. Make sure the default policy is enabled.
  12. Screenshot of NPS, picture3

  13. Right-click Network Policies and select New.
    The New Network Policy window appears.
  14. In the Policy Name text box, type a name for this policy. In our example, we type ecotest.
  15. Click Next.
  16. In the Specify Conditions section, click Add.
  17. Select User Groups. Click Add > Add Groups.
  18. In the Enter the object name to select text box, type the group name. The name of this group must match the name of the Active Directory group your users belong to.
  19. Click OK.
  20. Click OK.
  21. Screenshot of NPS, picture4

  22. Click Next.
  23. Click Next.
  24. In the Configure Authentication Methods section, select the Unencrypted authentication (PAP, SPAP) check box.
  25. Screenshot of NPS, picture5

  26. Click Next.
  27. Click No.
  28. Click Next.
  29. In the Configure Settings section, click Add. In our example we use group authentication; if you want to use user authentication instead, skip Steps 24 to 30.
  30. From the Attributes list, select Filter-Id. Click Add.
  31. Click Add.
  32. In the Attribute Information window, in the text box type a group name. The name of this group must match the name of the Active Directory group your users belong to.
  33. Screenshot of NPS, picture8

  34. Click OK.
  35. Click OK.
  36. Click Close.
  37. Screenshot of NPS, picture9

  38. Click Next.
  39. Click Finish.
  40. Screenshot of NPS, picture6

  41. Right-click NPS (Local) and select Register server in Active Directory.
  42. Click OK.
  43. Click OK.

Configure Firebox

You must configure the RADIUS authentication settings and enable Mobile VPN with SSL on your Firebox.

Configure RADIUS Authentication

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page appears.
  3. Screenshot of Firebox, picture1

  4. From the Authentication Servers list, select RADIUS.
    The RADIUS page appears.
  5. Click Add.
    The Add page appears.
  6. In the Domain Name text box, type the domain name for this RADIUS server. Users must specify this domain name on the user login page. You cannot change the domain name after you save the settings.
  7. In the Primary Server Settings section, select the Enable RADIUS Server check box.
  8. In the IP Address text box, type the IP address of the Duo Authentication Proxy.
  9. In the Port text box, leave the default port setting of 1812.
  10. In the Shared Secret and Confirm Secret text boxes, type a shared secret key. This key is used to communicate with the Duo Authentication Proxy Server.
  11. In the Timeout text box, type 60.
  12. Leave the default value for Group Attribute.
  13. Click Save.
  14. Screenshot of Firebox, picture2

Configure Mobile VPN with SSL

  1. Select VPN > Mobile VPN.
  2. In the SSL section, click Manually Configure.
  3. Screenshot of Firebox, picture3

  4. Select the Activate Mobile VPN with SSL check box.
  5. In the General section, in the Primary text box, type the public IP address (external IP address) or domain name of the Firebox. This is the IP address or domain name that Mobile VPN with SSL clients connect to by default.
  6. Select the Authentication tab.
  7. From the Authentication Server drop-down list, select the authentication server you created. Click Add.
  8. In the Authentication Server list, select your authentication server and click Move Up to move it to the top of the list to make it the default authentication server.
    Mobile VPN with SSL uses the default authentication server unless a user specifies an authentication server in the Username text box on the Mobile VPN with SSL client.
  9. In the Users and Groups section, from the Create new drop-down list, select the authentication server you created.
  10. From the adjacent drop-down list, select Group. You can add a user or a group. In our example, we add a group.
  11. Click Add.
    The Add User or Group dialog box appears.
  12. For Type, select Group.
  13. In the Name text box, type a name for the group. The name of this group must match the name of the Active Directory group your users belong to.
  14. From the Authentication Server drop-down list, select your authentication server.
  15. Click Save.
  16. Screenshot of Firebox, picture5

  17. Click Save.

Configure Duo

Setting Up an Application

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and select Applications.
  3. Select Protect an Application and find RADIUS in the application list.
  4. Select Protect to get the values of Integration key, Secret key, and API hostname.
  5. Click Save.

Sync Users to Duo from Active Directory

Organizations with an existing on-premises Microsoft Active Directory domain can import users, phones, and groups into Duo with directory synchronization.

For detailed instructions to sync users from Active Directory, see Synchronizing Users from Active Directory.

Configure the Duo Authentication Proxy for Primary Authentication

The Duo Authentication Proxy is the system that validates the user password. In most cases, you must configure the Proxy to communicate with a RADIUS server.

To configure the Proxy, add a [radius_client] section at the beginning of the Proxy configuration file that includes the properties described in this list. All properties are required.

Property    Description
host        The IP address of the RADIUS server
secret      A secret to be shared between the Proxy and the RADIUS server

For example:

[radius_client]
host=192.168.4.19
secret=password
pass_through_all=true

Make sure that the RADIUS server is configured to accept authentication requests from the Duo Authentication Proxy.

Configure the Duo Authentication Proxy to Work with the Firebox

To configure the Duo Authentication Proxy to work with the Firebox, create a [radius_server_auto] section in the Proxy configuration file that includes the properties described in this list. All properties are required.

Make sure to save the configuration file when you are done.

Property          Description
ikey              The Integration key, as described in the Setting Up an Application section of this document.
skey              The Secret key, as described in the Setting Up an Application section of this document.
api_host          The API hostname, as described in the Setting Up an Application section of this document.
radius_ip_1       The IP address of the Firebox that connects to the Proxy.
radius_secret_1   A secret that is shared between the Proxy and the Firebox.
client            Set this value to radius_client so that the Proxy uses RADIUS for primary authentication. Make sure a [radius_client] section, as described previously, is configured.

An example configuration file that uses RADIUS could look like this:

[radius_client]
host=192.168.4.19
secret=password
pass_through_all=true

[radius_server_auto]
ikey=DI1P3C6JS19G2HGP1X51
skey=75zNRZqbpMtZoOALwKC2oLyrsGKxOVa0ZOHlGW5m
api_host=api-5320f474.duosecurity.com
radius_ip_1=192.168.4.10
radius_secret_1=password
client=radius_client
port=1812
failmode=safe
pass_through_all=true
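As an added sanity check (not part of WatchGuard's guide or Duo's own tooling), the following Python script reads an authproxy.cfg with the two sections described above and reports missing required properties, trivial shared secrets, a client value other than radius_client, and a failmode that lets logins through while the Duo service is unreachable. The embedded sample is constructed with placeholder keys and hostname; it is not the guide's real example file.

```python
import configparser

# Constructed sample modelled on the guide's example authproxy.cfg; the keys
# and API hostname are placeholders, not real Duo credentials.
SAMPLE_CFG = """[radius_client]
host=192.168.4.19
secret=password

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SKEY
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.168.4.10
radius_secret_1=password
client=radius_client
port=1812
failmode=safe
"""
# Properties the guide lists as required in each section.
REQUIRED = {
    "radius_client": ("host", "secret"),
    "radius_server_auto": ("ikey", "skey", "api_host", "radius_ip_1",
                           "radius_secret_1", "client"),
}
WEAK_SECRETS = {"password", "secret", "radius", "changeme"}


def check_authproxy_cfg(text):
    """Return a list of findings; an empty list means the file passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            findings.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                findings.append(f"[{section}] lacks required property {key}")
    # The shared secrets protect the RADIUS legs to NPS and to the Firebox.
    for section, key in (("radius_client", "secret"),
                         ("radius_server_auto", "radius_secret_1")):
        value = cfg.get(section, key, fallback="")
        if value and (len(value) < 16 or value.lower() in WEAK_SECRETS):
            findings.append(f"[{section}] {key} is weak; use a long random value")
    srv = cfg["radius_server_auto"] if cfg.has_section("radius_server_auto") else {}
    if srv and srv.get("client") != "radius_client":
        findings.append("[radius_server_auto] client must be radius_client")
    if srv and srv.get("failmode", "safe").lower() != "secure":
        findings.append("[radius_server_auto] failmode=safe allows logins while Duo is unreachable; consider failmode=secure")
    return findings
```

Run it against the sample and it reports the two weak secrets and the failmode setting; point it at your own file with `check_authproxy_cfg(open(path).read())`.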

Start the Duo Authentication Proxy

On the Windows computer where the Duo Authentication Proxy is installed, open an Administrator command prompt and type this command:

net start DuoAuthProxy

Test the Integration

To test the integration of your Mobile VPN with SSL, you authenticate with a mobile token on your mobile device. You can authenticate with a passcode or a push notification.

If you select passcode authentication, you must type your password, then a comma, and then the passcode from the Duo Mobile app.

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

  1. Open your Mobile VPN with SSL client.
  2. From the Server drop-down list, select the external IP address of the Firebox.
  3. Type your username and password.
  4. Click Connect.
  5. Approve the authentication request that is sent to your mobile device.
    You are logged in successfully.
  6. Screenshot of authentication diagram