Duo Security Authentication Integration Guide

Duo Security and Firebox Integration Overview

This document describes the steps to integrate WatchGuard Mobile VPN with SSL client software download access and Mobile VPN with SSL client authentication with Duo Security’s® two-factor authentication solution.

The workflow for two-factor authentication with Duo is shown here:

Diagram of Firebox and Duo two-factor authentication workflow diagram

  1. The user initiates primary authentication to the WatchGuard Firebox.
  2. The Firebox sends an authentication request to Duo’s Authentication Proxy.
  3. The Authentication Proxy completes primary authentication using RADIUS.
  4. The Authentication Proxy establishes a secure connection to the Duo Security service.
  5. Secondary authentication is performed through the Duo Security service.
  6. The Authentication Proxy receives a secondary authentication result from the Duo Security service.
  7. The Firebox grants the user access.

Test Topology

This diagram shows the test topology for this integration.

Topology diagram for Firebox and Duo integration

Platform and Software

The hardware and software used in this integration include:

  • Firebox with Fireware v12.8 or higher
  • Duo Security Authentication Proxy 5.6.1 on Windows
  • Windows Server 2016 with Microsoft Network Policy Server (NPS) and Active Directory Domain Services
  • Duo Mobile Application 4.13.0.21 on iOS

Configuration

To complete this integration, you must have:

  • Duo account
  • Duo Authentication Proxy
  • RADIUS server
  • WatchGuard Firebox

Use the Duo account to log in to the Duo Service to manage applications, enroll users, and get integration keys. The Duo Authentication Proxy acts as a bridge. It communicates with the RADIUS server, the Duo Security service in the cloud, the WatchGuard Firebox, and the Duo mobile app. The integration uses the RADIUS server for primary user authentication.

In our configuration, the Duo Authentication Proxy and the RADIUS server (Microsoft NPS) are located on the same subnet.

Configure Microsoft NPS Server

For instructions on how to configure Active Directory Domain Services, see the Microsoft documentation for Active Directory.

  1. On the Windows server, run Server Manager.
  2. Select Tools > Network Policy Server.
    The Network Policy Server console appears.
  3. Select RADIUS Clients and Servers > RADIUS Clients.
  4. Right-click RADIUS Clients and select New.
    The New RADIUS Client window appears.
  5. In the Friendly name text box, type a name.
  6. In the Address (IP or DNS) text box, type the IP address of the Duo Authentication Proxy. In our example, the IP address of the Duo Authentication Proxy is 192.168.4.18.
  7. In the Shared secret and Confirm shared secret text boxes, type a shared secret key. This key is used to communicate with the Duo Authentication Proxy.

    You must use the same shared secret key when you configure Duo Authentication Proxy for Primary Authentication.

  8. Screenshot of the NPS RADIUS client configuration

  9. Click OK.
  10. Screenshot of the NPS RADIUS client configuration

  11. Select Polices > Connection Request Policies. Make sure the default policy is enabled.
  12. Screenshot of the NPS policy configuration

  13. Right-click Network Policies and select New.
    The New Network Policy window appears.
  14. In the Policy Name text box, type a name for this policy. In our example, we type ecotest.
  15. Click Next.
  16. In the Specify Conditions section, click Add.
  17. Select User Groups. Click Add > Add Groups.
  18. In the Enter the object name to select text box, type the group name. The name of this group must match the name of the Active Directory group your users belong to.
  19. Click OK.
  20. Click OK.
  21. Screenshot of the NPS policy conditions configuration

  22. Click Next.
  23. Click Next.
  24. In the Configure Authentication Methods section, select the Unencrypted authentication (PAP, SPAP) check box.
  25. Screenshot of the NPS policy authentication methods configuration

  26. Click Next.
  27. Click No.
  28. Click Next.
  29. In the Configure Settings section, click Add. In our example, we use group authentication, if you want to use user authentication, skip Steps 24—30.
  30. From the Attributes list, select Filter-Id. Click Add.
  31. Click Add.
  32. In the Attribute Information window, type a group name in the text box. The name of this group must match the name of the Active Directory group your users belong to.
  33. Screenshot of the NPS attribute information configuration

  34. Click OK.
  35. Click OK.
  36. Click Close.
  37. Screenshot of the NPS configuration settings

  38. Click Next.
  39. Click Finish.
  40. Screenshot of the NPS policy completed configuration

  41. Right-click NPS (Local) and select Register server in Active Directory.
  42. Click OK.
  43. Click OK.

Configure Firebox

You must configure the RADIUS authentication settings and enable Mobile VPN with SSL on your Firebox.

Configure RADIUS Authentication

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Servers.
    The Authentication Servers page appears.
  3. Screenshot of the Firebox Authentication Servers page

  4. From the Authentication Servers list, select RADIUS.
    The RADIUS page appears.
  5. Click Add.
    The Add page appears.
  6. In the Domain Name text box, type the domain name for this RADIUS server. Users must specify this domain name on the user login page. You cannot change the domain name after you save the settings.
  7. In the Primary Server Settings section, select the Enable RADIUS Server check box.
  8. In the IP Address text box, type the IP address of the Duo Authentication Proxy.
  9. In the Port text box, leave the default port setting of 1812.
  10. In the Shared Secret and Confirm Secret text boxes, type a shared secret key. This key is used to communicate with the Duo Authentication Proxy Server.
  11. In the Timeout text box, type 60.
  12. Leave the default value for Group Attribute.
  13. Click Save.
  14. Screenshot of the primary RADIUS server settings on the Firebox

Configure Mobile VPN with SSL

  1. Select VPN > Mobile VPN.
  2. In the SSL section, click Manually Configure.
  3. Screenshot of the Mobile VPN with SSL page on the Firebox

  4. Select the Activate Mobile VPN with SSL check box.
  5. In the General section, for the Primary text box, type the public IP address (External IP address) or domain name of the Firebox. This is the IP address or domain name that Mobile VPN with SSL clients connect to by default.
  6. Select the Authentication tab.
  7. From the Authentication Server drop-down list, select the authentication server you created. Click Add.
  8. In the Authentication Server list, select your authentication server and click Move Up to move it to the top of the list to make it the default authentication server.
    Mobile VPN with SSL uses the default authentication server unless a user specifies an authentication server in the User name text box on the Mobile VPN with SSL client.
  9. In the Users and Groups section, from the Create new drop-down list, select the authentication server you created.
  10. From the adjacent drop-down list, select Group. You can add a user or a group. In our example, we add a group.
  11. Click Add.
    The Add User or Group dialog box appears.
  12. For Type, select Group.
  13. In the Name text box, type a name for the group. The name of this group must match the name of the Active Directory group your users belong to.
  14. From the Authentication Server drop-down list, select your authentication server.
  15. Click Save.
  16. Screenshot of Authentication Servers configuration page on the Firebox

  17. Click Save.

Configure Duo

Set Up an Application

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and select Applications.
  3. Select Protect an Application and select RADIUS in the application list.
  4. Select Protect to see the values for the Integration key, Secret key, and API hostname. Copy these values as you will use them in the Configure the Duo Authentication Proxy to Work with the Firebox section.
  5. Click Save.

Sync Users to Duo from Active Directory

Organizations with an existing on-premises Microsoft Active Directory domain can import users, phones, and groups into Duo with directory synchronization.

For detailed instructions to sync users from Active Directory into Duo, see Synchronizing Users from Active Directory.

Configure the Duo Authentication Proxy for Primary Authentication

The Duo Authentication Proxy is the system that validates the user password. In most cases, you must configure the Proxy to communicate with a RADIUS server.

To configure the Proxy, add a [radius_client] section at the beginning of the file that includes the properties described in this list. All properties are required.

Properties

Description

host

The IP address of the RADIUS server

secret

A shared secret between the Proxy and the RADIUS server

For example:

[radius_client]
host=192.168.4.19
secret=password
pass_through_all=true

Make sure that the RADIUS server is configured to accept authentication requests from the Duo Authentication Proxy.

Configure the Duo Authentication Proxy to Work with the Firebox

To configure the Duo Authentication Proxy to work with the Firebox, create a [radius_server_auto] section in the Proxy configuration file that includes the properties described in this list. All properties are required.

Make sure to save the configuration file when you are done.

Properties

Description

ikey

The Integration key, as referenced in the Setting Up an Application section of this document.

skey

The Secret key, as referenced in the Setting up An Application section of this document.

api_host

The API hostname, as referenced in the Setting up An Application section of this document.

radius_ip_1

The IP address of the Firebox that is connected to the Proxy.

radius_secret_1

A shared secret between the Proxy and the Firebox.

client

Set this value to radius_client so that the Proxy uses RADIUS for primary authentication.

Make sure a [radius_client] section as described previously is configured.

An example configuration file that uses RADIUS could look like this:

[radius_client]
host=192.168.4.19
secret=password
pass_through_all=true

[radius_server_auto]
ikey=DI54KMHOI2NRXD5CS1EE
skey=d5N6MrUumSOwkswtixafuEko9biaZGTvYHVA85ti
api_host=api-537a49ce.duosecurity.com
radius_ip_1=192.168.4.10
radius_secret_1=password
client=radius_client
port=1812
failmode=safe
pass_through_all=true

Start the Duo Authentication Proxy

On the Windows computer where the Duo Authentication Proxy is installed, open an Administrator command prompt and type this command:

net start DuoAuthProxy

Test the Integration

To test the integration of your Mobile VPN with SSL, authenticate with a mobile token on your mobile device. You can authenticate with a passcode or a push notification.

If you select the passcode authentication, you must type the password followed by a comma and append the passcode from the Duo Mobile App.

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

  1. Open your Mobile VPN with SSL client.
  2. In the Server text box, type the external IP address of the Firebox.
  3. Type your user name and password.
  4. Click Connect.
  5. Approve the authentication request that is sent to your mobile device.
    You are logged in successfully.
  6. Screenshot of the Mobile VPN with SSL connection details