Duo setup with VPN remote access

My goal is to primary auth the user with LDAP, then second auth with a Duo push. The confusing part is that there is RADIUS configuration required, even though I only want to use LDAP w/ Duo. Not sure I understand why, but any configuration examples would be helpful!!

Here is mine today:

[ad_client]
host=1.2.3.4 (AD server IP)
service_account_username=ad-admin
service_account_password=ad-admin-password
search_dn=DC=domain,DC=com
security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com"

[radius_server_auto]
ikey=ikey_from_duo_console
skey=skey_from_duo_console
api_host=api-123456789.duosecurity.com
radius_ip_1=checkpoint_gw1
radius_ip_2=checkpoint_gw2
radius_secret_1=secret1
radius_secret_2=secret2
client=ad_client
port=1812
failmode=secure

I am seeing in the firewall logs that the RADIUS server is not responding, but I am guessing that just means it cannot properly authenticate my account. I know network-wise the gateways can reach the Duo proxy server.


Have you followed the guide Duo has for this? https://duo.com/docs/checkpoint

I did, after a few tweaks I am up and working. Crazy enough, my fix was to remove the double quotes from the security dn. 

security_group_dn=CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com
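
A pre-deployment check for the mistake fixed above, as an added example that is not part of the original posts and is not Duo's own tooling. It assumes the file can be read with Python's `configparser`, which keeps surrounding quotes as part of the value, and that `client` names a section in the same file, as `client=ad_client` does in the posted config; `lint_authproxy` and the sample values are constructed for illustration.

```python
import configparser
import re

# Constructed sample modelled on the config posted in this thread.
SAMPLE_CFG = """\
[ad_client]
host=1.2.3.4
search_dn=DC=domain,DC=com
security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com"

[radius_server_auto]
radius_ip_1=checkpoint_gw1
radius_ip_2=checkpoint_gw2
radius_secret_1=secret1
client=ldap_client
failmode=secure
"""

def lint_authproxy(text):
    """Return a sorted list of (section, key, problem) findings."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        items = dict(cfg.items(section))
        for key, value in items.items():
            # INI parsing does not strip quotes; they stay inside the value,
            # so a quoted DN no longer matches the directory entry.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                findings.append((section, key, "value wrapped in quotes"))
            # Each radius_ip_N on the page is paired with a radius_secret_N.
            m = re.fullmatch(r"radius_ip_(\d+)", key)
            if m and f"radius_secret_{m.group(1)}" not in items:
                findings.append((section, key, "no matching radius_secret"))
        # Assumption: 'client' must name a section present in this file.
        client = items.get("client")
        if client is not None and not cfg.has_section(client):
            findings.append((section, "client", f"unknown section [{client}]"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_authproxy(SAMPLE_CFG):
        print(*finding, sep=": ")
```

Run it against a copy of authproxy.cfg before restarting the proxy service; an empty result means none of these three mistakes is present.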

Hi Tim,

Did you manage to get Duo to work with Push instead of OTP?


Yes!

Thanks, is there a way to perform a push option without using the "Password,push"?

I find it quite annoying and I would be happy to allow a seamless and cleaner user experience to our users.


Yes, in the [radius_server_auto] portion of your authproxy.cfg file you would just add this: 

factors = push

You can add many factors to it, but I prefer and only use push. 