Hi,
Does the Duo + Check Point integration support the Remote Access VPN client?
According to the integration guide it supports only "Check Point Mobile Access":
https://duo.com/docs/checkpoint#configure-your-check-point-mobile-access-vpn
I want to make sure it is supported, or that someone has experience with it, before I start a POC.
It is supported. Just completed a test recently if you need help with configuration.
When integrating with the full client it is actually much simpler. Simply define the auth method as Radius under VPN Clients > Authentication.
Duo handles the AD auth and the 2FA prompt assuming you are using their proxy.
You do not need to use any of the Mobile Access specific instructions mentioned.
Pro tip: do not use spaces in the RADIUS object name. 🙂
Hope this helps!
I am having a bear of a time setting this up; any tips would help. I just can't get the Duo push to happen.
My goal is to do primary auth of the user with LDAP, then second auth with a Duo push. The confusing part is that there is RADIUS configuration required, even though I only want to use LDAP. Not sure I understand why, but any configuration examples would be helpful!!
Here is mine today:
[ad_client]
host=1.2.3.4 (AD server IP)
service_account_username=ad-admin
service_account_password=ad-admin-password
search_dn=DC=domain,DC=com
security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com"
[radius_server_auto]
ikey=ikey_from_duo_console
skey=skey_from_duo_console
api_host=api-123456789.duosecurity.com
radius_ip_1=checkpoint_gw1
radius_ip_2=checkpoint_gw2
radius_secret_1=secret1
radius_secret_2=secret2
client=ad_client
port=1812
failmode=secure
Please share screenshots of your RADIUS server object and VPN Clients > Authentication settings... I tried to send my setup but they didn't come through. See my attachments...
Also make sure you have usernames in Duo that match your AD users.
@Jeff_Engel Attached are my screenshots. I actually had a slightly different configuration in the VPN > Authentication settings, but I corrected it to match yours.
Also confirmed that the user names in Check Point match the user names in AD.
Thanks Tim. The only thing that I have set differently in my authproxy.cfg is my failmode, which is set to 'safe'. I would also run tcpdump on the active gateway (if in a cluster) and make sure you see the RADIUS request being made and being responded to by the Duo proxy server.
@Jeff_Engel thank you.
I ended up starting from scratch and was getting LDAP lookup errors in the Duo proxy log.
I made the assumption that, since my AD lookup was using a group name with spaces, i.e. Duo Checkpoint Users, I had to put the group in quotes in the authproxy config file, such as:
security_group_dn=CN="Duo Checkpoint Users,OU=Groups,DC=example,DC=com"
On a whim, I removed the double quotes and it worked!!
security_group_dn=CN=Duo Checkpoint Users,OU=Groups,DC=example,DC=com
@Tim_McColgan Great to hear!
Hello,
Can I use an access role? Is it necessary to create the user inside Check Point management? I'm confused about this.
I get the error "RADIUS servers not responding", but from the connectivity tool check everything is OK.
Where are you seeing the 'servers not responding' message?
Easy thing to check is to ensure the security gateways are not being blocked from communicating with the duo proxy server. TCPDUMP is the best way from the gateways.
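As an added example (not part of this thread, and not Duo's or Check Point's code), here is the RADIUS exchange that the tcpdump check above should show, reconstructed offline in Python from RFC 2865: the gateway side builds an Access-Request with a hidden User-Password, the proxy side answers Access-Accept or Access-Reject, and the gateway verifies the Response Authenticator before trusting the answer. The user, password, shared secret and identifiers are constructed placeholders. A reply sealed with a different shared secret fails that check, and the RFC says such a reply is silently discarded, so from the gateway's side a secret mismatch between the RADIUS object and authproxy.cfg can look exactly like no answer at all. MD5 appears here because that is the construction RFC 2865 specifies, not a design choice.

```python
# Added example, not from the thread or from Duo/Check Point: a minimal RADIUS
# Access-Request / Access-Accept exchange per RFC 2865, built and checked
# offline. Everything (user, password, secret, identifiers) is constructed.
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple and XOR
    each block with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the previous *ciphertext* block feeds each key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         req_auth: Optional[bytes] = None) -> bytes:
    """What the gateway sends to the proxy: Code 1, Identifier, Length, a 16-byte random
    Request Authenticator, then the User-Name and hidden User-Password attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV list; reject lengths that would run past the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_reply(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """What the proxy answers: Access-Accept or Access-Reject with no attributes, sealed by
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(user, "").encode()
    ok = bool(expected) and hmac.compare_digest(given, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Gateway-side check: trust the reply only if its Response Authenticator was computed
    over this request's authenticator with the same shared secret."""
    if len(reply) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"placeholder-shared-secret"                  # constructed
    users = {"alice": "Correct-Horse-Battery-Staple"}      # constructed directory
    req = build_access_request(7, "alice", users["alice"], secret)
    rep = server_reply(req, secret, users)
    print("reply code", rep[0], "verified", verify_reply(rep, req, secret))
```

Running the block prints reply code 2 (Access-Accept) and verified True. Swapping the secret in the last call flips the verification to False even though a well-formed reply came back, which is the case the tcpdump check alone cannot distinguish from a healthy exchange.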
Hello Jeff,
Just fixed it: the server was blocking the FW requests despite ping working and an empty iptables rule list.
Disabling iptables fixed the issue.
Thank you.
Great, thanks for the update!
Hi,
I had the same problem, where I wasn't getting the needed push. Are you using an NPS server, and if so, is it located on your Duo proxy? If yes, disable NPS. I also discovered, with help from Duo support, that this section in your config file wasn't needed; only the domain name was.
Try removing it, save the config file, restart the Duo services and see if you then get the needed push:
security_group_dn="CN=Duo Checkpoint VPN,OU=Groups,DC=domain,DC=com"
Also, to help confirm that you don't have any misconfigs or errors, make sure to run the connectivity tool and check the logs. The tool is run from the command window as an administrator; if everything is green, your RADIUS server is in good shape. If you get any error, make a note of it, correct it and re-run the test.
For Windows:
"C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_connectivity_tool.exe"
Linux:
sudo /opt/duoauthproxy/bin/authproxy_connectivity_tool
The last thing is to make sure the service account that you are using has the needed rights (read, write, list).
Hope this helps.
Do you know if Duo works with the Check Point small business appliances? I have an open case right now for the Check Point 790 appliance and we are unable to get this working. Support (Check Point support) is saying only FreeRADIUS is known to work with the appliance? Even the latest 1500+ devices seem to have the same issue. It seems odd that a supported appliance would only work with FreeRADIUS.
I wanted to reach out since this was just 2 months ago. I am working on this exact setup and my setup appears to be the same as yours. We are running R80.30 and the most up-to-date Mobile Access client. The Duo proxy is on its own internal Server 2016 in the same VLAN as our AD server. Password changes worked before implementing Duo RADIUS, but now we are running into issues.
We cannot get password changes to go through ever since setting up Duo RADIUS. Are you able to change passwords over VPN with your setup? I am working with support and have a TAC case open, but am not having luck getting it working.
Any information would be helpful.
Hello, I will be honest, we have not come across changing passwords over VPN; my guess is we will run into this eventually. However, at this time I only have about a dozen users utilizing Duo for Check Point VPN, as we are continuing to test.
As of today users just change their passwords when they login to their machine when they are in the office and on the LAN (yes we are back in the office). I am assuming you are fully remote at this time. However, we are not.
We are also back in the office for the most part. However, we have sales staff based from their homes across the US, which is where it came up. We currently only have a small test group (mainly IT) enrolled in Duo. However, since it is now used as the RADIUS server to authenticate all VPN users, they are unable to change a password when connected to the VPN, so we have had to instruct them to reconnect to the Cisco VPN client to change their passwords.
As of now, the only way I found for password change and Duo Mobile to work is through RADIUS only.
You need to allow Duo to authenticate the user in AD via RADIUS and not LDAP.
Once done, after password expiration the user will be prompted to change the password on the VPN login screen.
After the password change they will receive a Duo notification; if the new password meets the requirements they will reach the VPN screen, if not they will go back to the home screen to start over.
As for now, the only way I found to get Change Password to work with Duo Mobile is to allow Duo to authenticate the user via RADIUS to AD instead of LDAP or LDAPS.
What needs to be done is to configure [radius_server_auto], add the line "client=radius_client", and then configure [radius_client].
Once done, when a user connects to the VPN with an expired password, the user will be prompted to change the password.
After changing the password the user will receive a Duo notification that he will need to approve. Only then, if the password meets the requirements, will the user continue to the regular VPN screen; otherwise he will go back to the login screen and attempt to change the password again.
@Sal-E, what are you using as a RADIUS server in this scenario, MS NPS?
Yes, with MS-CHAP v2.
It works. 🙂
Using it myself.
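Pulling the configuration advice in this thread together (the authproxy.cfg posted earlier, the quoting fix for security_group_dn, and the [radius_client] variant described just above for password changes), here is an added example of a small linter for the pitfalls discussed. It is written for this page and is not code from Duo or from any poster. It runs Python's configparser over two constructed sample configs whose secrets and addresses are placeholders; the [radius_client] keys (host, secret) are as I know them from Duo's documentation, so confirm them against your proxy version.

```python
# Added example, not code from the thread or from Duo: a small linter for the
# authproxy.cfg pitfalls discussed in this thread. configparser reads the same
# INI layout the Duo Authentication Proxy uses, so a real file can be passed in.
import configparser
from typing import List

# Constructed sample in the same shape as the config posted in the thread; every
# credential and address is a placeholder. It deliberately carries two of the
# thread's mistakes: quotes around security_group_dn and a radius_ip_2 without
# its matching radius_secret_2.
LDAP_CFG = """
[ad_client]
host=192.0.2.10
service_account_username=ad-admin
service_account_password=placeholder-password
search_dn=DC=example,DC=com
security_group_dn="CN=Duo Checkpoint Users,OU=Groups,DC=example,DC=com"

[radius_server_auto]
ikey=ikey_from_duo_console
skey=skey_from_duo_console
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=placeholder-secret-1
radius_ip_2=192.0.2.2
client=ad_client
port=1812
failmode=secure
"""

# The RADIUS-client layout from the password-change discussion: primary auth is
# forwarded to an existing RADIUS server (e.g. NPS) instead of LDAP. The
# [radius_client] keys are assumed from Duo's documentation; verify for your version.
RADIUS_CLIENT_CFG = """
[radius_client]
host=192.0.2.20
secret=placeholder-nps-secret

[radius_server_auto]
ikey=ikey_from_duo_console
skey=skey_from_duo_console
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=placeholder-secret-1
client=radius_client
port=1812
failmode=safe
"""


def parse_cfg(text: str) -> configparser.ConfigParser:
    """Parse authproxy.cfg text; interpolation is off because secrets may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_cfg(cp: configparser.ConfigParser) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    problems: List[str] = []
    for name in cp.sections():
        sec = cp[name]
        if name.startswith("ad_client"):
            dn = sec.get("security_group_dn", "")
            # The fix that worked in the thread was removing the quotes: the DN is
            # taken literally, spaces and all, and quote characters become part of it.
            if '"' in dn or "'" in dn:
                problems.append(f"[{name}] security_group_dn contains quote characters; remove them")
            for key in ("host", "service_account_username", "service_account_password", "search_dn"):
                if not sec.get(key):
                    problems.append(f"[{name}] missing {key}")
        elif name.startswith("radius_client"):
            for key in ("host", "secret"):
                if not sec.get(key):
                    problems.append(f"[{name}] missing {key}")
        elif name.startswith("radius_server_auto"):
            client = sec.get("client", "")
            if not client:
                problems.append(f"[{name}] missing client=")
            elif client not in cp:
                problems.append(f"[{name}] client={client} names a section that does not exist")
            for key in ("ikey", "skey", "api_host"):
                if not sec.get(key):
                    problems.append(f"[{name}] missing {key}")
            if sec.get("failmode", "safe") not in ("safe", "secure"):
                problems.append(f"[{name}] failmode must be 'safe' or 'secure'")
            # Every radius_ip_N (a gateway allowed to talk to the proxy) needs its own
            # radius_secret_N, and vice versa; cluster members are commonly listed this way.
            ips = {k[len("radius_ip_"):] for k in sec if k.startswith("radius_ip_")}
            secrets = {k[len("radius_secret_"):] for k in sec if k.startswith("radius_secret_")}
            for n in sorted(ips - secrets):
                problems.append(f"[{name}] radius_ip_{n} has no radius_secret_{n}")
            for n in sorted(secrets - ips):
                problems.append(f"[{name}] radius_secret_{n} has no radius_ip_{n}")
    return problems


def fixed_ldap_cfg() -> str:
    """The LDAP sample with both planted mistakes corrected."""
    return LDAP_CFG.replace('"', "").replace(
        "radius_ip_2=192.0.2.2\n", "radius_ip_2=192.0.2.2\nradius_secret_2=placeholder-secret-2\n")


if __name__ == "__main__":
    for label, text in (("ldap", LDAP_CFG), ("ldap-fixed", fixed_ldap_cfg()),
                        ("radius-client", RADIUS_CLIENT_CFG)):
        print(label, lint_cfg(parse_cfg(text)) or "ok")
```

To use it on a real file, read the file into a string and pass it through parse_cfg and lint_cfg; the checks are intentionally conservative and only flag things the thread shows breaking (quoted DNs, dangling radius_ip/radius_secret pairs, a client= pointing at a section that is not there, an invalid failmode).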