
Duo on XG

Can somebody point me to some documentation on how to set up Duo on the XG with Radius?  I can only find info on UTM on both the Sophos sites and the Duo site...




  • https://community.sophos.com/xg-firewall/f/recommended-reads/124501/3-ways-to-setup-xg-18-with-duo-2fa

    I posted it yesterday; one of the methods is with RADIUS.

    There are other links there too.

  • This is an awesome write-up.

    I understand getting the AD CA cert and adding it to the config... but what are the SSL_KEY_PATH and SSL_CERT_PATH options for if I have added the SSL_CA_CERTS_FILE?

    I guess what I am asking is: to define these variables, I am searching Duo's site for their documentation and am coming up empty.

  • There are two LDAP connections taking place:

    1. XG to DUO Proxy - You have to create a self-signed certificate for this with a separate private key file. That's mydomain.key and mydomain.pem in my example. Instructions to create this are here: https://help.duo.com/s/article/2209?language=en_US

    2. DUO Proxy to Active Directory - This requires the CA cert.

  • Thanks, am I to understand that you cannot set this up with Radius+AD but you have to use Radius+LDAP? Can you share screenshots of the services tab? I am using SSLVPN, so in that section I am just selecting the Radius server... is that correct? Everything else is using the AD servers I have defined.

  • DUO clients are only RADIUS or LDAP (which connects to your AD). If I understand you correctly, you want to set up a RADIUS server in XG and have it authenticate against your AD. In that case you set up DUO with a RADIUS server and an LDAP client.

    LDAP is the mechanism of authenticating (as opposed to NTLM or Kerberos) - you are still authenticating against AD.

    The code for RADIUS+LDAP is below. Remember, there is no Groups support (everyone gets put in the default group) so VPN permissions have to be set for each user created. I have also changed the port back to 1812 (the standard) as there shouldn't be a clash with an existing RADIUS server - make sure your XG RADIUS setup uses the same port.

    In the services tab you just set the SSL VPN authentication methods to the Server name you have defined for RADIUS.

    [main]
    log_auth_events=true
    ; Default is false. Personally, I like to have a log.
    
    [ad_client]
    host=server1.mydomain.local
    ; service_account_username=
    ; service_account_password=
    ; username and password above are not needed as we are using sspi authentication
    ; see DUO documentation for details. You may wish to change this.
    search_dn=DC=mydomain,DC=local
    ; security_group_dn=CN=DUO Users,OU=Security Groups,DC=mydomain,DC=local
    ; I have commented out the above line but have it enabled in my setup
    ; It limits authentication to members of the specified group
    transport=ldaps
    ; Microsoft are (rightly) pushing people hard to move to LDAPS rather than LDAP
    ssl_ca_certs_file=MyDomainCA.pem
    ; This is a pem formatted copy of your domain certificate authority certificate.
    ; If it is not saved in the ‘conf’ folder you will have to specify full path.
    ; See DUO documentation for more info about this.
    auth_type=sspi
    ; See DUO documentation for details of different authentication types, you don’t
    ; have to use sspi
    
    [radius_server_auto]
    ikey=AKKLBAD89AKG3DJG82
    skey=KrLcC48eXYAcRGgy8Ew6S4Yom7muo8N4sRwD
    api_host=api-101d7231.duosecurity.com
    ; The above details are fake and should be replaced by your own DUO details.
    radius_ip_1=0.0.0.0/0
    radius_secret_1=mynpssecret
    failmode=secure
    ; failmode above set to your own requirements, see DUO documentation.
    client=ad_client
    port=1812
    client_ip_attr=NAS-IP-Address
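A small lint for the authproxy.cfg layout shown in the reply above (a radius_server_auto section fronting an ad_client section). This is an added example, not the poster's or Duo's code; the sample config is constructed from the reply with the Duo keys omitted, and the checks (client section exists, radius_ip/radius_secret pairing, any-source radius_ip, failmode, CA file when using LDAPS) are assumptions about what a reviewer would want flagged, not Duo's own validation.

```python
# Lint a Duo Authentication Proxy config (authproxy.cfg) laid out as in the reply
# above: a radius_server_auto section fronting an ad_client (AD over LDAPS) section.
import configparser
import ipaddress
import textwrap

# Constructed sample, modelled on the reply above; Duo keys omitted, the
# any-source radius_ip_1 kept so the lint has something to flag.
SAMPLE_CFG = textwrap.dedent("""\
    [ad_client]
    host=server1.mydomain.local
    search_dn=DC=mydomain,DC=local
    transport=ldaps
    ssl_ca_certs_file=MyDomainCA.pem
    [radius_server_auto]
    radius_ip_1=0.0.0.0/0
    radius_secret_1=mynpssecret
    failmode=secure
    client=ad_client
""")

def lint_authproxy(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    out = []
    for name in cfg.sections():
        sec = cfg[name]
        if name.startswith("radius_server"):
            if sec.get("client") not in cfg:  # the backing AD/LDAP section must exist
                out.append(f"{name}: client={sec.get('client')} is not a configured section")
            if sec.get("failmode", "safe") != "secure":  # Duo's default 'safe' fails open
                out.append(f"{name}: failmode is not 'secure'; logins pass if Duo is unreachable")
            for key, val in sec.items():
                if not key.startswith("radius_ip_"):
                    continue
                idx = key[len("radius_ip_"):]
                if f"radius_secret_{idx}" not in sec:  # each NAS needs its shared secret
                    out.append(f"{name}: {key} has no matching radius_secret_{idx}")
                try:
                    if ipaddress.ip_network(val, strict=False).prefixlen == 0:
                        out.append(f"{name}: {key}={val} accepts RADIUS from any source; pin it to the XG")
                except ValueError:
                    pass  # Duo also accepts dotted IP ranges, which this lint does not parse
        elif name.endswith("_client") and sec.get("transport", "clear") in ("ldaps", "starttls"):
            if not sec.get("ssl_ca_certs_file"):  # TLS with nothing to verify the DC against
                out.append(f"{name}: transport={sec['transport']} but no ssl_ca_certs_file set")
    return out
```

Run it against your real authproxy.cfg with `lint_authproxy(open(path).read())`; the sample only trips the any-source radius_ip_1 check.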
