3 ways to setup XG 18 with DUO 2FA

I've spent some time trying all the different ways to set this up and this post gives different ways to do this with advantages and disadvantages to each approach and some working configs (as of SFOS 18.0.3 MR-3). Although the article is titled “3 ways…” I have since added an additional configuration, so it is now 4 ways!

This isn’t meant to be an exhaustive guide to setting up DUO 2FA with XG. There are some useful guides listed in the next paragraph but I found the lack of examples made configuration much more difficult than it needed to be. Hopefully this will fill in the gaps in the existing documentation with real working examples.

Further information about DUO setup that I found useful is: https://duo.com/docs/authproxy-reference which details all the configuration options. There is also a Sophos UTM setup guide here: https://duo.com/docs/sophos-utm but it uses an LDAP client (rather than LDAPS) so is not very secure. Also, one of my alternative configurations may better suit your environment and requirements.

If you are using XG in an Active Directory environment, before you choose a method, it is worth understanding a little about usernames and Groups in XG. Commonly, you will have defined an AD Server in Authentication Servers and use that as your Firewall authentication method. Combined with Heartbeat and STAS, this will automatically identify your network users and create user accounts within XG. The user accounts are created in UPN (userPrincipalName) format, e.g. joe.bloggs@mydomain.com. You can combine this with Groups, to automatically assign the users to a Group and define permissions for that Group. Unfortunately, nearly all the other authentication methods, despite authenticating against AD, create a new user in SAN (sAMAccountName) format, e.g. joe.bloggs. Consequently, you end up with two user accounts for the same person, joe.bloggs@mydomain.cmo and joe.bloggs. Furthermore, these SAN format users are automatically created in the default group, which can’t be changed, so there is no group support. Therefore, each user has to be configured individually after they have first logged in. I believe that Sophos will address this limitation at some stage but that is the current situation. Only one of the methods I have detailed currently works with existing UPN users and allows full Groups support (although changes have been promised for V18.0 MR4).

DUO Proxy has a dual personality in that it supports both LDAP and RADIUS clients and LDAP and RADIUS servers. So, as well as ‘pure’ configs (LDAP server and client, or RADIUS server and client) you can mix and match. So, for instance, you can have a configuration where you connect to it via RADIUS but it authenticates against a backend LDAP server (and vice versa). The different configurations posted here use different combinations of LDAP and RADIUS in DUO Proxy.

If you are using a DUO Proxy configuration that utilises LDAP, you will need to do some certificate setup. If you are using DUO Proxy as an LDAP client, you will have to import your domain certificate authority certificate. It is commented in the config files below and details how to do it are in the first link at the start of this post. If you are using DUO Proxy as an LDAP server, you will need to generate a self-signed certificate. It is commented in the config files below and one way how to do it is given here: https://help.duo.com/s/article/2209?language=en_US

A word about LDAP and LDAPS. For proper security, all these configs are configured using LDAPS rather than LDAP (although I refer to it as LDAP throughout this post). If you haven’t already configured your AD for LDAPS then you will have to do this first. N.B. As part of their monthly updates, Microsoft will be rolling out an update that blocks LDAP by default (March 2021), so it is something worth doing anyway. There are plenty of internet articles explaining how to enable LDAPS on AD.

N.B. If you have any issues with your configs and DUO Proxy won’t start, check the DUO Proxy connectivity_tool.log for the reason.

A summary of the different methods of authentication with DUO Proxy:

XG AD Server, DUO LDAP client and server – only method that currently supports UPN users and Groups.

XG RADIUS Server, DUO RADIUS server and LDAP client – marginally the easiest to set up. Currently, this doesn’t support UPN users and Groups but this is planned for V18.0 MR4. If this change happens then this will probably be the best setup for most users.

XG LDAP Server, DUO LDAP client and server – can support UPN users but not Groups.

XG RADIUS Server, DUO RADIUS server and RADIUS client – probably only of interest if you have an existing RADIUS server you want to utilise for authentication.

XG AD Server, DUO LDAP client and server

This is the only method that currently matches existing UPN accounts and has Groups support. However, there is one issue that you need to be aware of. AD authentication in XG has a timeout of 5 seconds. In effect that means you have to respond to the DUO prompt immediately or suffer a login failure. This limits its usefulness; personally, I prefer this authentication method for its benefits but we use it for a small number of tech savvy people who can work with a 5 second limit. If you are interested in using this method, can I ask you vote for an adjustable timeout so that we can have longer than 5 seconds to log in? You can do it here: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/42133204-adjustable-timeout-for-active-directory-authentica

The only other issue with this method of authentication is that you have to run the DUO Proxy on a server other than your AD server as XG won’t allow you to setup two AD authentication servers with the same IP (I’m assuming that you already have a non-DUO AD authentication server for things like Firewall Authentication).

This setup allows users to log in with SAN or UPN format username and will match to (or create) a UPN format user.

In this configuration, the DUO Proxy runs on server2.mydomain.local, 192.168.1.2 the AD runs on server1.mydomain.local, 192.168.1.1

My DUO configuration file (I have removed settings that are for my specific requirements and irrelevant to this posting):

[main]
log_auth_events=true
; Default is false. Personally, I like to have a log.

[ad_client]
host=server1.mydomain.local
; service_account_username=
; service_account_password=
; username and password above are not needed as we are using sspi authentication
; see DUO documentation for details. You may wish to change this.
search_dn=DC=mydomain,DC=local
; security_group_dn=CN=DUO Users,OU=Security Groups,DC=mydomain,DC=local
; I have commented out the above line but have it enabled in my setup
; It limits authentication to members of the specified group
transport=ldaps
; Microsoft are (rightly) pushing people hard to move to LDAPS rather than LDAP
ssl_ca_certs_file=MyDomainCA.pem
; This is a pem formatted copy of your domain certificate authority certificate.
; If it is not saved in the ‘conf’ folder you will have to specify full path.
; See DUO documentation for more info about this.
auth_type=sspi
; See DUO documentation for details of different authentication types, you don’t
; have to use sspi

[ldap_server_auto]
ikey=AKKLBAD89AKG3DJG82
skey=KrLcC48eXYAcRGgy8Ew6S4Yom7muo8N4sRwD
api_host=api-101d7231.duosecurity.com
; The above details are fake and should be replaced by your own DUO details.
client=ad_client
failmode=secure
; failmode above set to your own requirements, see documentation.
api_timeout=30
ssl_port=636
ssl_key_path=mydomain.key
ssl_cert_path=mydomain.pem
; The above two entries assume you save the required certificate and private key
; in the DUO ‘conf’ folder. See documentation for creating certificate and key.
; If you don’t use the conf folder then the format is as below. N.B. There are no
; quotation marks even if the folders have spaces!
; ssl_key_path= C:\My Folder\Duo Security Authentication Proxy\mydomain.key
; ssl_cert_path=C:\My Folder\Duo Security Authentication Proxy\mydomain.pem
exempt_primary_bind=false
; The above is the correct setting for how XG works. Details in DUO documentation.

My XG Authentication Server configuration:

 

N.B. You don’t need an administrator account for the ADS user account. We setup a dedicated user account (ldapuser) for this purpose with a non-expiring password.

XG RADIUS Server, DUO RADIUS server and LDAP client

This configuration allows users to log in with SAN or UPN but currently will match or create an account in SAN format so will potentially create duplicate users and there will be no Group support (see start of article for more details). However, UPN and Group support is planned for V18.0 MR4. If this change happens then this will probably be the best setup for most users.

In this configuration, the DUO Proxy, and AD run on the same server, server1.mydomain.local, 192.168.1.1

My DUO configuration file (I have removed settings that are for my specific requirements and irrelevant to this posting):

[main]
log_auth_events=true
; Default is false. Personally, I like to have a log.

[ad_client]
host=server1.mydomain.local
; service_account_username=
; service_account_password=
; username and password above are not needed as we are using sspi authentication
; see DUO documentation for details. You may wish to change this.
search_dn=DC=mydomain,DC=local
; security_group_dn=CN=DUO Users,OU=Security Groups,DC=mydomain,DC=local
; I have commented out the above line but have it enabled in my setup
; It limits authentication to members of the specified group
transport=ldaps
; Microsoft are (rightly) pushing people hard to move to LDAPS rather than LDAP
ssl_ca_certs_file=MyDomainCA.pem
; This is a pem formatted copy of your domain certificate authority certificate.
; If it is not saved in the ‘conf’ folder you will have to specify full path.
; See DUO documentation for more info about this.
auth_type=sspi
; See DUO documentation for details of different authentication types, you don’t
; have to use sspi

[radius_server_auto]
ikey=AKKLBAD89AKG3DJG82
skey=KrLcC48eXYAcRGgy8Ew6S4Yom7muo8N4sRwD
api_host=api-101d7231.duosecurity.com
; The above details are fake and should be replaced by your own DUO details.
radius_ip_1=0.0.0.0/0
radius_secret_1=mynpssecret
failmode=secure
; failmode above set to your own requirements, see DUO documentation.
client=ad_client
port=1812
client_ip_attr=NAS-IP-Address

My XG Authentication Server configurations:

RADIUS Server

Unfortunately, editing this article won't allow me to add any images, so instead, the settings are:

Server type - RADIUS server
Server name - My RADIUS server (or whatever you want to call it)
Server IP - 192.168.1.1 (the IP of your AD server)
Authentication Port - 1812 (matches the config above and is the standard port for RADIUS)
Time-out - 30 (number of seconds to complete 2FA)
Enable accounting - not ticked
Shared secret - whatever it is set to in your config, in my example above it is mynpssecret
Enable additional settings - off

XG LDAP Server, DUO LDAP client and server, - and - XG RADIUS Server, DUO RADIUS server and RADIUS client.

The example configuration file allows both the above configurations in one DUO proxy configuration file. You can connect to it via LDAPS and it will authenticate against a backend AD server (via LDAPS). You can also connect to it via RADIUS and it will authenticate against a backend RADIUS server (in our case Microsoft’s NPS server). If you just want the LDAP solution, you can remove the [radius_client] and [radius_server_auto] sections from the config. If you just want the RADIUS solution, you can remove the [ad_client] and [ldap_server_auto] sections from the config.

The RADIUS configuration allows users to log in with SAN or UPN but will match or create an account in SAN format so will potentially create duplicate users and there will be no Group support (see start of article for more details). I have not included any details of setting up a RADIUS server as that is outside the scope of this post.

The LDAP configuration allows users to log in with SAN OR UPN. Which, depends on the setting of ‘Authentication attribute’ when you setup the server in XG. If you have a setting of ‘sAMAccountName’ then you can use SAN format username login, if you have a setting of ‘userPrincipalName’ then you can use UPN format username login.

If using ‘sAMAccountName’, this method will also match or create an account in SAN format. If using ‘userPrincipalName’, this method will match or create an account in UPN format BUT if there is an existing account it will overwrite any Group setting and change it to the default Group.

For these setups, I run DUO proxy on the same server as AD and our NPS (RADIUS) server. For that reason, you will see I am using non-standard ports, so it doesn’t clash with the existing services. If you are running DUO Proxy on a different server you can use the standard ports – just make sure the settings in the config match the settings on the XG.

In this configuration, the DUO Proxy, RADIUS server and AD all run on the same server, server1.mydomain.local, 192.168.1.1

My DUO configuration file (I have removed settings that are for my specific requirements and irrelevant to this posting):

[main]
log_auth_events=true
; Default is false. Personally, I like to have a log.

[ad_client]
host=server1.mydomain.local
; service_account_username=
; service_account_password=
; username and password above are not needed as we are using sspi authentication
; see DUO documentation for details. You may wish to change this.
search_dn=DC=mydomain,DC=local
; security_group_dn=CN=DUO Users,OU=Security Groups,DC=mydomain,DC=local
; I have commented out the above line but have it enabled in my setup
; It limits authentication to members of the specified group
transport=ldaps
; Microsoft are (rightly) pushing people hard to move to LDAPS rather than LDAP
ssl_ca_certs_file=MyDomainCA.pem
; This is a pem formatted copy of your domain certificate authority certificate.
; If it is not saved in the ‘conf’ folder you will have to specify full path.
; See DUO documentation for more info about this.
auth_type=sspi
; See DUO documentation for details of different authentication types, you don’t
; have to use sspi

[radius_client]
host=192.168.1.1
secret=mytopsecretpass
pass_through_all=true
pass_through_attr_names=Filter-Id

[ldap_server_auto]
ikey=AKKLBAD89AKG3DJG82
skey=KrLcC48eXYAcRGgy8Ew6S4Yom7muo8N4sRwD
api_host=api-101d7231.duosecurity.com
; The above details are fake and should be replaced by your own DUO details.
client=ad_client
failmode=secure
; failmode above set to your own requirements, see DUO documentation.
port=340
; custom port so it doesn’t clash with AD LDAP (see comments above)
api_timeout=30
ssl_port=637
; custom port so it doesn’t clash with AD LDAPS (see comments above)
ssl_key_path=mydomain.key
ssl_cert_path=mydomain.pem
; The above two entries assume you save the required certificate and private key
; in the DUO ‘conf’ folder. See documentation for creating certificate and key.
; If you don’t use the conf folder then the format is as below. N.B. There are no
; quotation marks even if the folders have spaces!
; ssl_key_path= C:\My Folder\Duo Security Authentication Proxy\mydomain.key
; ssl_cert_path=C:\My Folder\Duo Security Authentication Proxy\mydomain.pem
exempt_primary_bind=false
; The above is the correct setting for how XG works. Details in DUO documentation.

[radius_server_auto]
ikey=AKKLBAD89AKG3DJG82
skey=KrLcC48eXYAcRGgy8Ew6S4Yom7muo8N4sRwD
api_host=api-101d7231.duosecurity.com
; The above details are fake and should be replaced by your own DUO details.
radius_ip_1=0.0.0.0/0
radius_secret_1=mynpssecret
failmode=secure
; failmode above set to your own requirements, see DUO documentation.
client=radius_client
port=1814
; custom port so it doesn’t clash with RADIUS (NPS) server (see comments above)
pass_through_all=true
client_ip_attr=NAS-IP-Address

My XG Authentication Server configurations:

RADIUS Server

N.B. Non-standard Authentication port to match configuration file.

 

LDAP Server

N.B. Authentication attribute – This can be set to sAMAccountName or userPrincipalName. Accounts are created/matched to user accounts in the same name format (SAN or UPN).

N.B. You don’t need an administrator account for the ADS user account. We setup a dedicated user account (ldapuser) for this purpose with a non-expiring password.

N.B. Non-standard Port to match configuration file.



Added fourth method for using DUO Proxy with XG. Likely to become the best method if planned changes in V18.0 MR4 take place. Rewrote most of the opening section to better explain how DUO Proxy and XG work together.
[edited by: JasP at 11:07 AM (GMT -8) on 6 Dec 2020]
  • Hello JasP,

    Thank you for submitting this awesome post! I've moved to the XG Firewall Recommended Read section for increased visibility to our Community.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Awesome post, i wanted the AD Duo setup because of the naming and groups but ran in to the famous timeout for Duo push, in radius you can set the timeout but you have to react within 5 sec for AD. is there a way to set an timeout on AD as well? Maybe through (advanced) command line?

    Bart van der Horst


    Sophos XG v18 Certified Architect
    https://www.bpaz.nl

  • I also discovered this limitation after making the original post. From other posts, it appears it is not possible to change this. The original post has been edited to explain this limitation and also detail changes planed for RADIUS authentication, which, if implemented, should allow a method of authentication that won't have any of the current limitations.

  • Tested 18.0.4 today on my test rig. Domain set to local domain in radius setup. Works for known AD users, New vpn users are met with no vpn policy in the client. After logging in to the userportal (with AD Auth) the firewall sees the user correctly with Radius login.

    One thing user Known and New are placed in the default group after radius login. So one step forward more to take.

    Bart van der Horst


    Sophos XG v18 Certified Architect
    https://www.bpaz.nl

  • This is happening to me, any insight on getting users in to their correct groups, or did you just add the default group to be allowed to use VPN?  I have worked around this by adding individual users into the access list but that is not a sustainable solution in our size environment.

  • VPN (IPsec) Does not create user today. This is a known limitation. 

    The IPsec Module can only check for the current user base. This should be fixed with a upcoming MR release (ETA currently not known).

    __________________________________________________________________________________________________________________

  • Hello JasP,

    Followed your guide for the LDAP configuration for Cisco DUO. Upon testing, when user is logging in on the User Portal and SSLVPN, DUO does not prompt a MFA on the device. It just passes thru on the authentication part. Tried also adding ,push/,sms/,phone in the password, but still no prompt on the device. Did you encounter this issue? I've replicated it on my lab and having the same result.

  • If I've understand you correctly, you are saying that it passes authentication without the 2FA prompt.

    What is your Duo 'New User policy' in the RADIUS application settings in your Duo account? The default is 'Deny access' but do you have it set to "Allow access without 2FA'? Have you checked the Duo logs in your account to see what username is trying to authenticate and checking it matches the usernames/aliases you have setup in the Duo account?

    If this doesn't guide you to a solution, can you let me know the answers to the above and post your Duo Proxy config, suitably redacted?

  • Hi Jasp,

    Got it working now. I just found out that you need to exempt the service account that you will be using in Sophos XG (exempt_ou_1). Then add this one "exempt_primary_bind=false". After that, everything works now.

  • This shouldn't be necessary. It isn't completely clear which method you have setup when you say "Followed your guide for the LDAP configuration" as LDAP can be part of several of the configs but I'm assuming you are referring to " XG LDAP Server, DUO LDAP client and server " as that is the only fully LDAP config.

    I assume from what you are posting that "exempt_ou_1" is the account you are using for the "Bind DN" in your XG server setup. This should be an account set up in your LDAP source (whether that is Active Directory or another LDAP server). This account doesn't need any special privileges on the LDAP server, it just has to be valid.

    With the config as I posted, this is what happens:

    1. XG first passes "exempt_ou_1" details (The Bind DN account you are using) to DUO Proxy which connects to LDAP with those credentials. This primary login/bind is exempted from 2FA so doesn't get passed to your DUO account for 2FA. This account is only to connect to LDAP and doesn't exist as a DUO user. That is why the default is "exempt_primary_bind=true"
    2. XG then passes the login details from the SSL login to DUO Proxy. DUO Proxy authenticates these details against LDAP and then passes then to your DUO account for 2FA.

    As you can see from this description, it shouldn't be necessary to make the changes you have made but without details of your DUO Proxy config and your Sophos XG server setup, I can't advise further.