This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM: Two-factor authentication with Duo Security

Hello,

I'm having a hard time to configure the two-factor authentication with Duo Security.

Following this KB : https://community.sophos.com/kb/en-us/127334

-> Here's the configuration of the proxy file :
[ad_client]

;IP DC

host=192.168.10.2

service_account_username=administrator

service_account_password=password

search_dn=DC=labo,DC=lan

security_group_dn=CN=techgrp,OU=Technique,DC=labo,DC=lan

 

[radius_server_auto]

ikey=ikeyDuoxxx

skey=skeyDuoxxx

api_host=api-duoxxx

;IP utm sophos :

radius_ip_1=192.168.10.100

radius_secret_1=password

failmode=safe

client=ad_client

port=1812

 

Sophos UTM : 

 
 
 
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: radius"
2017:09:08-16:22:02 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: radius, error: DENIED
2017:09:08-16:22:02 utm1 aua[23485]: timed out waiting for packet"
 
Can anyone help me or share a working configuration ?


This thread was automatically locked due to age.
  • I have duo security successfully working, but your going to be limited in what you can do with it.

     

    We can only get it to work with push notification and nothing else (using windows 10 standard vpn) as well there is only like a 10 second time period before windows closes the connection request. We say to our staff they need to have the application open, so they can accept the request within the 10 seconds.

     

    We have a windows radius server installed on our domain controller, which the DUO proxy authenticates incoming connections against.

     

    UTM > Duo Proxy > Radius > Active Directory

     

    What you should first do is have the radius server setup and working with the Sophos first, when you get that working, then look at adding the duo proxy.

     

    I need to document our setup, so I will do a guide in the next few days. Let me know if you have any questions in the mean time.

  • Just wondering, why would you have a RADIUS server between the Duo Proxy and AD. Can Duo Proxy not talk to the domain controller directly? Any specific reason for this design decision?

  • Here's a video that I made today on how to configure this - https://www.youtube.com/watch?v=lb2lgAaLelc

    The timeout value can also be increased if needed. Actually the recommendation is 120seconds.

  • Thanks for sharing your video but you are explaining how to set it up with an AD or additional RADIUS server.

    Here is a quote from duo.com/.../sophos-utm:

    “This Duo proxy server also acts as a RADIUS server — there’s no need to deploy a separate RADIUS server to use Duo.”

    How can I make the Duo proxy server also act as a RADIUS server to avoid installing a separate AD or RADIUS server?

    In other words, have Sophos UTM still handle authentication but also require Duo push.

     

    UPDATE: Now I realize why I can't do what I want. Sophos only has the following options for user authentication: Local, None and Remote. If I set up Duo using [duo_only_client], then Sophos and Duo authenticate the username only, no password needed.

    UPDATE 2: I added the Network Policy Service (NPS) to a Win 2012 Server for it's RADIUS server functionality and got everything up and running.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • DUO relies on radius.  UTM connects to it as a radius client.   If you  want to use active directory logins, you also need to connect the radius server to AD.

    a lot of complexity, so you will need to treat it as a learning opportuity.