
Sophos UTM: Two-factor authentication with Duo Security

Hello,

I'm having a hard time configuring two-factor authentication with Duo Security.

Following this KB: https://community.sophos.com/kb/en-us/127334

Here's the configuration of the proxy file:
[ad_client]
;IP DC
host=192.168.10.2
service_account_username=administrator
service_account_password=password
search_dn=DC=labo,DC=lan
security_group_dn=CN=techgrp,OU=Technique,DC=labo,DC=lan

[radius_server_auto]
ikey=ikeyDuoxxx
skey=skeyDuoxxx
api_host=api-duoxxx
;IP utm sophos :
radius_ip_1=192.168.10.100
radius_secret_1=password
failmode=safe
client=ad_client
port=1812

Sophos UTM:

2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: radius"
2017:09:08-16:22:02 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: radius, error: DENIED
2017:09:08-16:22:02 utm1 aua[23485]: timed out waiting for packet"
 
Can anyone help me or share a working configuration?
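
The aua lines quoted in the post show a RADIUS bind test that fails five seconds after the request with "timed out waiting for packet", meaning no RADIUS reply arrived, which is a different condition from a reject. The following Python is an added example (not from the original post, Sophos or Duo): it pairs request and failure lines per aua PID, joins the `name=` value that wraps onto a second line, and classifies each failure. The last two sample lines (pid 23511) and the labels `no-reply` / `rejected` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: first four lines mirror the post; the last two (pid 23511) are hypothetical.
SAMPLE = '''\
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: radius"
2017:09:08-16:22:02 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: radius, error: DENIED
2017:09:08-16:22:02 utm1 aua[23485]: timed out waiting for packet"
2017:09:08-16:30:10 utm1 aua[23511]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: radius"
2017:09:08-16:30:10 utm1 aua[23511]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: radius, error: DENIED"
'''
LINE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ aua\[(\d+)\]: (.*)$')

def parse(text):
    """Return aua events, joining a name="..." value that wraps onto the next line."""
    events, open_ev = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        pid, rest = int(m.group(2)), m.group(3)
        if open_ev and open_ev["pid"] == pid and 'name="' not in rest:
            open_ev["msg"] += " " + rest.rstrip('"')   # continuation of a wrapped message
            open_ev = None if rest.endswith('"') else open_ev
            continue
        n = re.search(r'name="(.*)', rest)
        if not n:
            continue
        ev = {"ts": ts, "pid": pid, "msg": n.group(1).rstrip('"')}
        events.append(ev)
        open_ev = None if n.group(1).endswith('"') else ev   # unclosed quote: expect more
    return events

def triage(text):
    """Pair each bind-test request with its failure: (pid, seconds waited, cause)."""
    pending, results = {}, []
    for ev in parse(text):
        if ev["msg"].startswith("Bind test request"):
            pending[ev["pid"]] = ev["ts"]
        elif ev["msg"].startswith("Bind test failed") and ev["pid"] in pending:
            waited = (ev["ts"] - pending.pop(ev["pid"])).total_seconds()
            timed_out = "timed out waiting for packet" in ev["msg"]
            results.append((ev["pid"], waited, "no-reply" if timed_out else "rejected"))
    return results

if __name__ == "__main__":
    for pid, waited, cause in triage(SAMPLE):
        print(f"aua[{pid}] waited {waited:.0f}s -> {cause}")
```

A `no-reply` result points at reachability, the shared secret, or a second factor that was not approved before the UTM stopped waiting, rather than at rejected credentials.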


  • I have Duo Security successfully working, but you're going to be limited in what you can do with it.

    We can only get it to work with push notification and nothing else (using Windows 10 standard VPN); as well, there is only like a 10-second time period before Windows closes the connection request. We say to our staff they need to have the application open, so they can accept the request within the 10 seconds.

    We have a Windows RADIUS server installed on our domain controller, which the Duo proxy authenticates incoming connections against.

    UTM > Duo Proxy > RADIUS > Active Directory

    What you should first do is have the RADIUS server set up and working with the Sophos; when you get that working, then look at adding the Duo proxy.

    I need to document our setup, so I will do a guide in the next few days. Let me know if you have any questions in the meantime.

  • Just wondering, why would you have a RADIUS server between the Duo Proxy and AD? Can Duo Proxy not talk to the domain controller directly? Any specific reason for this design decision?
