This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM: Two-factor authentication with Duo Security

Hello,

I'm having a hard time to configure the two-factor authentication with Duo Security.

Following this KB : https://community.sophos.com/kb/en-us/127334

-> Here's the configuration of the proxy file :
[ad_client]

;IP DC

host=192.168.10.2

service_account_username=administrator

service_account_password=password

search_dn=DC=labo,DC=lan

security_group_dn=CN=techgrp,OU=Technique,DC=labo,DC=lan

 

[radius_server_auto]

ikey=ikeyDuoxxx

skey=skeyDuoxxx

api_host=api-duoxxx

;IP utm sophos :

radius_ip_1=192.168.10.100

radius_secret_1=password

failmode=safe

client=ad_client

port=1812

 

Sophos UTM : 

 
 
 
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Spawned child for authentication test"
2017:09:08-16:21:57 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test request: radius"
2017:09:08-16:22:02 utm1 aua[23485]: id="3006" severity="info" sys="System" sub="auth" name="Bind test failed. Method: radius, error: DENIED
2017:09:08-16:22:02 utm1 aua[23485]: timed out waiting for packet"
 
Can anyone help me or share a working configuration ?


This thread was automatically locked due to age.
Parents
  • Here's a video that I made today on how to configure this - https://www.youtube.com/watch?v=lb2lgAaLelc

    The timeout value can also be increased if needed. Actually the recommendation is 120seconds.

  • Thanks for sharing your video but you are explaining how to set it up with an AD or additional RADIUS server.

    Here is a quote from duo.com/.../sophos-utm:

    “This Duo proxy server also acts as a RADIUS server — there’s no need to deploy a separate RADIUS server to use Duo.”

    How can I make the Duo proxy server also act as a RADIUS server to avoid installing a separate AD or RADIUS server?

    In other words, have Sophos UTM still handle authentication but also require Duo push.

     

    UPDATE: Now I realize why I can't do what I want. Sophos only has the following options for user authentication: Local, None and Remote. If I set up Duo using [duo_only_client], then Sophos and Duo authenticate the username only, no password needed.

    UPDATE 2: I added the Network Policy Service (NPS) to a Win 2012 Server for it's RADIUS server functionality and got everything up and running.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Reply
  • Thanks for sharing your video but you are explaining how to set it up with an AD or additional RADIUS server.

    Here is a quote from duo.com/.../sophos-utm:

    “This Duo proxy server also acts as a RADIUS server — there’s no need to deploy a separate RADIUS server to use Duo.”

    How can I make the Duo proxy server also act as a RADIUS server to avoid installing a separate AD or RADIUS server?

    In other words, have Sophos UTM still handle authentication but also require Duo push.

     

    UPDATE: Now I realize why I can't do what I want. Sophos only has the following options for user authentication: Local, None and Remote. If I set up Duo using [duo_only_client], then Sophos and Duo authenticate the username only, no password needed.

    UPDATE 2: I added the Network Policy Service (NPS) to a Win 2012 Server for it's RADIUS server functionality and got everything up and running.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

Children