topic Re: Duo Authentication Proxy Manager Configuration in Deployment Strategy

Duo Authentication Proxy Manager Configuration

jeremy81 — Wed, 09 Oct 2024 16:22:59 GMT

I have a free trial for the Cisco DUO Admin portal, and I'm trying to setup the Authentication Proxy. We have an Active Directory Server but not a RADIUS Server. My understanding is that we don't need a separate RADIUS Server, since Duo will act as a Proxy, and we can use Active Directory.

We are trying to get some sort of 2FA working with network devices that will authenticate through a RADIUS Server, such as Linux Servers and Network Switches/Routers. I haven't gotten the RADIUS authentication working yet. We have an Active Directory Server and a separate Server running the DUO Authentication Proxy software. These 2 Servers are in the same network and can ping each other, but the Authentication Proxy Server is not joined to the domain.

I have finished the configuration and when I validate the configuration, there are no problems found.

The main question I have is about the [radius_server_auto] section of the configuration file:

1. For the 'radius_ip_1' entry, what IP is needed? It's not very clear to me if this is supposed to be the IP of the Active Directory Server, Authentication Proxy Server, a completely separate RADIUS Server that we don't have, or something else.

-I have tried entering different IPs; Active Directory Server or DUO Authentication Proxy. I restart the Service whenever I make any changes. So far, I have been unable to authenticate to the RADIUS Proxy.

Any help would be greatly appreciated.

Re: Duo Authentication Proxy Manager Configuration

Ken Stieers — Wed, 09 Oct 2024 19:40:05 GMT

https://duo.com/docs/authproxy-reference#radius-auto

Radius_ip_1 is the IP or IP range of the boxes that are allowed to use the proxy as a radius server.
Radius_secret_1 is the secret that box will use.

So if your switch has a management IP of 172.16.1.5,. that's the ip you put here.

All of the various pieces are described on that page I referenced.

Re: Duo Authentication Proxy Manager Configuration

DuoKristina — Wed, 09 Oct 2024 20:07:27 GMT

Are you following the steps in https://duo.com/docs/radius?

you need an [ad_client] section pointing to your AD DC (https://duo.com/docs/radius#active-directory), and then as Ken suggests you put the info about the downstream RADIUS device in the [radius_server_auto] section (https://duo.com/docs/radius#configure-the-proxy-for-your-radius-device).

Re: Duo Authentication Proxy Manager Configuration

jeremy81 — Wed, 09 Oct 2024 22:07:36 GMT

Thank you! Entering the IPs of devices allowed to connect makes more sense.
-Is it possible to enter an IP range or allow all, or anything like that, or is it individual IPs only? What are the syntax options?

I do have the [ad_client] section configured.

Re: Duo Authentication Proxy Manager Configuration

Ken Stieers — Wed, 09 Oct 2024 22:59:05 GMT

Syntax options are in the link I sent earlier.