Re: 2FA for VPN with Radius - remembering users to avoid MFA fatique

RohdeVonDaniosaur · ‎06-27-2024

Scenario
We want to add 2FA auth to our VPN connection.
We currently have a Meraki MX100 firewall handling the VPN connection, which talks to Windows NPS Radius server, that integrates with an Active Directory.

Status so far
I tried setting up your authentication proxy, and everything seems to be working fine with AD-auth and Duo 2FA push.

Remembering users to avoid MFA fatique
I am however concerned with auth fatigue. Our aim is only to prevent password spraying and other simple attacks, so having users approve 2FA requests every time they connect to VPN is overkill. Once when using a new device (or e.g. every 30 days per device) is enough.

From what I've read, its not possible to remember devices through Radius/Duo, and the Trusted Devices concept also doesn't apply in our scenario(?)
Can anyone confirm that it is not possible to limit the amount of 2FA pushes?

I'm looking at whats technically possible using Duo/Radius (I assume limitations in the Radius protocol might be the reason it is not possible).

Pulkit Mittal · ‎07-03-2024

Instead of the authentication proxy AD-auth, I suggest to configure Duo single sign-on on the Meraki secure client. Remember devices option works with the web based applications and using duo single sign-on we can achieve this.

Here is the document to do so: https://duo.com/docs/sso-meraki-secure-client

https://duo.com/docs/sso-meraki-secure-client#enable-remembered-devices

If you find this useful, please mark it helpful and accept the solution.

RohdeVonDaniosaur · ‎07-04-2024

I was specifically looking for on-premise Radius integration.
But thanks for the pointer - who knows what the future will bring