06-27-2024 02:11 AM
Scenario
We want to add 2FA auth to our VPN connection.
We currently have a Meraki MX100 firewall handling the VPN connection, which talks to a Windows NPS Radius server that integrates with Active Directory.
Status so far
I tried setting up your authentication proxy, and everything seems to be working fine with AD-auth and Duo 2FA push.
Remembering users to avoid MFA fatigue
I am however concerned with auth fatigue. Our aim is only to prevent password spraying and other simple attacks, so having users approve 2FA requests every time they connect to VPN is overkill. Once when using a new device (or e.g. every 30 days per device) is enough.
From what I've read, it's not possible to remember devices through Radius/Duo, and the Trusted Devices concept also doesn't apply in our scenario(?)
Can anyone confirm that it is not possible to limit the amount of 2FA pushes?
I'm looking at what's technically possible using Duo/Radius (I assume limitations in the Radius protocol might be the reason it is not possible).
07-03-2024 04:03 AM
Instead of the authentication proxy AD-auth, I suggest configuring Duo Single Sign-On on the Meraki Secure Client. The Remember devices option works with web-based applications, and using Duo Single Sign-On we can achieve this.
Here is the document to do so: https://duo.com/docs/sso-meraki-secure-client
https://duo.com/docs/sso-meraki-secure-client#enable-remembered-devices
If you find this useful, please mark it helpful and accept the solution.
07-04-2024 06:06 AM
I was specifically looking for on-premise Radius integration.
But thanks for the pointer - who knows what the future will bring
07-19-2024 06:39 AM
It's true, there is no way to remember the device with RADIUS nor is this planned today.