Duo Authentication Proxy Manager Configuration

jeremy81
Level 1

I have a free trial for the Cisco DUO Admin portal, and I'm trying to set up the Authentication Proxy. We have an Active Directory Server but not a RADIUS Server. My understanding is that we don't need a separate RADIUS Server, since Duo will act as a Proxy, and we can use Active Directory.

We are trying to get some sort of 2FA working with network devices that will authenticate through a RADIUS Server, such as Linux Servers and Network Switches/Routers.  I haven't gotten the RADIUS authentication working yet.  We have an Active Directory Server and a separate Server running the DUO Authentication Proxy software.  These 2 Servers are in the same network and can ping each other, but the Authentication Proxy Server is not joined to the domain.

I have finished the configuration and when I validate the configuration, there are no problems found.

The main question I have is about the [radius_server_auto] section of the configuration file:

1.  For the 'radius_ip_1' entry, what IP is needed?  It's not very clear to me if this is supposed to be the IP of the Active Directory Server, Authentication Proxy Server, a completely separate RADIUS Server that we don't have, or something else.

-I have tried entering different IPs; Active Directory Server or DUO Authentication Proxy.  I restart the Service whenever I make any changes.  So far, I have been unable to authenticate to the RADIUS Proxy.  

Any help would be greatly appreciated.

4 Replies

https://duo.com/docs/authproxy-reference#radius-auto


radius_ip_1 is the IP or IP range of the boxes that are allowed to use the proxy as a RADIUS server.
radius_secret_1 is the secret that box will use.

So if your switch has a management IP of 172.16.1.5, that's the IP you put here.

All of the various pieces are described on that page I referenced.

DuoKristina
Cisco Employee

Are you following the steps in https://duo.com/docs/radius? 

You need an [ad_client] section pointing to your AD DC (https://duo.com/docs/radius#active-directory), and then as Ken suggests you put the info about the downstream RADIUS device in the [radius_server_auto] section (https://duo.com/docs/radius#configure-the-proxy-for-your-radius-device).

Duo, not DUO.

jeremy81
Level 1

Thank you!  Entering the IPs of devices allowed to connect makes more sense.
-Is it possible to enter an IP range or allow all, or anything like that, or is it individual IPs only?  What are the syntax options?

I do have the [ad_client] section configured.

Syntax options are in the link I sent earlier.
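
The mix-up discussed in this thread (putting the AD server's or the proxy's own IP in radius_ip_1 instead of the RADIUS client device's IP) can be caught with a small pre-flight check. This is an added example, not part of any reply above and not Duo's code; it assumes authproxy.cfg parses as plain INI, and the sample config, addresses, and the function name `lint_radius_clients` are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample authproxy.cfg; every address, key and secret is a placeholder.
SAMPLE_CFG = """
[ad_client]
host=10.0.0.10
service_account_username=duoservice
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
radius_ip_1=172.16.1.5
radius_secret_1=PLACEHOLDER_SWITCH_SECRET
radius_ip_2=10.0.0.10
"""

def lint_radius_clients(cfg_text, proxy_ip):
    """Return findings for radius_ip_N entries in [radius_server_auto]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    section = cfg["radius_server_auto"]
    # The primary authenticator (AD) lives in the section named by client=.
    ad_host = cfg.get(section.get("client", "ad_client"), "host", fallback=None)
    findings = []
    for key, value in section.items():
        if not key.startswith("radius_ip_"):
            continue
        n = key.rsplit("_", 1)[1]
        # Each allowed client entry needs its own shared secret.
        if f"radius_secret_{n}" not in section:
            findings.append(f"{key}: no matching radius_secret_{n}")
        try:
            ip = str(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue  # not a single address (e.g. a range); not checked here
        if ip == ad_host:
            findings.append(f"{key}: {ip} is the AD server, not a RADIUS client")
        elif ip == proxy_ip:
            findings.append(f"{key}: {ip} is the proxy's own address")
    return findings

if __name__ == "__main__":
    for finding in lint_radius_clients(SAMPLE_CFG, proxy_ip="10.0.0.20"):
        print(finding)
```
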