cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
210
Views
0
Helpful
3
Replies

Duo Authentiction Proxy Integration

I am considering integrating Cisco Duo with PingOne's DaVinci orchestrator. I have a doubt that no one can solve for me. Can the Duo authentication proxy communicate with a gateway radius to connect it to DaVinci? Or can it communicate with davinci via https as if it were the duo cloud?

The davinci certainly has a connector that allows the duo cloud to be connected for mfa. Now my question is how can I connect the duo authentication proxy to davinci

I am attaching a figure of the use case to explain better.

DaVinci Duo.png

3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

I don't entirely understand what kind of request you want to send to DaVinci, but the Duo proxy can only POST 2FA requests to and will only accept responses from Duo's cloud service.

>Or can it communicate with davinci via https as if it were the duo cloud?

No way.

Would DaVinci be brokering connection to the identity store for primary authentication? Like, this is a possible thing that could happen:

DuoKristina_0-1728505234721.png

 

 

Duo, not DUO.

I am trying via DaVinci to achieve a caching of the first authentication factor so that it does not ask duo for the second factor for a certain amount of time. DaVinci can do this via its no-code connectors.
On DaVinci's site there is this connector for Duo: https://docs.pingidentity.com/connectors/duo_connector.html
So now I was wondering if this use case could be feasible, from your picture I understand that so the Duo Authentication Proxy can communicate with the radius-gateway right?

DuoKristina
Cisco Employee
Cisco Employee

That Duo connecter for PingFederate is an implementation of our WebSDK to add browser-based Duo auth to PingFed logins when defined in a logon schema after PingFed handles primary auth. It does not use the Duo Authentication Proxy and has no relation to it.

You can deploy Duo Authentication Proxy for RADIUS one of three ways:

- the Duo proxy receives a radius access request from some app/device and performs both primary auth against an external LDAP server followed by secondary MFA (ad_client)

- the Duo proxy receives a radius access request from some app/device and performs both primary auth against an external RADIUS server followed by secondary MFA (radius_client)

- whatever the user is logging into performs primary authentication and the Duo proxy receives a radius access request from that app/device and only performs secondary MFA (duo_only_client). the authenticating app/service must support chained authentication sources/AAA

I think what you want might be possible if you use the duo_only_client config? If you are able to cache primary auth via DaVinci, then there should be no reason to request Duo auth again for the cached primary auth? 

Duo, not DUO.
Quick Links