08-13-2024 08:20 AM
Would it be possible to configure Multi-Factor Authentication (MFA with Duo) with Always On VPN (AnyConnect) using a certificate encrypted via TPM? Also, this authentication should happen in the background, without Duo sending tokens to the devices for further authentication by giving the token codes.
08-13-2024 01:59 PM
Disclaimer: I don't know a lot about Meraki Firewall authentication; I'm a Duo person.
When someone connects the VPN with a certificate in your config today, is that the only authentication required, or do your users have to enter some credential info as well? If your Meraki firewall does not support chaining authentication sources (auth to A, then auth to B if A succeeds), then Duo 2FA and certificate auth may be mutually exclusive. I have only ever looked at a Meraki MX before, years ago, and to my recollection it did not support chained authentication.
If you can somehow chain cert auth so that it's followed by a Duo RADIUS (like https://duo.com/docs/meraki-radius) or LDAP authentication server, it will not be silent and will need the user to interact and satisfy a Duo MFA request upon connect/reconnect.
We also have a Duo SSO SAML app for MX https://duo.com/docs/sso-meraki-secure-client, but I think that using SAML is an either/or config as well.
Meraki support might be the better contact to confirm if your device supports certificate auth followed by external RADIUS or SAML authentication, or maybe someone else in the user community here knows for sure.
08-27-2024 02:11 AM
Hi Kristina, what level of Duo will I need for this use case? The customer also prefers to use Passwordless Duo with Duo Keys.
08-27-2024 05:50 AM
RADIUS integrations are available in all plans, including Duo free.
Duo Passwordless is only an option for Duo SSO SAML or OIDC applications. Duo SSO is available in all paid plans. When using a Duo SSO federation configuration with some thick client instead of a browser (like a VPN client), that client must be able to show the passive web login for SSO using the OS system browser for WebAuthn methods to work.
Compare plans: https://duo.com/editions-and-pricing
If you go to https://duo.com/docs there is a separate overview page for each paid plan.