cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
870
Views
2
Helpful
4
Replies

Certificate authentication with NPS and 2FA by Duo

eshaq786
Level 1
Level 1

Hi

I am trying to get Duo 2FA working on my NPS server which handles user certificate authentication from our VPN which is a windows client connecting into a Fortigate.

There doesnt seem to be a way to make this work. So far I have NPS working and authenticating correctly with user certificates. I just need to somehow add Duo 2FA into the mix. I already have a Duo Auth Proxy setup which handles RADIUS requests for other bits on our network but it doesnt seem to handle user certificate authentication.

Anyone know how I can make Duo work with certificate authentication from a VPN client?

1 Accepted Solution

Accepted Solutions

eshaq786
Level 1
Level 1

UPDATE:

Thought I would answer my own question as i appear to have got it working.

It does appear that the Duo Auth Proxy does support certificate authentication when that primary request is passed to an NPS server that is configured to accept certificate requests. The documentation doesn't explicitly say this though. You do just need to add the RADIUS portion in the auth proxy config. 

What i found was that the certificate request that is sent by the client essentially contains the username details in the request. It does essentially use a form of EAP-MSCHAPv2 which is documented but certificates are classed as EAP-TLS. Maybe Duo could update their documentation.

Either way, the username part is sent to the auth proxy which then sends it to another RADIUS server (NPS) which does a primary authentication check of the certificate. A success message is sent back to the auth proxy which does the final 2FA check before responding back to the client.

Also remember, your application needs to have normalisation turned on so that it is able to normalise usernames in whatever form received e.g. domain/username, username@domain, username, etc.

View solution in original post

4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

Duo RADIUS (the Authentication Proxy) doesn't support certificates for user authentication. So, if your config is like radius_server_auto with radius_client (where the Duo proxy RADIUS config passes an authentication to another RADIUS server for primary authentication), it needs to receive an actual username and password in the RADIUS packet to perform primary authentication.

What I would usually advise here is to configure the Duo Authentication Proxy for RADIUS 2FA only, so it doesn't try to perform primary authentication. The config for this is either radius_server_duo_only with no client value defined, or another RADIUS config like radius_server_auto with the client set to duo_only_client. With these configurations the authenticating device or service handles primary auth, direct to an AD/LDAP/RADIUS server or using certificates, and then only sends a secondary authentication request to Duo.

The catch is that this Duo-only config can only work with devices or services that can CHAIN authentication servers, as in, auth to server1 (primary auth) and then also auth to server2 (Duo); if server1 auth fails do not fail over to server2. I know 100% this config works on an ASA using certificates for users because I tried it. However, I am not sure that a FortiGate supports this. My last hands-on with a FortiGate was FortiOS 5 or 6, but my recollection was that it did failover auth and not chained auth when multiple auth servers are defined. You can check with Fortigate support.

Read more about Duo-only auth configs in the Authentication Proxy reference:

https://duo.com/docs/authproxy-reference#duo_only_client

https://duo.com/docs/authproxy-reference#radius-duo-only

Duo, not DUO.

eshaq786
Level 1
Level 1

UPDATE:

Thought I would answer my own question as i appear to have got it working.

It does appear that the Duo Auth Proxy does support certificate authentication when that primary request is passed to an NPS server that is configured to accept certificate requests. The documentation doesn't explicitly say this though. You do just need to add the RADIUS portion in the auth proxy config. 

What i found was that the certificate request that is sent by the client essentially contains the username details in the request. It does essentially use a form of EAP-MSCHAPv2 which is documented but certificates are classed as EAP-TLS. Maybe Duo could update their documentation.

Either way, the username part is sent to the auth proxy which then sends it to another RADIUS server (NPS) which does a primary authentication check of the certificate. A success message is sent back to the auth proxy which does the final 2FA check before responding back to the client.

Also remember, your application needs to have normalisation turned on so that it is able to normalise usernames in whatever form received e.g. domain/username, username@domain, username, etc.

Ah, OK. Yes, with MSCHAPv2/EAP the proxy just passes through the RADIUS packet as is to the upstream server and doesn't attempt to perform certificate auth itself.

Duo, not DUO.

I have the same situation. Thank you for coming back and posting this information.

Quick Links