01-08-2020 07:04 AM
Hi All,
I had a read of this but unfortunately my issue is different:
So, I have 2 servers.
One is an AD/ADFS/LDAP Server, and another is the DUO Proxy server. DUO is working via ADFS SSO but now I am moving on to setting it up for LDAP for the Solarwinds dashboard.
I have set everything up to a tee following Duo's guide, added the ldap_server_auto, set up all keys, API etc. I set up a duoservices account (read-only and no admin rights) for Duo to use.
The proxy server connects fine and I am not seeing any issues between the proxy and the main DC server.
Internally, 389/636 both connect, 443 is allowed on both servers inbound and outbound, and 636 is allowed through the firewall, which I can see being allowed. Windows Firewall is activated, so I added 636 as an inbound port to this, but I still cannot telnet over to the server from my own PC on port 389 or 636, which is strange.
While the Solarwinds nable dashboard uses port 443, I was told to open inbound 636, and on the firewall it's coming in; the logs are showing me hitting the server on both ports. I have also disabled Windows FW and still can't telnet.
This is what I have from Duo support:
So, the app would need to be able to reach the authentication proxy through your firewall to port 636 - Done this. Nothing's listening on 636, so is that possibly why I can't telnet? Do I need to purchase SSLs for this, or would Let's Encrypt work, or better yet, does the Duo proxy installer not bring SSLs with it?
The authentication proxy will need to communicate on either port 389/636 to your AD server depending on whether ldap/ldaps is used on your internal network. - This works fine.
The authentication proxy will need to be able to communicate outbound via port 443 to the Duo API. - This works fine.
Once this is set up, because the dashboard utilizes LDAP and is pointing directly to the DC server, would I need to change it so it points to the proxy server so it authenticates against Duo?
I thought I would ask here instead of going back to support as someone here may have a better understanding of connecting it all so I can use duo to authenticate in to the solarwinds dashboard.
Sorry for all my questions, still learning Duo and just want to get good at it.
Cheers,
James
01-10-2020 12:24 PM
Telnet is not a good test to see if the Authentication Proxy is listening for LDAP requests. Try LDP, ldapsearch, or another LDAP tool.
If you just want to see what ports are listening on your server, run netstat -na.
> So, the app would need to be able to reach the authentication proxy through your firewall to port 636 - Done this. Nothing's listening on 636, so is that possibly why I can't telnet? Do I need to purchase SSLs for this, or would Let's Encrypt work, or better yet, does the Duo proxy installer not bring SSLs with it?
The Authentication Proxy has OpenSSL built in. Did you configure a server certificate and key file for [ldap_server_auto] in the authproxy.cfg? The Duo proxy needs that to accept incoming LDAPS connections. I don't recommend a cert from Let's Encrypt unless you want to update it in the Authentication Proxy directory every 90 days.
> Once this is set up, because the dashboard utilizes LDAP and is pointing directly to the DC server, would I need to change it so it points to the proxy server so it authenticates against Duo?
Yes, you would point Solarwinds to the Duo Authentication Proxy using LDAP/389 (or LDAPS/636 if you configured SSL), and the Duo Proxy points to your AD DC in turn. When someone logs into the Solarwinds dashboard, the request goes to the Duo proxy. The Duo proxy contacts the DC to perform primary AD auth. If that succeeds, the Duo proxy contacts our service to begin the 2FA process.
You might want to give our LDAP instructions and the Authentication Proxy LDAP config info another look.
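To make the two points above concrete (a server certificate and key on the [ldap_server_auto] listener, and Solarwinds pointed at the proxy instead of the DC), here is an illustrative authproxy.cfg. It is an added example, not a file from this thread or from Duo's documentation: the hostnames, DN, file paths, and the redacted ikey/skey/api_host values are placeholders you would replace with your own.

```ini
; authproxy.cfg - added illustrative example, not from the original thread.
; All hostnames, DNs, paths and Duo credentials below are placeholders.

; Primary authentication: the proxy binds to AD with the read-only service account.
; This is where the proxy talks to the DC on 389 (or 636 if transport=ldaps is set).
[ad_client]
host=dc01.example.internal
host_2=dc02.example.internal
service_account_username=duoservices
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal
; To require LDAPS from the proxy to the DC instead of plain LDAP, uncomment:
; transport=ldaps
; ssl_ca_certs_file=C:\Program Files\Duo Security Authentication Proxy\conf\ad-ca.pem

; LDAP listener that Solarwinds is pointed at (instead of the DC).
; Plain LDAP on 389; LDAPS on 636 only works once ssl_key_path/ssl_cert_path are set.
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SKEY_FROM_DUO_ADMIN_PANEL
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Fail closed if the Duo API (outbound 443) is unreachable.
failmode=secure
port=389
ssl_port=636
; PEM-encoded server certificate and unencrypted private key for the LDAPS listener.
; The certificate's subject/SAN should match the name Solarwinds uses to reach the proxy,
; and the Solarwinds server must trust the CA that issued it (an internal CA is fine).
ssl_key_path=C:\Program Files\Duo Security Authentication Proxy\conf\ldapproxy.key
ssl_cert_path=C:\Program Files\Duo Security Authentication Proxy\conf\ldapproxy.pem
exempt_primary_bind=false
```

After restarting the Duo Authentication Proxy service, netstat -na on the proxy host should show LISTENING entries on 389 and 636; a plain telnet to 636 will still not show a banner, because the listener expects a TLS handshake first, so test it with ldapsearch or LDP against the proxy's hostname rather than with telnet. The only change on the Solarwinds side is then the LDAP server address and port: the proxy, not the DC, with the same bind DN and search base as before.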
01-10-2020 12:59 PM
Hi Kristina,
Thank you for your reply.
I should have closed this as I have resolved the issue now; bumped into a few others but I'm getting assistance through support.
I went through all the guides again and got everything working, kind of, haha.
Thank you
James