Integrate Duo with VMware VCSA 6.5 (VMware vCenter Server Appliance)?

TheZealous
Level 1

Hello guys,

I am in a position where I am unable to find a solution to roll out Duo with VMware VCSA 6.5 (VMware vCenter Server Appliance). I called Duo Support and they provided me with 2 solutions, using Proxy LDAP or RADIUS authentication. I reviewed the VMware documentation and found out that these 2 methods are not supported by VMware. https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-ACFFCBEC-6C1C-4BF9-9971-04AEE9362AFE.html

I am writing this post in the hope that anyone out there can shed some light on this problem. I am sure someone has already tried to implement DUO with their VMware environment. What is your solution and how did you do it, please?

Thanks,
T.

24 Replies

DuoKristina
Cisco Employee

While you’re right that VMware removed support for other RADIUS two-factor providers in vSphere (gotta love corporate synergy), LDAP authentication is still supported.

With that said, we don’t recommend or support Duo MFA with vCenter SSO because we found that in some vCenter configurations it’s trivially easy to bypass two-factor.

Thanks for trying Duo!

Duo, not DUO.

The vCenter SSO “Use Windows session authentication” does not apply to us because we use a different superadmin account with Domain Admins access to log in to vCenter instead of our regular login account.

I got the LDAP authentication working with DUO. However, I cannot get the DUO login screen to come up so that I can choose “Send a Push, Call me, or Enter a passcode” or choose Hardware tokens as the MFA method to log in. As soon as I enter my username and password and click login, I immediately get the Duo Push notification on my phone. It didn’t let me choose whether I can use my hardware token to log in. This will be an issue when we don’t have access to our phone or if the phone runs out of battery. Is there a way that I can get the Duo login screen to come up when using LDAP authentication, please?

Thanks,
T.

Sorry, there is no way to show the interactive, browser-based Duo Prompt in your configuration. The [ldap_server_auto] configuration implies exactly that: it defaults to automatic Duo auth request during ldap auth.

You can find a full explanation of which Duo factor types may be used with the Authentication Proxy’s LDAP server config in our LDAP application documentation.

Duo, not DUO.

Could you elaborate on how LDAP authentication is working with DUO?

I actually configured the Duo proxy (with AD over LDAP) as the default identity source successfully, but when logging into vCenter, it does not send me a push and fails right away.

BTW, I know duo, duo proxy are good - they are used for other services

Can you comment more on the nature of the bypass ability/support for vCenter SSO, or is that a support-case type of conversation? I don’t see a public KB/statement on the issues.

  1. You configure LDAP auth with vCenter pointing to the Duo Authentication Proxy.
  2. Users on Windows workstations may use integrated/SSPI authentication to sign into vCenter (the “Use Windows session authentication” option TheZealous mentioned earlier in this thread).
  3. Integrated/SSPI logins aren’t using vCenter’s Duo LDAP authenticator, so they don’t get 2FA.

This doesn’t apply if you’re in an environment where nobody can sign into vCenter with Windows pass-through creds.

Duo, not DUO.

TheZealous
Level 1

Thanks Kristina. In that case, do we have a workaround for the situation when my phone battery is dead and I have the hardware token with me?

Excerpt from linked documentation (emphasis mine):

When you enter your username and password, you will receive an automatic push or phone callback. Alternatively you can add a comma (",") to the end of your password, followed by a Duo passcode.

So, use the token passcode as your Duo passcode.

It’s also a good idea to have more than one device enrolled in Duo as a backup, like a landline or Google Voice number. Then you’d specify the other phone with password,phone2.

Duo, not DUO.
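The documented convention above (password, then a comma, then a passcode or a factor such as phone2) is easy to get wrong when you script or test it, so here is an added example, not from the original thread or from Duo's own proxy code, that models how such a submitted password string is split into the primary password and the Duo factor selection. The factor names (push, phone, sms, optional device number), the passcode lengths and the choice to split on the last comma are assumptions for illustration; the Duo LDAP application documentation is authoritative.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Suffixes that may follow the last comma (assumed set of factors; check the
# Duo LDAP application docs for the authoritative list).
FACTOR_RE = re.compile(r"^(push|phone|sms)(\d*)$", re.IGNORECASE)
# Hardware token and Duo Mobile passcodes are 6 digits, SMS passcodes 7,
# bypass codes 9; the 6-9 range here is an assumption for illustration.
PASSCODE_RE = re.compile(r"^\d{6,9}$")


@dataclass
class ParsedCredential:
    password: str          # primary (AD) password forwarded to the LDAP server
    factor: str            # "auto", "push", "phone", "sms" or "passcode"
    device: int = 1        # which enrolled device, e.g. "phone2" -> 2
    passcode: Optional[str] = None


def split_duo_factor(submitted: str) -> ParsedCredential:
    """Split what the user typed in the password field into the primary
    password and the Duo factor selection appended after a comma."""
    if "," not in submitted:
        # No suffix: ldap_server_auto falls back to an automatic push/phone call
        return ParsedCredential(password=submitted, factor="auto")

    # Split on the LAST comma so a password that itself contains commas
    # survives (assumption: the docs say the suffix goes at the end of the password).
    password, _, suffix = submitted.rpartition(",")
    suffix = suffix.strip()

    if PASSCODE_RE.fullmatch(suffix):
        return ParsedCredential(password=password, factor="passcode", passcode=suffix)

    match = FACTOR_RE.fullmatch(suffix)
    if match:
        device = int(match.group(2)) if match.group(2) else 1
        return ParsedCredential(password=password, factor=match.group(1).lower(), device=device)

    # Unrecognised suffix: assume the comma was part of the password itself
    return ParsedCredential(password=submitted, factor="auto")


def describe(parsed: ParsedCredential) -> str:
    """Human-readable summary of what the second factor would be."""
    if parsed.factor == "auto":
        return "automatic push or phone call to device 1"
    if parsed.factor == "passcode":
        return f"verify passcode {parsed.passcode} (hardware token, Duo Mobile or bypass code)"
    return f"{parsed.factor} to device {parsed.device}"


if __name__ == "__main__":
    # Constructed sample inputs matching the cases discussed in the thread
    for typed in ("hunter2", "hunter2,123456", "hunter2,phone2", "pa,ss,word,push"):
        p = split_duo_factor(typed)
        print(f"{typed!r:20} -> password={p.password!r:14} {describe(p)}")
```

The hardware-token case from the thread is the second sample: the six digits from the token replace the phone push entirely, which is what makes it work when the phone is dead.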

TheZealous
Level 1

This alternative work-around works. Thanks!

millerhd
Level 1

I’m trying to use Duo for vCenter as well. I understand the Use Windows Authentication issue; my plan is to disable that feature with the sso-config.sh option.

The issue I’m having is I can’t get LDAP to function correctly. I can get it to prompt me, but it keeps doing the binding login and the regular login as well, even if I specify the below for my domain.
exempt_primary_bind=false
exempt_ou_1=CN=ldaplookup,dc=acme,dc=org

If you were able to get this working for vCenter, what does your ldap_server section look like?

It would look like that, but the service account username in vCenter must also be in DN format, not just the sAMAccountName or UPN.

Duo, not DUO.

I do have the vCenter LDAP settings using a DN; however, it still keeps prompting me for Duo on the service account, then my account, then back to the server account, then mine. It’s an endless loop and never gets me in.

This is what I have for the LDAP setting in the proxy; does this look correct? I’m using a non-standard port as I have a few LDAP servers set up with the proxy.

[ldap_server_auto2]
client=ad_client
ikey=###
skey=###
■■■■
exempt_primary_bind=false
exempt_ou_1=CN=USER,CN=Users,DC=DOMAIN,DC=local
port=18225
failmode=secure

Nix that remark; it seems VMware was picky and not saving my DN change to the setup. It looks to be working now with the above setting and the user set up to be exempt in DN format.

Thank you!
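The loop millerhd hit, and Kristina's point that the service account in vCenter must be in DN format, come down to how the proxy matches a bind against exempt_primary_bind and the exempt_ou_N entries. The following is an added example, not code from the thread or from Duo's Authentication Proxy, that models that matching for vCenter's two binds (service/lookup account first, then the user). The DN parsing is deliberately simplified (no escaped commas or multi-valued RDNs) and the exemption semantics (exact user DN or anything beneath an OU) are assumptions for illustration; the sample DNs and the acme.org domain are constructed.

```python
from typing import Iterable, List, Tuple

RDN = Tuple[str, str]


def normalize_dn(dn: str) -> List[RDN]:
    """Parse a DN into case-folded, whitespace-trimmed (type, value) pairs.

    Simplified: escaped commas and multi-valued RDNs are not handled
    (assumption for illustration; a real proxy needs RFC 4514 parsing).
    """
    rdns: List[RDN] = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"not a DN: {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_dn(name: str) -> bool:
    try:
        normalize_dn(name)
        return True
    except ValueError:
        return False


def is_exempt(bind_name: str, exempt_entries: Iterable[str]) -> bool:
    """True if the bind name matches an exempt_ou_N entry, either exactly
    (a specific user DN) or because it sits beneath that OU (suffix match)."""
    if not is_dn(bind_name):
        # A bare sAMAccountName or UPN can never match a DN-based exemption;
        # this is why vCenter's service account must be entered in DN form.
        return False
    bind = normalize_dn(bind_name)
    for entry in exempt_entries:
        exempt = normalize_dn(entry)
        if len(bind) >= len(exempt) and bind[len(bind) - len(exempt):] == exempt:
            return True
    return False


def needs_second_factor(bind_name: str, exempt_entries: Iterable[str],
                        exempt_primary_bind: bool = True,
                        is_primary_bind: bool = False) -> bool:
    """Decide whether a bind is sent to Duo, modelling the two settings used
    in the thread (assumed semantics): exempt_primary_bind and exempt_ou_N."""
    if exempt_primary_bind and is_primary_bind:
        return False
    return not is_exempt(bind_name, exempt_entries)


def vcenter_login(service_account: str, user_dn: str, exempt_entries: Iterable[str],
                  exempt_primary_bind: bool) -> List[Tuple[str, bool]]:
    """vCenter binds twice: the lookup/service account, then the user.
    Returns (bind name, would trigger Duo) for each."""
    return [
        (service_account, needs_second_factor(service_account, exempt_entries,
                                              exempt_primary_bind, is_primary_bind=True)),
        (user_dn, needs_second_factor(user_dn, exempt_entries,
                                      exempt_primary_bind, is_primary_bind=False)),
    ]


if __name__ == "__main__":
    exempt = ["CN=ldaplookup,CN=Users,DC=acme,DC=org"]   # constructed, mirrors the thread
    user = "CN=alice,CN=Users,DC=acme,DC=org"
    # Service account given as sAMAccountName: its bind gets a push too (the loop)
    print(vcenter_login("ldaplookup", user, exempt, exempt_primary_bind=False))
    # Service account given as a DN (case/spacing differences are fine): only the user goes to Duo
    print(vcenter_login("cn=ldaplookup, cn=users, dc=acme, dc=org", user, exempt,
                        exempt_primary_bind=False))
    # Caution: an exempt_ou of the whole domain silently disables MFA for every user
    print(vcenter_login("CN=ldaplookup,CN=Users,DC=acme,DC=org", user, ["DC=acme,DC=org"],
                        exempt_primary_bind=False))
```

The third case is the check worth running against your own proxy config: any exempt_ou_N entry that is a parent of ordinary user accounts exempts those users as well, so keep it scoped to the single service account DN or a dedicated service-account OU.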