Duo Two-Factor Authentication via RADIUS

Like many 2FA solutions, Duo allows network devices, such as WTI devices, to integrate with its service using the RADIUS protocol.


Duo configuration

To enable Duo 2FA for your WTI Device, follow the steps at: https://duo.com/docs/radius


When following the above instructions, please note:

  • According to Duo's terminology, the WTI Device is the "RADIUS device" that runs a "RADIUS client" to connect to the Duo authentication proxy
  • In Duo's Network Diagram section, the WTI Device is the "Application or Service"
  • To enable WTI's RADIUS Dictionary capability to control user authorization, you must also:
    • Use a "real" RADIUS server as your primary authenticator, i.e. configure the [radius_client] section of authproxy.cfg
    • In this section set: pass_through_all=true

Duo proxy config: authproxy.cfg

The Duo proxy config file is on the machine on which you installed the Duo proxy program, at this location:

/opt/duoauthproxy/conf/authproxy.cfg

In the example below, the actual primary authenticator (the RADIUS server) is at 192.10.10.55 and the WTI Device is 192.168.100.33:


[radius_client]
host=192.10.10.55
secret=primaryradiusserversecret
port=1812
pass_through_all=true

[radius_server_auto]
ikey=OXOXOXOXOXOXOXOXOXOX
skey=AYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAY
api_host=api-12345678.duosecurity.com
radius_ip_1=192.168.100.33
radius_secret_1=duoproxysecret
client=radius_client
port=1812
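As an added example (not part of the WTI or Duo documentation), the following Python script checks an authproxy.cfg for the requirements listed above: a [radius_client] primary authenticator with pass_through_all=true, a [radius_server_auto] section whose client= points at it, and the WTI Device listed as a RADIUS client with a matching secret. The sample config is constructed from the values on this page; the ikey, skey and secrets are placeholders.

```python
"""Lint an authproxy.cfg against the requirements this page states for a WTI device.
Constructed sample; ikey/skey/secrets are placeholders, not real Duo credentials."""
import configparser

SAMPLE_CFG = """
[radius_client]
host=192.10.10.55
secret=primaryradiusserversecret
pass_through_all=true

[radius_server_auto]
ikey=OXOXOXOXOXOXOXOXOXOX
skey=AYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAYAY
api_host=api-12345678.duosecurity.com
radius_ip_1=192.168.100.33
radius_secret_1=duoproxysecret
client=radius_client
"""

def check_authproxy(text: str, wti_ip: str) -> list[str]:
    """Return the problems found; an empty list means the config meets the page's requirements."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("radius_server_auto"):
        return ["missing [radius_server_auto] section"]
    srv, problems = cp["radius_server_auto"], []
    # WTI authorization via the RADIUS Dictionary needs a real primary RADIUS server as 'client'.
    client = srv.get("client", "")
    if client != "radius_client" or not cp.has_section(client):
        problems.append("client= must name an existing [radius_client] section")
    else:
        rc = cp[client]
        problems += [f"[radius_client] missing {k}" for k in ("host", "secret") if not rc.get(k)]
        # Without pass_through_all=true the proxy does not copy the primary server's
        # reply attributes into its own responses, so the WTI dictionary rules never apply.
        if rc.get("pass_through_all", "false").strip().lower() != "true":
            problems.append("[radius_client] needs pass_through_all=true")
    problems += [f"[radius_server_auto] missing {k}" for k in ("ikey", "skey", "api_host") if not srv.get(k)]
    # Each radius_ip_N needs a matching radius_secret_N, and the WTI device must be one of them.
    ips = {k[len("radius_ip_"):]: v.strip() for k, v in srv.items() if k.startswith("radius_ip_")}
    problems += [f"radius_ip_{n} has no radius_secret_{n}" for n in ips if not srv.get(f"radius_secret_{n}")]
    if wti_ip not in ips.values():
        problems.append(f"WTI device {wti_ip} is not listed as a radius_ip_N client")
    return problems

if __name__ == "__main__":
    print(check_authproxy(SAMPLE_CFG, "192.168.100.33"))  # [] when the config is complete
```

Run it against your real /opt/duoauthproxy/conf/authproxy.cfg and the WTI Device's address to catch a missing pass_through_all or an unlisted device before testing logins.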




WTI Device configuration

Duo recommends setting the RADIUS device's client to retry 10 times with a timeout of 10 seconds, to allow enough time for the proxy to contact its cloud service and for the user to respond to the second factor.


Where the Duo authentication proxy is at 192.168.100.70:


Set the WTI Device RADIUS settings to the following:

  • Primary Host/Address: 192.168.100.70
  • Primary Secret Word: duoproxysecret
  • Fallback Timer: 10 Sec
  • Retries: 10
  • Session Module Type: Disable

If you are using the web interface, also set:

  • OneTime Auth: On
  • OneTime Auth Timer: 5


Testing


You may test as per the Duo instructions, e.g. log in to the WTI Device specifying the password as: password123,123456 (where your primary authenticator RADIUS password is password123 and your Duo code is 123456). You can also use Duo Push, Text or Phone call to test your configuration.


Ensure that the username exists on the primary authenticator RADIUS server and has also been enrolled using Duo's cloud portal.



NOTES


To change the WTI Device RADIUS configuration, log in to the WTI Device and issue the following commands:

  • /n
  • 29

This will take you to the RADIUS configuration menu.