Before configuring Duo 2FA for Opengear, ensure the following:
- You have an active Duo account and have configured your Duo application (https://duo.com/docs/radius).
- Your Opengear device is a member of one of the following product families: OM22xx, OM12xx, or CM8100.
- You have access to the Opengear device's web interface or CLI.
- You have a "real" RADIUS server set up to use as your primary authenticator on Opengear devices.
- You have the necessary credentials and permissions to configure the Opengear device and the primary authenticator RADIUS server.
By meeting the above prerequisites, you can proceed to configure Duo 2FA for your Opengear device by following the instructions provided in the article.
This guide explains how to configure Duo 2FA for Opengear devices, allowing them to integrate with the Duo service using the RADIUS protocol.
Products and Firmware:
- Product Family: OM22xx, OM12xx, and CM8100
- Firmware: Any
- FAQ was written on release 23.03.1
Duo Configuration:
- To enable Duo 2FA for your Opengear device, follow the steps outlined in this article: https://duo.com/docs/radius
- When following the instructions, note the following:
  - In Duo's terminology, the Opengear is the "RADIUS device" that runs a "RADIUS client" to connect to the Duo authentication proxy.
  - In Duo's Network Diagram section, the Opengear is the "Application or Service."
  - To enable Opengear's Use Remote Groups feature to control user authorization, you must also use a "real" RADIUS server as your primary authenticator, i.e. configure the [radius_client] section of authproxy.cfg.
  - In the [radius_client] section of authproxy.cfg, set pass_through_all=true.
An example where the primary authenticator RADIUS server is at 10.3.10.50 and the Opengear is on the 10.3.10.0/24 subnet:
[radius_client]
host=10.3.10.50
secret=primaryserversecret
port=1812
pass_through_all=true

[radius_server_auto]
failmode=safe
ikey=XXXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-11111111.duosecurity.com
radius_ip_1=10.3.10.0/24
radius_secret_1=duoproxysecret
client=radius_client
port=1812
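The following is an added example, not part of this article or of Duo's or Opengear's software: a small Python check that parses an authproxy.cfg and reports whether it satisfies the requirements above (a [radius_client] primary authenticator with pass_through_all=true, a [radius_server_auto] section pointing at it, and a radius_ip_N / radius_secret_N pair that covers the Opengear's address). The sample configuration embedded in it is the article's fragment with the placeholder ikey/skey values left as-is; the function names are the example's own.

```python
import configparser
import ipaddress

# Constructed sample: the article's authproxy.cfg fragment (placeholder ikey/skey kept).
SAMPLE_CFG = """\
[radius_client]
host=10.3.10.50
secret=primaryserversecret
port=1812
pass_through_all=true

[radius_server_auto]
failmode=safe
ikey=XXXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-11111111.duosecurity.com
radius_ip_1=10.3.10.0/24
radius_secret_1=duoproxysecret
client=radius_client
port=1812
"""


def _covers(spec, ip):
    """radius_ip_N may be a single address, a CIDR block or a dashed range (lo-hi)."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec.strip(), strict=False)


def check_authproxy_cfg(text, opengear_ip):
    """Return a list of problems; an empty list means the article's requirements hold
    for an Opengear at opengear_ip. Only structure is checked, nothing is contacted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []

    # Primary authenticator: required for Use Remote Groups, and it must pass
    # the primary server's attributes (group membership) through to the Opengear.
    if not cp.has_section("radius_client"):
        problems.append("missing [radius_client]: a primary RADIUS server is required")
    else:
        rc = cp["radius_client"]
        for key in ("host", "secret"):
            if not rc.get(key):
                problems.append(f"[radius_client] {key} is not set")
        if rc.get("pass_through_all", "false").strip().lower() != "true":
            problems.append("[radius_client] pass_through_all must be true")

    if not cp.has_section("radius_server_auto"):
        problems.append("missing [radius_server_auto]")
        return problems
    rs = cp["radius_server_auto"]
    if rs.get("client", "").strip() != "radius_client":
        problems.append("[radius_server_auto] client must be radius_client")
    for key in ("ikey", "skey", "api_host"):
        if not rs.get(key):
            problems.append(f"[radius_server_auto] {key} is not set")

    # Every radius_ip_N needs a radius_secret_N, and one of them must cover the Opengear.
    covered = False
    n = 1
    while f"radius_ip_{n}" in rs:
        if not rs.get(f"radius_secret_{n}"):
            problems.append(f"radius_ip_{n} has no radius_secret_{n}")
        if _covers(rs[f"radius_ip_{n}"], opengear_ip):
            covered = True
        n += 1
    if n == 1:
        problems.append("[radius_server_auto] has no radius_ip_1 entry")
    elif not covered:
        problems.append(f"no radius_ip_N entry covers the Opengear at {opengear_ip}")
    return problems


if __name__ == "__main__":
    for ip in ("10.3.10.20", "192.0.2.7"):
        print(ip, check_authproxy_cfg(SAMPLE_CFG, ip) or "OK")
```

Run it against the real file with `check_authproxy_cfg(open("authproxy.cfg").read(), "<opengear ip>")` before restarting the proxy; a non-empty list names the exact key to fix.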
Opengear Configuration:
- Duo recommends setting the RADIUS device's client to retry 10 times with a timeout of 10 seconds, to allow enough time for the proxy to contact its cloud service and for the user to interact. Opengear's RADIUS client timeout is already 10 seconds, so to specify 10 retries, specify the address of the Duo authentication proxy 10 times.
Opengear GUI Configuration:
Where the Duo authentication proxy is at 10.3.10.135, under CONFIGURE -> USER MANAGEMENT -> Remote Authentication, set:
- Mode: RADIUS
- Policy: Radius Local or RADIUS DownLocal
- REMOTE AUTHENTICATION SERVICES -> Address: 10.3.10.135 (you can add more instances of the same IP to provide a longer timeout)
- REMOTE AUTHENTICATION SERVICES -> Server Password / Confirm Server Password: duoproxysecret
Opengear CLI Configuration:
Where the Duo authentication proxy server is at 10.3.10.135:
config
# Configure RADIUS:
edit auth mode radius
edit auth policy remotedownlocal
edit auth radiusPassword duoproxysecret
auth radiusAuthenticationServers
add hostname 10.3.10.135 port 1812
add hostname 10.3.10.135 port 1812
add hostname 10.3.10.135 port 1812
add hostname 10.3.10.135 port 1812
# Back to top and verify that the changes look correct:
top
changes
# Apply the config:
apply all
exit
Alternatively, you can paste your config right into the Opengear Linux Shell (At a # or $ prompt):
config replace auth <<'END'
ldapAuthenticationServers=[]
ldapIgnoreReferrals=false
mode="radius"
policy="remotedownlocal"
radiusAccountingServers=[]
radiusAuthenticationServers[0].hostname="10.3.10.135"
radiusAuthenticationServers[0].port=1812
radiusAuthenticationServers[1].hostname="10.3.10.135"
radiusAuthenticationServers[1].port=1812
radiusAuthenticationServers[2].hostname="10.3.10.135"
radiusAuthenticationServers[2].port=1812
radiusAuthenticationServers[3].hostname="10.3.10.135"
radiusAuthenticationServers[3].port=1812
radiusAuthenticationServers[4].hostname="10.3.10.135"
radiusAuthenticationServers[4].port=1812
radiusAuthenticationServers[5].hostname="10.3.10.135"
radiusAuthenticationServers[5].port=1812
radiusPassword="duoproxysecret"
tacacsAccountingEnabled=true
tacacsAuthenticationServers=[]
END
Testing:
To test the 2FA integration:
- Ensure that the username exists on the primary authenticator RADIUS server and has also been enrolled using Duo's cloud portal.
- Access the Opengear GUI or CLI.
- You may test as per the Duo instructions. There are several methods to test Append Mode, e.g. log in to the Opengear specifying the password as password123,123456 (where your primary authenticator RADIUS password is password123 and your Duo code is 123456). Entering the username/password with nothing appended defaults to a 2FA Push.
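As an added example (not from this article, Duo or Opengear), the function below models how a credential typed in Append Mode is interpreted, so you can see what the proxy receives for each test login. It assumes the proxy splits at the last comma, which is what lets a primary password that itself contains commas work; the "no comma means push" rule is the one stated above.

```python
def split_append_mode(entered):
    """Split an Append Mode credential into (primary_password, factor).

    Assumed rules: no comma at all means the whole string is the primary
    password and the factor defaults to a push; otherwise the string is
    split at the LAST comma so commas inside the primary password survive.
    """
    if "," not in entered:
        return entered, "push"
    primary, factor = entered.rsplit(",", 1)
    return primary, factor


def describe_factor(factor):
    """Classify the appended factor for a test log line (constructed labels)."""
    if factor == "push":
        return "push to enrolled device"
    if factor.isdigit():
        return "passcode"
    return "other keyword (see Duo's Append Mode table)"


if __name__ == "__main__":
    # Constructed test logins, the first two taken from the article's example.
    for entered in ("password123,123456", "password123", "pa,ss,word,123456"):
        primary, factor = split_append_mode(entered)
        print(f"{entered!r} -> primary={primary!r} factor={factor!r} ({describe_factor(factor)})")
```

Only the primary password portion is forwarded to the server in [radius_client]; the factor stays with the proxy, which is why a wrong passcode fails at Duo rather than at your primary RADIUS server.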
If the integration does not work as expected, refer to Duo's documentation or contact Duo support for further assistance.