For a background on two-factor authentication (2FA), please refer to this article.
Like many 2FA solutions, Duo allows network devices, such as Opengear Data Center, Remote Site and Centralized Management products, to integrate with its service using the RADIUS protocol.
Duo configuration
To enable Duo 2FA for your Opengear, follow the steps at: https://duo.com/docs/radius
When following the above instructions, please note:
- According to Duo's terminology, the Opengear is the "RADIUS device" that runs a "RADIUS client" to connect to the Duo authentication proxy
- In Duo's Network Diagram section, the Opengear is the "Application or Service"
- To enable Opengear's Use Remote Groups feature to control user authorization, you must also:
  - Use a "real" RADIUS server as your primary authenticator, i.e. configure the [radius_client] section of authproxy.cfg
  - In this section set: pass_through_all=true
Example Duo authproxy.cfg
Where the primary authenticator RADIUS server is at 10.11.12.254 and the Opengear is on the 192.168.0.0/24 subnet:
[radius_client]
host=10.11.12.254
secret=primaryserversecret
port=1812
pass_through_all=true

[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-11111111.duosecurity.com
radius_ip_1=192.168.0.0/24
radius_secret_1=duoproxysecret
client=radius_client
port=1812
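A pre-deployment check of authproxy.cfg against the settings this article requires, as an added example that is not Opengear's or Duo's own code. The function name check_authproxy and the device address 192.168.0.1 used to exercise it are assumptions; radius_ip_N values are handled only when they are a single address or a CIDR block.

```python
import configparser
import ipaddress

# Sample input: the article's example authproxy.cfg (placeholder keys and secrets).
SAMPLE_CFG = """\
[radius_client]
host=10.11.12.254
secret=primaryserversecret
port=1812
pass_through_all=true

[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-11111111.duosecurity.com
radius_ip_1=192.168.0.0/24
radius_secret_1=duoproxysecret
client=radius_client
port=1812
"""

def check_authproxy(cfg_text, opengear_ip, opengear_secret):
    """Return a list of problems (empty when the article's settings are all met)."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(cfg_text)
    if not cfg.has_section("radius_server_auto"):
        return ["missing [radius_server_auto] section"]
    server, problems = cfg["radius_server_auto"], []
    # Use Remote Groups needs a RADIUS primary authenticator with pass-through.
    if server.get("client") != "radius_client" or not cfg.has_section("radius_client"):
        problems.append("primary authenticator is not a [radius_client] section")
    elif cfg["radius_client"].get("pass_through_all", "").lower() != "true":
        problems.append("pass_through_all=true is not set in [radius_client]")
    # Find the radius_ip_N entry covering the Opengear, then compare radius_secret_N.
    addr, index = ipaddress.ip_address(opengear_ip), None
    for key, value in server.items():
        if not key.startswith("radius_ip_"):
            continue
        try:
            if addr in ipaddress.ip_network(value, strict=False):
                index = key[len("radius_ip_"):]
                break
        except ValueError:
            continue  # value is not a single address or CIDR block; ignored here
    if index is None:
        problems.append(f"no radius_ip_N entry covers {opengear_ip}")
    elif server.get(f"radius_secret_{index}") != opengear_secret:
        problems.append(f"radius_secret_{index} does not match the Opengear's RADIUS password")
    return problems
```

Pass the function the proxy's config text, the Opengear's address as the proxy sees it, and the RADIUS password set on the Opengear; an empty list means the three settings line up.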
Opengear configuration
Duo recommend setting the RADIUS device's client to retry 10 times with a timeout of 10 seconds to allow enough time for the proxy to contact its cloud service and the user to interact.
Opengear's RADIUS client timeout is already 10 seconds. To specify 10 retries, simply enter the address of the Duo authentication proxy 10 times.
Opengear GUI configuration
Where the Duo authentication proxy is at 192.168.0.254, under Serial & Network -> Authentication, set:
- Authentication Configuration -> Authentication Method: RADIUSLocal (or your preferred RADIUS scheme)
- Authentication Configuration -> Disable Accounting: <checked>
- RADIUS -> Authentication and Authorization Server Address: 192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254
- RADIUS -> Server/Confirm Password: duoproxysecret
Opengear CLI configuration
Where the Duo authentication proxy server is at 192.168.0.254:
config -s config.auth.radius.acct_disabled=on
config -s config.auth.radius.auth_server=192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254
config -s config.auth.radius.password=duoproxysecret
config -s config.auth.type=RADIUSLocal
config -s config.auth.useremotegroups=on
config -r auth
Testing
You may test as per the Duo instructions, e.g. log in to the Opengear specifying the password as: password123,123456 (where your primary authenticator RADIUS password is password123 and your Duo code is 123456).
Ensure that the username exists on the primary authenticator RADIUS server and has also been enrolled using Duo's cloud portal.