Articles in this section

See more

Duo Two-Factor Authentication via RADIUS

Robert Waldie
  • Updated
Follow

For a background on two-factor authentication (2FA), please refer to this article.

Like many 2FA solutions, Duo allows network devices, such as Opengear Data Center, Remote Site and Centralized Management products, to integrate with its service using the RADIUS protocol.

Duo configuration

To enable Duo 2FA for your Opengear, follow the steps at: https://duo.com/docs/radius

When following the above instructions, please note: 

  • According to Duo's terminology, the Opengear is the "RADIUS device" that runs a "RADIUS client" to connect to the Duo authentication proxy
  • In Duo's Network Diagram section, the Opengear is the "Application or Service"
  • To enable Opengear's Use Remote Groups feature to control user authorization, you must also:
    • Use a "real" RADIUS server as your primary authenticator, i.e. configure the [radius_client] section of authproxy.cfg
    • In this section set: pass_through_all=true

Example Duo authproxy.cfg

Where the primary authenticator RADIUS server is at 10.11.12.254 and the Opengear is on the 192.168.0.0/24 subnet:

[radius_client]
host=10.11.12.254
secret=primaryserversecret
port=1812
pass_through_all=true

[radius_server_auto]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-11111111.duosecurity.com
radius_ip_1=192.168.0.0/24
radius_secret_1=duoproxysecret
client=radius_client
port=1812

Opengear configuration

Duo recommend setting the RADIUS device's client to retry 10 times with a timeout of 10 seconds to allow enough time for the proxy to contact its cloud service and the user to interact.

Opengear's RADIUS client timeout is already 10 seconds, to specify 10 retries simply specify the address of the Duo authentication proxy 10 times.

Opengear GUI configuration

Where the Duo authentication proxy is at 192.168.0.254, under Serial & Network -> Authentication, set:

  • Authentication Configuration -> Authentication Method: RADIUSLocal (or your preferred RADIUS scheme)
  • Authentication Configuration -> Disable Accounting: <checked>
  • RADIUS -> Authentication and Authorization Server Address: 192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254
  • RADIUS -> Server/Confirm Password: duoproxysecret

Opengear CLI configuration

Where the Duo authentication proxy server is at 192.168.0.254:

config -s config.auth.radius.acct_disabled=on
config -s config.auth.radius.auth_server=192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254,192.168.0.254
config -s config.auth.radius.password=duoproxysecret
config -s config.auth.type=RADIUSLocal
config -s config.auth.useremotegroups=on
config -r auth

Testing

You may test as per the Duo instructions, e.g. login to the Opengear specifying the password as: password123,123456 (where your primary authenticator RADIUS password is password123 and your Duo code is 123456).

Ensure that the username exists on the primary authenticator RADIUS server and has also been enrolled using Duo's cloud portal. 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk