Setting Up DUO with RADIUS
Users prefer Pleasant Password Server with a KeePass client!
(Versions 7.4+)
Password Server supports authenticating with DUO with a RADIUS proxy as a Two-Factor Provider, and allows use of the DUO Push technology.
Prerequisite:
- DUO configuration steps
Configure DUO
Download DUO proxy
- For example, download DUO Authentication proxy from here:
Modify the Config File
- authproxy.cfg file
[duo_only_client]
[radius_server_auto]
ikey=[FROMDUO]
skey=[FROMDUO]
api_host=[FROMDUO]
failmode=safe
radius_ip_1=[DUO PROXY IP ADDRESS]
client=duo_only_client
radius_secret_1=testing123
Once the DUO system config has been setup (ikey, skey, and api_host), you can use these values for the Password Server config.
Password Server Configuration
- Users are able to authenticate through a single-step logon procedure able to output text into a web form. For example, a static password or most One-Time Password (OTP) Providers will be sufficient.
-
Users with the same username in Password Server as they have in RADIUS. This will likely be the case if both Password Server and RADIUS are importing from the same LDAP server.
In Password Server itself, the configuration is simple.
- Go to Users and Roles > Manage Policies and click the name of the user policy containing the users you want to authenticate against RADIUS.
- Scroll down to Two Factor Policy and look for RADIUS in the configuration list. Click the [Configure] link in that row.
- Using the details required by RSA SecurID, fill in the fields:
- Set Enabled to True
- Set "User Can Self-Enroll in this Provider"
- Server Address
- Server Port
- Select an Authentication Protocol - enabled for RSA SecurID
- See: available protocols
- Shared Secret
- Click Save.
- Server address: is the IP address of your DUO proxy server.
- Port: 1812
- NAS Identifier or IP Address: is an optional attribute. Some servers require it but if yours doesn't you can ignore it.
- Authentication Protocol: PAP
- Shared Secret: testing123 [for example]
Attach and Enroll Users
Additional Users can be attached to this policy by either:
- Setting a Role policy: from Policies -> Set the Role Policy or Edit -> Set Policy
- Setting a User's policy: From Manage Users -> Click User name -> Edit -> Change policy
-
Setting it as the Users' default Policy: From Policies -> Edit -> Global Settings -> Set the Default Policy
Disabled: Users attached to the policy will show as disabled, until they are enabled or enrolled or self-enrolled.
Enabling 2FA for a User
Two-Factor Authentication can also be enabled individually for all users you would like to authenticate against a RADIUS server:
- Go to Users and Roles > Manage Users and click the name of the user you want to enable RADIUS for.
- Scroll down to Policy Information and look for RADIUS in the Two Factor Authentication list. Click the [Configure] link in that row.
- Click the Enable button on that screen. The user will now be prompted for a password for the RADIUS server each time they log in.
- If RADIUS needs to be disabled for a user, you can go back to the previous screen and a Disable button will be present instead of the Enable button.
User Configuration and Self-Enrollment
The prompt is the same: for user configuration setup, and subsequently, for each time they use 2FA:
-
"Please enter the one-time password or secret code."
Configuration error:
-
"RADIUS configuration failed. Please try again"
Token entry error:
-
"Invalid two-factor token. Please try again"
Using RADIUS via Duo
The support documentation on Duo's website has instructions for setting up the Duo proxy service as a RADIUS server or client.
- Be sure to follow the above instructions until the "start the proxy" step.
Setup Requirement: The only requirement for using this setup with Password Server is that PAP must be selected as the authentication protocol in the policy configuration.
When a user logs in, they must type in both their password and Duo token as described in Duo's documentation here. If you are using the Duo-only client, this is unnecessary; users just need to type in their Duo token to authenticate.
Push Notification is also possible if we type "push" in as the token.