Configuring Duo Two-Factor Authentication

About this task:

You can configure the Duo RADIUS server as the primary authentication source. This approach uses the Duo RADIUS Authentication Proxy. (You cannot use a direct connection with the Duo Cloud Service over LDAPS.)

For the detailed steps to configure Duo, see https://duo.com/docs/cisco-firepower.

You then configure the Duo proxy to forward the authentication requests it receives to another RADIUS server or an AD server for the first authentication factor, and to the Duo Cloud Service for the second factor.

When using this approach, the user must authenticate with a username that exists both in the Duo Cloud Service and on the associated RADIUS server. In the password field, the user enters the password configured on the RADIUS server, followed by a comma and one of the following Duo factors:

  • Duo passcode. For example, my-password,123456.

  • push. For example, my-password,push. Use push to tell Duo to send a push authentication to the Duo Mobile app, which the user must have already installed and registered.

  • sms. For example, my-password,sms. Use sms to tell Duo to send an SMS message with a new batch of passcodes to the user’s mobile device. The user’s authentication attempt will fail when using sms. The user must then re-authenticate and enter the new passcode as the secondary factor.

  • phone. For example, my-password,phone. Use phone to authenticate using phone callback.

For more information on login options with examples, see https://guide.duo.com/anyconnect.
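The append-mode credential described above, parsed and classified in a short example added here (this is not Cisco's or Duo's own code, and it does not show how the Duo proxy itself parses the field). Two of its choices are the example's own assumptions, not something the page states: it splits on the last comma so that a first-factor password that itself contains commas still works, and it accepts any all-digit string as a passcode, since Duo passcode lengths vary by token type.

```python
"""Parse the append-mode credential a user types for Duo RADIUS authentication.

Added example, not Cisco's or Duo's own code. Assumptions: the split is on
the LAST comma (so passwords containing commas survive), and a passcode is
any all-digit string. Neither is stated on the page.
"""

# Named factors from the page, mapped to whether this attempt can complete.
NAMED_FACTORS = {
    "push": True,   # Duo Mobile push; login completes when the user approves
    "phone": True,  # phone callback; login completes when the user approves
    "sms": False,   # Duo texts a new passcode batch; this attempt always fails
}


def parse_append_mode(credential: str) -> dict:
    """Split 'password,factor' into its parts and classify the factor.

    Returns the first-factor password, the factor kind ('passcode', 'push',
    'sms' or 'phone'), the passcode digits when present, and whether this
    authentication attempt can succeed at all.
    """
    if "," not in credential:
        raise ValueError("no Duo factor appended after the password")
    # Assumption: last comma separates the factor, so 'a,b,push' keeps 'a,b'.
    password, factor = credential.rsplit(",", 1)
    factor = factor.strip()
    if not password:
        raise ValueError("empty first-factor password")
    if factor in NAMED_FACTORS:
        return {"password": password, "factor": factor, "passcode": None,
                "completes_now": NAMED_FACTORS[factor]}
    if factor.isascii() and factor.isdigit():
        return {"password": password, "factor": "passcode", "passcode": factor,
                "completes_now": True}
    raise ValueError(f"unrecognised Duo factor: {factor!r}")


if __name__ == "__main__":
    for sample in ("my-password,123456", "my-password,push",
                   "my-password,sms", "my-password,phone"):
        parsed = parse_append_mode(sample)
        outcome = ("can succeed" if parsed["completes_now"]
                   else "fails; user re-authenticates with a texted passcode")
        print(f"{sample!r:<24} -> factor={parsed['factor']:<9} {outcome}")
```

The sms case is the one worth remembering when reading authentication logs: a rejected RADIUS request whose factor was sms is the expected first half of a two-attempt login, not a failed credential.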

Before you begin:

Before configuring two-factor authentication with Duo Authentication Proxy on threat defense, ensure that you complete the following configurations:

  • Configure a working primary authentication (RADIUS or AD) for your remote access VPN users before you begin to deploy Duo.

  • Install Duo proxy service on a Windows or Linux machine within your network to integrate Duo with Secure Firewall Threat Defense remote access VPN. This Duo proxy server also acts as a RADIUS server.

    Download and install the most recent Duo authentication proxy from the following location:

  • Configure the Duo authentication proxy configuration file, authproxy.cfg. Follow the instructions on the https://duo.com/docs/cisco-firepower#configure-the-proxy page to configure the authentication settings.

    The authproxy.cfg file must contain the details of the RADIUS or ISE server, the threat defense device, and the Duo proxy server, plus the Duo Integration Key, Secret Key, and API host.

  • Ensure that you have the right API host information in the authproxy.cfg file.

  • Configure other required settings, such as the secondary authentication factor, for the newly installed Duo proxy server at Duo Security Server > Duo Admin Panel > Applications > CISCO RADIUS VPN.
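A pre-deployment check for the authproxy.cfg file described in the list above, added here as an example (it is not Cisco's or Duo's own code). The section and key names it looks for (radius_client, ad_client, radius_server_auto, ikey, skey, api_host, radius_ip_1, radius_secret_1, client, failmode) are Duo's documented names for the proxy configuration; every value in the embedded sample is a constructed placeholder. Besides the required keys, it flags the proxy's default failmode, which lets a user in on the first factor alone if the Duo cloud cannot be reached.

```python
"""Sanity-check a Duo Authentication Proxy authproxy.cfg before deployment.

Added example, not Cisco's or Duo's own code. Section and key names are
Duo's documented ones; all values in SAMPLE_CFG are constructed placeholders.
"""
import configparser

# Constructed sample configuration: placeholder hosts, keys and secrets only.
SAMPLE_CFG = """\
[radius_client]
host=10.0.0.5
secret=PRIMARY_RADIUS_SECRET_PLACEHOLDER
port=1812

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=FTD_SHARED_SECRET_PLACEHOLDER
client=radius_client
port=1812
failmode=safe
"""

# Keys the threat-defense-facing server section cannot work without.
SERVER_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client")
# Keys each primary-authentication client section needs.
CLIENT_KEYS = {
    "radius_client": ("host", "secret"),
    "ad_client": ("host", "service_account_username",
                  "service_account_password", "search_dn"),
}


def check_authproxy_cfg(text: str) -> list[str]:
    """Return a list of findings; an empty list means the file passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    servers = [s for s in cp.sections() if s.startswith("radius_server_")]
    if not servers:
        findings.append("no [radius_server_*] section: the threat defense "
                        "device has nothing to send RADIUS requests to")
    for name in servers:
        sec = cp[name]
        for key in SERVER_KEYS:
            if key not in sec:
                findings.append(f"[{name}] missing {key}")
        api_host = sec.get("api_host", "")
        if not api_host.endswith(".duosecurity.com"):
            findings.append(f"[{name}] api_host {api_host!r} is not a duosecurity.com host")
        client = sec.get("client")
        if client is not None:
            if client not in cp:
                findings.append(f"[{name}] client={client} names a section that does not exist")
            else:
                # Strip a numeric suffix so ad_client2 is checked as an ad_client.
                base = client.rstrip("0123456789").rstrip("_")
                for key in CLIENT_KEYS.get(base, ()):
                    if key not in cp[client]:
                        findings.append(f"[{client}] missing {key}")
        # Duo's default is failmode=safe: first factor alone is accepted when
        # the Duo cloud is unreachable. failmode=secure denies those logins.
        failmode = sec.get("failmode", "safe").lower()
        if failmode != "secure":
            findings.append(f"[{name}] failmode={failmode}: users log in with the "
                            "first factor only if the Duo cloud is unreachable; "
                            "set failmode=secure to deny instead")
    return findings


if __name__ == "__main__":
    for finding in check_authproxy_cfg(SAMPLE_CFG) or ["OK: no findings"]:
        print(finding)
```

Whether failmode=secure is the right choice is an availability decision for the VPN owner; the check only makes sure the decision is visible before the file goes live.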

Procedure

Step 1
Log on to your Secure Firewall Management Center web interface.

Step 2
Create a RADIUS server group.
More info: RADIUS Server Group Options

Step 3
Create a RADIUS Server object within the new RADIUS server group, with the Duo proxy server as the host and a timeout of 60 seconds or more.
More info: RADIUS Server Options
Note: For two-factor authentication, make sure that the timeout is also set to 60 seconds or more in the Secure Client Profile XML file.

Step 4
Configure a new remote access VPN policy using the wizard, or edit an existing remote access VPN policy.
More info: Create a New Remote Access VPN Policy

Step 5
Select RADIUS as the authentication method, and then select the RADIUS server group that you created with the Duo proxy server as the authentication server.
More info: Configure AAA Settings for Remote Access VPN

Step 7
Deploy the configuration changes.
More info: Deploy Configuration Changes