Integration Guide. Duo Security Authentication



Similar documents
Integration Guide. Swivel Secure Authentication

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

Creating a DUO MFA Service in AWS

Authentication Node Configuration. WatchGuard XTM

Integration Guide. LogicNow MAXfocus

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Fireware XTM v is a maintenance release for XTM 21, XTM 22, and XTM 23 wired and wireless devices.

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

Setting Up and Accessing VPN

Two-Factor Authentication

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

Initial DUO 2 Factor Setup, Install, Login and Verification

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring Global Protect SSL VPN with a user-defined port

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

The University of Texas Rio Grande Valley. Network Security. Create a Virtual Private. Network (VPN) Connection. Network Security How-to:

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Preparing for GO!Enterprise MDM On-Demand Service

External Authentication with Windows 2012 R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

How do I set up a branch office VPN tunnel with the Management Server?

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

HOTPin Integration Guide: DirectAccess

Managing Qualys Scanners

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

Information Technology Services. Your mailbox is moving to the cloud. Here is what to expect.

Microsoft Office365 with Active Directory Federated Services (ADFS) Authenticating Users Using SecurAccess Server by SecurEnvoy

EMR Link Server Interface Installation

A Guide to New Features in Propalms OneGate 4.0

WatchDox SharePoint Beta Guide. Application Version 1.0.0

Using LifeSize systems with Microsoft Office Communications Server Server Setup

Administering Jive Mobile Apps

PineApp Surf-SeCure Quick

Wireless Installation Checklist for Novell GroupWise Environments

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Defender Token Deployment System Quick Start Guide

Advanced Configuration Steps

External Authentication with Netscreen 25 Remote VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring PPP And SIP

D-Link DAP-1360 Repeater Mode Configuration

Connecting an Android to a FortiGate with SSL VPN

Multi-factor Authentication using Radius

Mobile Device Management Solution Hexnode MDM

VMware Identity Manager Administration

Hosted Microsoft Exchange Client Setup & Guide Book

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

DIGIPASS Authentication for Cisco ASA 5500 Series

Juniper Networks SSL VPN Implementation Guide

C-more Remote Access with Apple ipad or iphone Tutorial

FTP, IIS, and Firewall Reference and Troubleshooting

Basic Exchange Setup Guide

Installing and Configuring vcloud Connector

Virtual Appliance Setup Guide

Configuring the Watchguard Edge for RADIUS authentication

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

IIS, FTP Server and Windows

Scenario: Remote-Access VPN Configuration

MaaS360 Mobile Enterprise Gateway

Access to Webmail services via a Non Trust Computer

netld External Authentication Setup Guide

Integrating ConnectWise Service Desk Ticketing with the Cisco OnPlus Portal

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Certificate Management

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Securing your Juniper SSL VPN with two-factor authentication.

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Install and Configure Oracle Outlook Connector

MaaS360 Mobile Enterprise Gateway

LogMeIn Rescue+Mobile for Android

Setting Up Scan to SMB on TaskALFA series MFP s.

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

External Authentication with Citrix Access Gateway Advanced Edition

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Cisco VPN Concentrator Implementation Guide

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

PowerShell Configuration Guide

Cisco AnyConnect VPN for: Windows 8

External Authentication with CiscoSecure ACS. Authenticating Users Using. SecurAccess Server. by SecurEnvoy

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

Citrix Netscaler Advanced guide for SMS PASSCODE SMS PASSCODE 2014

1 Summary. Step by Step Guide to implement SMS authentication to Bluecoat ProxySG

Basic Exchange Setup Guide

Setting Up groov Mobile Apps. Introduction. Setting Up groov Mobile Apps. Using the ios Mobile App

Business mail 1 MS OUTLOOK CONFIGURATION... 2

Scenario: IPsec Remote-Access VPN Configuration

How to set up Outlook Anywhere on your home system

QuickStart Guide for Mobile Device Management

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Transcription:

Integration Guide Duo Security Authentication Revised: 21 January 2016

About This Guide Guide Type Documented Integration WatchGuard or a Technology Partner has provided documentation demonstrating integration Guide Details WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product. 2 Duo Integration Guide

Duo Security Integration Overview This document describes the steps to integrate WatchGuard Mobile VPN with SSL client software download access and Mobile VPN with SSL client authentication with Duoo Security s two-factor authenticationn solution. Duo Security offers user authentication by passcode, push, phone or SMS. All of these authentication methodss have been successfully verified for use with Mobile VPN with SSL client software download accesss and to connect to the Firebox with the Mobile VPN with SSL client. The workflow for two-factor authenticatio on through integration with Duo is shown here: 1. The user initiates primary authentication to the WatchGuard Firebox. 2. The Firebox sends an authentication request to Duo s Authentication Proxy. 3. The Authentication Proxy completes primary authentication using RADIUS. 4. The Authentication Proxy establishes a secure connection to the Duo Security service. 5. Secondary authentication is conducted through the Duo Security service. 6. The Authentication Proxy receives a secondary authentication result from the Duo Security service. 7. The Firebox grants the user access. Platform and Software The hardware and software used to complete the steps outlinedd in this document include: Firebox XTM 5 Series device installed with Fireware v11.10.x Duoauthproxy-2.4.144 on Windows Freeradius-server-2. 2.3 Duo Mobile Application 3.9.7 on Android Duo Integration Guide 3

Two-Factor Authentication Methods When using two-factor authentication, you can use any of the four secondary authentication methods supported by Duo in the Password field when you log in to the Firebox. In the examples below, the username is leezy, the password is zgy$t@rdst and the Duo provided passcode is 011016. 1 1. <password>,<passcode> In addition to the password, the user provides a passcode obtained through the Duo Mobile App. Example: 2. <password>,push Username: leezy Password: zgy$t@rdst,011016 After the username, password and key word push are submitted to the Firebox, the user must approve the subsequent authentication request in Duo s Mobile App on their phone. Example: Username leezy Password zgy$t@rdst,push 3. <password>,phone. After the username, password, and key word phone are submitted to the Firebox, the user must approve the subsequent authentication request by pressing any digit on their phone panel. Example: Username leezy Password zgy$t@rdst,phone 4. <password>, sms The initial submission of username, password and key word sms to the Firebox (this authentication attempt is expected to fail) causes the user to receive ten passcodes on their phone through SMS. The user then conducts a new authentication request, this time specifying one of the received passcodes (as shown in option 1 above). Example: 1 In the actual Firebox provided authentication UI, the password will be obscured; the password field contents are shown here in clear text solely for purposes of illustration. 4 Duo Integration Guide

Username leezy Password zgy$t@rdst,sms Configuration To complete this integration, you must have: Duo account Duo Authentication Proxy RADIUS server WatchGuard Firebox The Duo account is used to log in to the Duo Service to manage applications, enroll users, and get integration keys. The Duo Authentication Proxy acts as a bridge, communicating with the RADIUS server, the Duo Security service in the cloud, the WatchGuard Firebox, and the Duo Mobile App. The RADIUS server is used for primary user authentication. In the tested configuration, the Duo Authentication Proxy and the RADIUS server were located on the same subnet. Create a Duo Account To create a Duo account: 1. Sign up for a Duo account. 2. Log in to the Duo Admin Panel and select Applications. 3. Select Protect an Application and find RADIUS in the applications list. 4. Select Protect this Application to get an integration key, secret key, and API hostname. 5. Select User and enroll the user as defined on the RADIUS server into Duo, including the user s phone number. 6. After enrollment, activate the user. Configure the Duo Authentication Proxy for Primary Authentication The Duo Authentication proxy is the system that validates users existing passwords. In most cases you must configure the proxy to communicate with a RADIUS server. To configure the proxy, add a [radius_client] section at the top of the file that includes properties described below. All properties are required. Properties Description host The IP address of the RADIUS server secret A secret to be shared between the proxy and the RADIUS server Duo Integration Guide 5

For example: [radius_client] host=172.16.1.28 secret=password Make sure that the RADIUS server is configured to accept authentication requests from the Duo Authentication Proxy. Configure the Duo Authentication Proxy to Work with the Firebox To set up the Duo Authentication Proxy to work with the Firebox, create a [radius_server_auto] section in the Proxy configuration file that includes the properties described below. All properties are required. Make sure to save the configuration file when you are done. Properties Description ikey The integration key in Error! Reference source not found.. skey The secret key in Error! Reference source not found.. api_host The api host in Error! Reference source not found.: radius_ip_1 The IP address of the Firebox that is connected to the Proxy. radius_secret_1 A secret to be shared between the Proxy and the Firebox. client Set this to radius client, which means the proxy will use RADIUS for primary authentication. Make sure a [radius_client] section as described above is configured. An example configuration file that uses RADIUS could look like this: [radius_client] host=172.16.1.28 secret=password [radius_server_auto] ikey=di5g8wl3f2splzibvhed skey=seyhfvljr2ork5og8rwvkxixxxxxxxxx api_host=api-77800a8d.duosecurity.com radius_ip_1=172.16.1.1 radius_secret_1=password client=radius_client port=1812 failmode=safe 6 Duo Integration Guide

Start the Duo Authentication Proxy On the Windows computer where the Duo Authentication Proxy is installed, open an Administrator command prompt and type the command: net start DuoAuthProxy Configure RADIUS Authentication Server on the Firebox From WatchGuard System Manager, open Policy Manager and configure the Firebox to use RADIUS authentication. 1. From Policy Manager, select Setup > Authentication > Authentication Servers. 2. On the RADIUS tab, configure these properties: a. IP Address the IP address of the Duo Authentication Proxy b. Secret the RADIUS secret configured on the Duo Authentication Proxy c. Timeout Set this to at least 60 seconds Duo Integration Guide 7

3. Click OK to add the new RADIUS server. Configure a User Group on the Firebox 1. Select Setup > Authentication > Authorized Users/Groups and add a user. 2. If you want, you can use the default SSLVPN-Users group for authentication. Or, you can add the names of users and groups to match those defined on your RADIUS server. 8 Duo Integration Guide

Configure Mobile VPN with SSL on the Firebox 1. From Policy Manager select VPN > Mobile VPN > SSL. 2. Configure these settings on the General tab: Select the Activate Mobile VPN with SSL check box. Type the IP address or domain name to which the mobile clients will connect. Configure networking settings and add and IP address pool if required. Duo Integration Guide 9

3. Configure these settings on the Authentication tab: Select the RADIUS server. We recommend that you enable the option Force users to authenticate after a connection is lost but it is not required. 10 Duo Integration Guide

4. Click OK. Note: When Mobile VPN with SSL is activated, an SSLVPN-Users user group and a WatchGuard SSLVPN policy are automatically created and added to your configuration to allow SSL VPN connections from the Internet to the external interface. It is possible to use these groups or create new groups that match the user group names defined on the authentication server. Duo Integration Guide 11

Mobile VPN with SSL Client Software Download To download Mobile VPN with SSL client software, connect to your Firebox with this URL: https://[device_interface_ip_address]:410/sslvpn.html Here is an example of the authentication page: You can use any of the four supported two-factor authentication methods described in the Two-Factor Authentication Methods section above. Review the content carefully for syntax, but usually you will type the password followed by a comma and the additional information required for the method you choose. The options are: <password>,<passcode> <password>,push <password>,phone <password>,sms When authentication is successful, this is what you see: 12 Duo Integration Guide

From this page you can download the Mobile VPN with SSL client software that matches your computer operating system. Mobile VPN with SSL Client Authentication After the Mobile VPN with SSL client is downloaded and configured on your computer, you can use any of the four supported two-factor authentication methods to connect to your Firebox with the Mobile VPN client software. These methods are described in the Two-Factor Authentication Methods section above. Review the content carefully for syntax, but usually you will type the password followed by a comma and the additional information required for the method you choose. The options are: <password>,<passcode> <password>,push <password>,phone <password>,sms The authentication screen looks like this: Duo Integration Guide 13

14 Duo Integration Guide