  • Suraj Roy

Integrating Unified Access Gateway with Duo Security (RADIUS)

Updated: Sep 9, 2021

Secure your IT infrastructure and business by implementing two-factor authentication (2FA/MFA). My company, Controlled Networks, has been using Duo for some time in most of our customers' environments. We can provide Duo multi-factor services, including licensing and software.




In this blog I will set up Duo Security 2FA and integrate it with Unified Access Gateway (UAG). This includes installing the Duo Authentication Proxy server as well.



First:


Set up the Duo Authentication Proxy server:




1. Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe.



2. Launch the Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.







Once done with the Authentication Proxy installation, open the “Authentication Proxy configuration” file.





NOTE: Use WordPad or another text editor instead of Notepad when editing the config file on Windows. Also take a backup of the existing file before modifying it.



Sample configuration (Default):




; Complete documentation about the Duo Auth Proxy can be found here:
; https://duo.com/docs/authproxy_reference

; NOTE: After any changes are made to this file the Duo Authentication Proxy
; must be restarted for those changes to take effect.

; MAIN: Include this section to specify global configuration options.
; Reference: https://duo.com/docs/authproxy_reference#main-section
;[main]

; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])

[ad_client]
host=
service_account_username=
service_account_password=
search_dn=

; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)

[radius_server_auto]
ikey=
skey=
api_host=
radius_ip_1=
radius_secret_1=
failmode=safe
client=ad_client
port=1812



NOTE: In my lab I do not have Radius and hence we will configure the setup with ad_client.



[ad_client]
host=DC.IP.0.1
host_2=DC.IP.0.2
service_account_username=serviceaccount
service_account_password=serviceaccountpassword
search_dn=DC=domain,DC=com



Before configuring the RADIUS server settings, a new application needs to be created in the Duo Admin Console. The steps are below.



1. Log into the Duo Admin Console.





2. Click Applications





3. Click Protect an Application



4. Scroll down to VMware View and select “Protect this Application.”




5. Copy the Integration Key, Secret Key, and API Hostname.





6. Change the username normalization option to “Simple.”






Once done, the next step is to configure the Authentication Proxy as a RADIUS service.

Duo provides several options for interacting with the client service. These options include:


  1. RADIUS_Auto: The user’s authentication factor, and the device that receives the factor, is automatically selected by Duo.

  2. RADIUS_Challenge: The user receives a textual challenge after primary authentication is complete. The user then selects the authentication factor and device that it is received on.

  3. RADIUS_Duo_Only: The RADIUS service does not handle primary authentication, and the user’s passcode or factor choice is used as the RADIUS password.


Authentication factors supported by Duo:



  1. Passcode: A time-based one-time password that is generated by the mobile app.

  2. Push: A challenge is pushed to the user’s mobile device with the Duo mobile app installed. The user approves the access request to continue sign-in.

  3. Phone Call: Users can opt to receive a phone call with their one-time passcode.

  4. SMS: Users can opt to receive a text message with their one-time passcode.



For this setup I will use RADIUS_Challenge.


The RADIUS server configuration for the Horizon Unified Access Gateway is:



[radius_server_challenge]
ikey=random key generated by the Duo Admin Console
skey=random key generated by the Duo Admin Console
api_host=api-xxxx.duosecurity.com [generated by the Duo Admin Console]
failmode=secure
client=ad_client
radius_ip_1=IP Address of UAG / View Connection server
radius_secret_1=SecretPassForDuoUAGorView
port=1812
prompt_format=short



The above configuration is set to fail secure. This means that if the Duo service is not available, users will be unable to log in. The other option that was selected was a short prompt format. This displays a simple text message with the options that are available and prompts the user to select one.
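An added example (not from the original post or from Duo): a small Python check that parses an authproxy.cfg body and flags the settings discussed above before the service is restarted. The sample config, its values, the function name and the 16-character minimum for the shared secret are assumptions constructed for illustration.

```python
import configparser

# Constructed sample: the page's [radius_server_challenge] layout with
# made-up values, failmode left at "safe" and a short shared secret.
SAMPLE_CFG = """
[ad_client]
host=192.0.2.10
service_account_username=svc-duo
service_account_password
search_dn=DC=example,DC=com

[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-secret-key
api_host=api-xxxx.duosecurity.com
failmode=safe
client=ad_client2
radius_ip_1=192.0.2.20
radius_secret_1=duo123
"""

MIN_SECRET_LEN = 16  # assumption: local policy, not a Duo requirement

def audit_authproxy(cfg_text):
    """Return a sorted list of findings for an authproxy.cfg body."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        # A key written without "=" parses as None: the setting is effectively unset.
        for key, val in sec.items():
            if val is None or val.strip() == "":
                findings.append(f"{name}: {key} has no value")
        if not name.startswith("radius_server"):
            continue
        # A missing failmode is treated as "safe", which lets logins through when Duo is unreachable.
        if sec.get("failmode", "safe").lower() != "secure":
            findings.append(f"{name}: failmode is not 'secure'")
        client = sec.get("client")
        if client and not cp.has_section(client):
            findings.append(f"{name}: client '{client}' is not defined")
        for key, val in sec.items():
            if key.startswith("radius_secret") and val and len(val) < MIN_SECRET_LEN:
                findings.append(f"{name}: {key} shorter than {MIN_SECRET_LEN} chars")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_authproxy(SAMPLE_CFG)))
```

An empty result means none of these four checks fired; it does not validate the keys against the Duo Admin Console.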



Save the authproxy.cfg file and restart the Duo Authentication Proxy service for the new settings to take effect.



7. Save the file


8. Restart the Duo Authentication Proxy either via services.msc or using the command below:


net stop DuoAuthProxy & net start DuoAuthProxy



NOTE: If the service fails to start, please refer to





The next step is to configure the Unified Access Gateway to use Radius.



1. Log in to the UAG





2. Click on the configuration section.





3. Under Authentication settings click on Radius




4. Configure Radius Auth




5. Under Edge settings, click on Horizon and then click more and set the “Auth Methods” to Radius





6. Enable the “Match Windows UserName” and “Enable Windows SSO” options






Now we can test the configuration by connecting to the Unified Access Gateway from an external network.



NOTE: If you are prompted to enroll, open the URL shown while logging in for 2FA.



