💡Duo Security Authentication Integration Guide

Zyxel_Avani (Zyxel Employee), edited January 12 in Community Tips & Tricks

🛡️Duo Security and USG FLEX H Integration Overview

This document describes the steps to integrate USG FLEX H series remote access VPN and SecuExtender VPN client authentication with Duo Security’s two-factor authentication solution. This integration uses an existing NPS server installed on a domain controller that also contains the Duo Security Authentication Proxy.

How the USG FLEX H series integration with Duo Security works

  1. A user initiates primary authentication to the USG FLEX H.
  2. The USG FLEX H sends an authentication request to the Duo Security Authentication Proxy.
  3. The Authentication Proxy completes primary authentication using RADIUS.
  4. The Authentication Proxy establishes a secure connection with the Duo Security service.
  5. The Duo Security service completes the secondary authentication.
  6. The Authentication Proxy receives a secondary authentication result from the Duo Security service.
  7. The USG FLEX H grants the user access.

💡Test Topology

The test topology is shown in the diagram of the original post (not reproduced here).

📝Platform and Software

The hardware and software used in this integration include:

  • VPN Firewall: USG FLEX H (uOS 1.36) or USG FLEX (ZLD 5.40)
  • Microsoft AD Domain: Windows Server 2025 Domain Controller with NPS (RADIUS server)
  • Duo Security:
    • Duo Free edition (up to 10 users for free)
    • Duo Authentication Proxy (v6.6.0, installed on-premises)
    • Duo Mobile App
  • VPN Client: SecuExtender IPSec/SSL VPN Client

🛠️Configuration

To complete this integration, you must have:

  • Duo account
  • Duo Security Authentication Proxy
  • RADIUS server (NPS)
  • Active Directory Domain Services with user and group configured
  • USG FLEX H (or USG FLEX) series firewall

Use the Duo account to log in to the Duo Service. The Duo Security Authentication Proxy acts as a bridge. It communicates with the RADIUS server, the Duo Security service in the cloud, the USG FLEX H firewall, and the Duo mobile app. The integration uses the RADIUS server for primary user authentication.

In our configuration, the Duo Security Authentication Proxy and the RADIUS server (Microsoft NPS) are located on the same subnet.

⚙️Configure Microsoft NPS Server

  1. On the Windows server, run Server Manager.
  2. Select Tools > Network Policy Server. The Network Policy Server console opens.
  3. Select RADIUS Clients and Servers > RADIUS Clients.
  4. Right-click RADIUS Clients, then select New. The Duo Proxy Properties dialog box opens.
  5. In the Friendly Name text box, type a name.
  6. In the Address (IP or DNS) text box, type the IP address of the Duo Authentication Proxy. In our example, we use 172.24.28.10.
  7. In the Shared Secret and Confirm Shared Secret text boxes, type a shared secret key. This key is used to communicate with the Duo Authentication Proxy.

Remark: you must use the same shared secret key when you configure the Duo Authentication Proxy for primary authentication (the secret property of its [radius_client] section).

  8. Click OK. The RADIUS Clients section shows the added client.
  9. Select Policies > Connection Request Policies. Make sure the default policy is enabled.
  10. Right-click Network Policies, then select New. The New Network Policy page opens.
  11. In the Policy Name text box, type a name for this policy. In our example, we use IPSecRemoteAccess.
  12. Click Next.
  13. In the Specify Conditions section, click Add.
  14. Select User Groups, then click Add.
  15. Click Add Groups.
  16. In the Enter the Object Name to Select text box, type the group name. This must be the name of the Active Directory group your users belong to.
  17. Click Next.
  18. In the Configure Authentication Methods section, select the Unencrypted Authentication (PAP, SPAP) check box.
  19. Add EAP Types and select Microsoft: Secured password (EAP-MSCHAP v2).
  20. Click Next.
  21. Click Next to proceed.
  22. Click Finish.

⚙️Configure USG FLEX H

To configure the USG FLEX H firewall, you must:

  • Configure RADIUS Authentication
  • Configure Remote Access VPN

👉Configure RADIUS Authentication

To configure RADIUS authentication, log in to the local GUI:

  1. Go to User & Authentication > User Authentication.
  2. In the RADIUS Server table, click Add to set up a RADIUS server.
  3. Configure the RADIUS server using the following values:
    • Name: the server object name, e.g. DuoAuthProxy
    • Server address: the IP address of the Duo Authentication Proxy, e.g. 172.24.28.10
    • Authentication port: the RADIUS service port of the Duo Authentication Proxy, e.g. 1812
    • Key: the RADIUS secret (this must match radius_secret_1 in the proxy's authproxy.cfg)
    • Timeout: 15 seconds is recommended

👉Configure Remote Access VPN with IPSec/IKEv2

To configure Remote Access VPN, log in to the local GUI:

  1. Go to VPN > IPSec VPN > Remote Access VPN. Enable it and select the WAN interface that serves the VPN client’s inbound connection.
  2. Scroll down to the Authentication section. Change the Primary Server to the RADIUS server object (e.g. RADIUS / DuoAuthProxy).
  3. Click Apply.

⚙️Configure Duo

To configure Duo, complete these steps:

  1. Set Up an Application
  2. Configure the Duo Authentication Proxy
  3. Configure the Duo Authentication Proxy to Work with the USG FLEX H
  4. Start the Duo Authentication Proxy
  5. Bind the User with the Duo Mobile Application

👉Set Up an Application

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel, then select Applications.
  3. Click Add application.
  4. In the Application Catalog, search for RADIUS and then click Add.
  5. In Application settings, enter the application name. Set User access to Enable for all users.
  6. Scroll down to view the values for the Integration Key, Secret Key, and API Hostname. Copy these values because you will use them in the Configure the Duo Authentication Proxy section.
  7. Click Save to finish.

⚙️Configure the Duo Authentication Proxy

The Duo Authentication Proxy is the system that validates the user password. In most cases, you must configure the Proxy to communicate with a RADIUS server.

Please refer to the installation guide of Duo Authentication Proxy in the Duo documentation.

To configure the Duo Authentication Proxy:

  1. Open Duo Authentication Proxy Manager.
  2. Configure the authproxy.cfg file. These are the sections of the file:
    1. [radius_client]: to configure the proxy, you must specify the values of these required properties:
      • host: the IP address of your Microsoft NPS server.
      • secret: the shared secret between the Proxy and the RADIUS server, as configured for the RADIUS client in your Microsoft NPS server.

For information about other optional properties, go to Duo Two-Factor Authentication with RADIUS and Primary Authentication in the Duo documentation.

👉Configure the Duo Authentication Proxy to Work with the USG FLEX H

To configure the Duo Authentication Proxy to work with the USG FLEX H, create a [radius_server_auto] section in the authproxy.cfg file.

These are the properties that you must configure in the [radius_server_auto] section of the authproxy.cfg file:

  • ikey: the Integration key, as referenced in the Set Up an Application section of this document.
  • skey: the Secret key, as referenced in the Set Up an Application section of this document.
  • api_host: the API hostname, as referenced in the Set Up an Application section of this document.
  • radius_ip_1: the IP address of the USG FLEX H firewall that connects to the Proxy.
  • radius_secret_1: the RADIUS secret configured in the RADIUS server object of your USG FLEX H firewall.
  • client: set this value to radius_client, so that the Proxy uses RADIUS for primary authentication. Make sure a [radius_client] section is configured, as described in the Configure the Duo Authentication Proxy section of this document.
  • port: the RADIUS service port of this Duo Authentication Proxy (the Authentication port configured in the firewall's RADIUS server object).

For information about optional properties, go to Duo Two-Factor Authentication with RADIUS and Primary Authentication in the Duo documentation.

The original post shows an example of a complete configuration file as a screenshot (not reproduced here).
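
As an added example (written for this page, not code from Duo or Zyxel), the block below embeds a constructed authproxy.cfg assembled from the property lists above, with placeholder ikey, skey, api_host and NPS/firewall addresses, and a small check that every required property is present, that client is radius_client with a matching [radius_client] section, and that port is a valid UDP port.

```python
import configparser

# Constructed authproxy.cfg following the two property lists in this guide.
# ikey, skey, api_host and the NPS/firewall addresses are placeholders;
# 1812 is the proxy RADIUS port used in the guide.
EXAMPLE_CFG = """
[radius_client]
host=NPS_SERVER_IP
secret=SHARED_SECRET_FROM_NPS_RADIUS_CLIENT

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SECRET_KEY_FROM_DUO_ADMIN_PANEL
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=USG_FLEX_H_IP
radius_secret_1=KEY_FROM_FIREWALL_RADIUS_SERVER_OBJECT
client=radius_client
port=1812
"""

# Properties the guide lists as required for each section.
REQUIRED = {
    "radius_client": ("host", "secret"),
    "radius_server_auto": ("ikey", "skey", "api_host", "radius_ip_1",
                           "radius_secret_1", "client", "port"),
}

def check_authproxy_cfg(text):
    """Return the list of problems found; an empty list means every required
    property is present and the sections are consistent with each other."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            problems.append("missing section [%s]" % section)
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append("[%s] %s is missing or empty" % (section, key))
    if cfg.has_section("radius_server_auto"):
        srv = cfg["radius_server_auto"]
        # Primary authentication must go to NPS, so client has to name [radius_client].
        if srv.get("client") != "radius_client":
            problems.append("[radius_server_auto] client must be radius_client")
        port = srv.get("port", "1812")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("[radius_server_auto] port is not a valid UDP port")
    return problems
```

Feed the function the text of your own authproxy.cfg before restarting the proxy; the port it reports must be the Authentication port configured in the firewall's RADIUS server object.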

👉Start the Duo Authentication Proxy

After you finish the configuration, restart the Duo Authentication Proxy service so that the changes take effect.

👉Bind the User with the Duo Mobile Application

After users have been synced from Active Directory into Duo, bind each user to their mobile phone.

For detailed instructions about how to bind the user with your mobile phone, go to Activating Duo Mobile in the Duo documentation.

💡Test the Integration

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

  1. Open the Zyxel SecuExtender VPN client application.
  2. Go to Configuration, and select “Get from Server”.
  3. Enter the IP or FQDN of the VPN server (i.e. your USG FLEX H firewall) and the VPN username and password. The VPN profile is then downloaded to the client automatically.
  4. The new profile appears in the list. Double-click the new profile, then enter your VPN username and password.
  5. Approve the Duo push authentication request on your mobile phone.
  6. You are logged in successfully.
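
To exercise the RADIUS path without the SecuExtender client, the following added example (test code written for this page, not Zyxel's or Duo's) builds an RFC 2865 PAP Access-Request with the password hidden under the shared secret, sends it to a RADIUS server, and verifies the Response Authenticator of the reply before trusting it. It assumes the host it runs on is an address the target accepts as a RADIUS client (the radius_ip_1 address for the proxy, or a registered RADIUS client for NPS), and that server, secret and credentials are supplied by the caller.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes, RFC 2865

def hide_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(username, password, secret, ident, authenticator):
    """Access-Request carrying User-Name (1) and a PAP User-Password (2), as the NPS policy above expects."""
    user = username.encode()
    hidden = hide_pap_password(password.encode(), secret, authenticator)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(resp_prefix, attrs, req_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(resp_prefix + req_authenticator + attrs + secret).digest()

def response_is_authentic(resp, secret, req_authenticator):
    """Discard any reply whose Response Authenticator was not computed with the shared secret."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    return resp[4:20] == response_authenticator(resp[:4], resp[20:], req_authenticator, secret)

def probe(server, secret, username, password, port=1812, timeout=15.0):
    """Send one request and wait up to `timeout` s, long enough for the user to approve the Duo push."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(username, password, secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if resp[1] != ident or not response_is_authentic(resp, secret, authenticator):
        return "unauthentic"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "other")
```

Aimed at the proxy, `probe(...)` returns "accept" only after the push is approved within the 15 s window; aimed at NPS with the NPS shared secret it checks primary authentication alone.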

💭 Already using the USG FLEX H Series?

We invite you to explore this Duo Security integration for remote access VPN.
Let us know how it works in your environment and what additional authentication features you would like to see in future releases.