Cisco DUO for 2FA

VCIT · May 2022

What is the roadmap for this? I would love to see the email and SMS 2FA replaced or have DUO added. There are so many firewalls that use DUO. Can we please implement this. I have over 60 firewalls and deploying more. I would really like this feature. I would even like to use DUO to log onto the firewall would be great.

The current 2fa with the FLEX with firewall reditection and 2fa approval and the EMAIL\SMS I have done all of that. My users do not like it at all. I am having a hell of a time getting them rolled over. Having a simple option to just enable DUO would be great.

Here is who supports DUO for VPN: I would love to see ZYXEL on the list.

Appsian Security Platform

Array SSL VPN

Barracuda SSL VPN

Check Point VPN

Cisco ASA

Cisco ASA SSL VPN

Cisco RADIUS VPN

Citrix Access Gateway

Citrix Gateway (NetScaler)

F5 FirePass SSL VPN

Fortinet FortiGate SSL VPN

Juniper SSL VPN

Meraki

Meraki RADIUS VPN

OpenVPN

OpenVPN Access Server

Palo Alto SSL VPN

SonicWALL SRA SSL VPN

Thanks.

Mario · May 2022

@VCIT

i don't know DUO, but i have already set up several mfa solutions via radius (okta, authpoint).
which protocols are used to set up duo?

zyman2008 · May 2022

VCIT,
Like Mario mention. Zyxel firewall support RADIUS 2FA with many MFA solution.
I did integrated ZyWALL with Duo via RADIUS proxy for SSL VPN/ L2TPoverIPSec VPN in one of my customer. And I just re-test hours ago. It's working as usual.

There no magic to use dozens ago technology. Most of the vendor/product you list is doing the same way.

It's very simple and just follow Duo document to install authentication proxy and configure it.
https://duo.com/docs/radius
For the login password add a comma (",") to the end of your password and append a Duo second factor code.
For example, if the 1st factor password is "mypassword" and Duo 2nd factor code is "123456"
Then type-in the password: "mypassword,123456"

LPAPP · July 16

Hi zyman2008,

Can you show me a small example of what you have to enter in the authproxy.cfg.

I don't know what to enter.

Thanks

https://community.zyxel.com/en/discussion/comment/40214#Comment_40214

zyman2008 · July 17

Hi @LPAPP ,

Topology: ZyWALL → Duo Proxy → RADIUS Server

Here the example.

[radius_client]
host=<IP of your RADIUS server>
secret=xxxxxxxx
port=<RADIUS Auth. port of your RADIUS server. Default is 1812.>
pass_through_all=true

[radius_server_auto]
ikey=********************
skey=****************************************
api_host=api-********.duosecurity.com
radius_ip_1=<ZyWALL IP Address>
radius_secret_1=<secret for ZyWALL>
failmode=safe
client=radius_client
port=<RADIUS Auth. port of Duo Proxy. Default is 1812.>