Cisco DUO for 2FA

VCIT
VCIT Posts: 9  Freshman Member
What is the roadmap for this?  I would love to see the email and SMS 2FA replaced or have DUO added. There are so many firewalls that use DUO.  Can we please implement this?  I have over 60 firewalls and am deploying more. I would really like this feature.  Even being able to use DUO to log onto the firewall would be great.

The current 2FA with the FLEX, with firewall redirection and 2FA approval, and the email/SMS: I have done all of that. My users do not like it at all.  I am having a hell of a time getting them rolled over.  Having a simple option to just enable DUO would be great.

Here is who supports DUO for VPN: I would love to see ZYXEL on the list.

Appsian Security Platform

Array SSL VPN

Barracuda SSL VPN

Check Point VPN

Cisco ASA

Cisco ASA SSL VPN

Cisco RADIUS VPN

Citrix Access Gateway

Citrix Gateway (NetScaler)

F5 FirePass SSL VPN

Fortinet FortiGate SSL VPN

Juniper SSL VPN

Meraki

Meraki RADIUS VPN

OpenVPN

OpenVPN Access Server

Palo Alto SSL VPN

SonicWALL SRA SSL VPN


Thanks.

All Replies

  • Mario
    Mario Posts: 106  Ally Member
    I don't know DUO, but I have already set up several MFA solutions via RADIUS (Okta, AuthPoint).
    Which protocols are used to set up DUO?

  • zyman2008
    zyman2008 Posts: 223  Master Member
    edited May 2022
    VCIT,
    Like Mario mentioned, Zyxel firewalls support RADIUS 2FA with many MFA solutions.
    I integrated ZyWALL with Duo via a RADIUS proxy for SSL VPN / L2TP over IPSec VPN for one of my customers, and I just re-tested it hours ago. It's working as usual.

    There is no magic in using technology from dozens of years ago. Most of the vendors/products you list do it the same way.

    It's very simple: just follow the Duo documentation to install the Authentication Proxy and configure it.
    https://duo.com/docs/radius
    For the login password, add a comma (",") to the end of your password and append a Duo second factor code.
    For example, if the 1st factor password is "mypassword" and the Duo 2nd factor code is "123456",
    then type in the password: "mypassword,123456"

  • LPAPP
    LPAPP Posts: 1

    Hi zyman2008,

    Can you show me a small example of what you have to enter in the authproxy.cfg?

    I don't know what to enter.

    Thanks

  • zyman2008
    zyman2008 Posts: 223  Master Member
    edited July 17

    Hi @LPAPP ,

    Topology: ZyWALL → Duo Proxy → RADIUS Server

    Here is the example.

    [radius_client]
    host=<IP of your RADIUS server>
    secret=xxxxxxxx
    port=<RADIUS Auth. port of your RADIUS server. Default is 1812.>
    pass_through_all=true

    [radius_server_auto]
    ikey=********************
    skey=****************************************
    api_host=api-********.duosecurity.com
    radius_ip_1=<ZyWALL IP Address>
    radius_secret_1=<secret for ZyWALL>
    failmode=safe
    client=radius_client
    port=<RADIUS Auth. port of Duo Proxy. Default is 1812.>
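
A small linter for a proxy configuration shaped like the one posted above, as an added example that is not from the thread or from Duo. It assumes the file parses as INI and uses a hypothetical 16-character minimum for RADIUS shared secrets; `lint_authproxy`, `SAMPLE_CFG` and the finding labels are names made up here.

```python
import configparser

# Constructed sample in the shape of the authproxy.cfg above; every value is a placeholder.
SAMPLE_CFG = """\
[radius_client]
host=192.0.2.10
secret=short
pass_through_all=true

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-not-a-real-key
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=a-long-random-shared-secret
radius_ip_2=192.0.2.2
failmode=safe
client=radius_client
"""

MIN_SECRET_LEN = 16  # assumed local policy, not a Duo requirement


def lint_authproxy(text):
    """Return (section, issue) tuples for risky or inconsistent settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        if name == "radius_client" and len(sec.get("secret", "")) < MIN_SECRET_LEN:
            findings.append((name, "weak-secret:secret"))
        if not name.startswith("radius_server_"):
            continue
        # failmode=safe (also the default) admits users on the primary
        # password alone whenever the proxy cannot reach Duo's service.
        if sec.get("failmode", "safe").strip().lower() != "secure":
            findings.append((name, "fail-open"))
        # client= must name a section that exists in this file.
        client = sec.get("client", "").strip()
        if not cfg.has_section(client):
            findings.append((name, "missing-client-section"))
        # Every radius_ip_N needs its own radius_secret_N of adequate length.
        for key in [k for k in sec if k.startswith("radius_ip_")]:
            secret_key = "radius_secret_" + key[len("radius_ip_"):]
            if secret_key not in sec:
                findings.append((name, "missing:" + secret_key))
            elif len(sec[secret_key]) < MIN_SECRET_LEN:
                findings.append((name, "weak-secret:" + secret_key))
    return findings
```

Whether `failmode=safe` is acceptable is a policy decision: it keeps VPN logins working during a Duo outage at the cost of dropping to single-factor for that period.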
