Netgate Discussion Forum

OpenVPN with active directory authentication and Duo Security

5 Posts 3 Posters 5.6k Views
  • bond_it, last edited Aug 18, 2017, 8:07 PM

    Hi All,

    I was able to set up OpenVPN authentication with Active Directory and it works great.
    I've looked for guides on how to configure multi-factor authentication so users get a phone call or push notification when they try to authenticate with OpenVPN, but so far no luck.
    I've set up the Duo proxy server on a Windows Server 2012 R2 server, created the RADIUS client and generated a key, entered all the details in the Duo config files and restarted the Duo service, but I am still not able to get the prompt.
    It is related to the fact that pfSense is not able to authenticate with the RADIUS server. My question is: is there any way to use AD and Duo with OpenVPN, or does it have to go via RADIUS?
    So far I am not able to authenticate RADIUS with pfSense, but AD works like a charm.

    • Cyber-Wizard, last edited Aug 18, 2017, 10:46 PM

      I set up Duo, OpenVPN/pfSense, and AD for a client recently. It's a little bit fiddly but it works quite well when it's done.

      Duo wants to be the AD client that authenticates on your behalf so it makes requests against your AD environment using the LDAP lookup account that you configure in your Duo config file.

      When the user logs in, pfSense makes an auth request to your Duo proxy server via RADIUS:
      - the Duo proxy authenticates the user's creds against AD
      - the Duo proxy then sends out the push notification to Duo cloud services if the user's AD credentials check out
      - once the user confirms the two-factor notification, the proxy server then tells the OpenVPN server that all is good and the connection process starts.

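The RADIUS leg of the flow described in the reply above (pfSense as the RADIUS client, the Duo proxy as the RADIUS server, primary auth against AD, then the push) can be modelled in a few dozen lines. The block below is an added example written for this thread; it is not code from the thread, from Duo or from Netgate. It implements the RFC 2865 PAP password hiding and the Response Authenticator check with the Python standard library, stands in for AD and the Duo push with two plain callables, and uses constructed sample values for the user, password and shared secrets. It also shows what a shared-secret mismatch between pfSense and the proxy looks like on the wire: the proxy recovers garbage instead of the password, primary auth fails before any push is sent, and the NAS refuses the reply because the authenticator does not verify.

```python
"""Model of the RADIUS exchange between pfSense (the NAS) and the Duo
Authentication Proxy (the RADIUS server). Added example, not code from
the thread, Duo or Netgate; AD and the Duo push are stand-in callables,
and every secret, user name and password here is a constructed sample."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret this yields garbage,
    which is exactly what the proxy sees when pfSense's secret differs."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    """NAS side (pfSense): returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_attrs(data: bytes) -> dict:
    """Walk the Type/Length/Value list into a {type: value} dict."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def proxy_handle_request(packet: bytes, secret: bytes, primary_auth, second_factor) -> bytes:
    """Proxy side: primary auth first (the ad_client lookup), then the second
    factor (the Duo push); only then is an Access-Accept returned."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = primary_auth(user, password) and second_factor(user)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_response(response: bytes, req_auth: bytes, secret: bytes):
    """NAS side: trust the reply only if its Response Authenticator verifies."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return resp_auth == expected, header[0]


def simulate(nas_secret: bytes, proxy_secret: bytes,
             user: bytes = b"alice", password: bytes = b"correct horse"):
    """Run one login. Returns (reply_verified, reply_code, pushes_sent)."""
    directory = {b"alice": b"correct horse"}  # constructed stand-in for AD
    pushes = []                               # constructed stand-in for Duo cloud
    packet, req_auth = build_access_request(7, user, password, nas_secret)
    response = proxy_handle_request(
        packet, proxy_secret,
        primary_auth=lambda u, p: directory.get(u) == p,
        second_factor=lambda u: pushes.append(u) is None)
    verified, code = nas_verify_response(response, req_auth, nas_secret)
    return verified, code, len(pushes)


if __name__ == "__main__":
    print("matching secrets:", simulate(b"s3cret", b"s3cret"))
    print("secret mismatch: ", simulate(b"s3cret", b"typo-secret"))
```

Run it directly to see both cases. The point for the original question is that a RADIUS secret mismatch produces a plain reject with no push at all, which from the OpenVPN client's side is indistinguishable from a wrong password; the proxy's own log is where the two cases look different.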
      • bond_it, last edited Aug 21, 2017, 7:00 PM

        Thank you for the reply.
        Below is my current setup, which I can't seem to make work:

        1. External Duo server (Linux CentOS 7) installed with the Duo proxy server
        2. Below are 2 config options that I tried in the Duo config file:

        config option 1:

        [radius_client]
        host=x.x.x.x > this is the domain controller ip
        secret=xxxxxxxx > secret that is configured in the above domain controller in network policy server: Radius clients

        [radius_server_auto]
        ikey=xxxxxxxxx > Duo integration key
        skey=xxxxxxxx > Duo secret key
        api_host=api-xxxxxx.duosecurity.com > Duo api
        radius_ip_1=x.x.x.x > PFsense ip
        radius_secret_1=xxxxxxx > same key as the key in radius_client secret field
        failmode=safe
        client=radius_client
        port=1812

        ===========================================================================================

        config option 2:

        [ad_client]
        host=x.x.x.x > this is the domain controller ip
        service_account_username=username > a username with full admin rights
        service_account_password=password
        search_dn=DC=x,DC=x

        [radius_server_auto]
        ikey=xxxxxxxxx > Duo integration key
        skey=xxxxxxxx > Duo secret key
        api_host=api-xxxxxx.duosecurity.com > Duo api
        radius_ip_1=x.x.x.x > PFsense ip
        radius_secret_1=xxxxxxx > same key as the key in radius_client secret field
        failmode=safe
        client=radius_client
        port=1812

        ===========================================================================================

        1. The RADIUS server configured in pfSense is the Duo proxy server (is this wrong? When the domain controller is configured, it's authenticating with no issues)

        2. The RADIUS client configured in Windows Server is the Duo proxy server (is this wrong? I tried pfSense as well, and when pfSense is configured it's authenticating with no issues)

        I used the below links to assist with configuration:

        https://duo.com/docs/radius
        https://duo.com/docs/ldap
        https://www.reddit.com/r/PFSENSE/comments/4y81qi/openvpn_and_duo_security_how_to/

        I am able to authenticate pfSense RADIUS with AD and it works, and I can even log in with OpenVPN using this method. The only issue seems to be that requests are not reaching the Duo server. The firewall is turned off on the Duo server and domain controller, and both servers are in the same subnet.

        Please let me know if you need additional details

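The two layouts posted above differ in which client section exists, but both keep client=radius_client; in the second layout that points at a section that is not in the file. The block below is an added example for this thread, not part of the post and not a Duo tool. It reads an authproxy.cfg-style file with configparser and applies two checks that follow from the thread: every key the post uses in a section is present there (the required-key list is an assumption built from the keys in the post, not Duo's full schema), and the [radius_server_auto] client value names a section that is actually defined. The two embedded configs are reconstructions of the posted options with constructed placeholder values (RFC 5737 addresses, placeholder keys).

```python
"""Wiring check for the two authproxy.cfg layouts posted in the thread.
Added example, not a Duo tool. REQUIRED is an assumption derived from the
keys the post uses; OPTION_1 and OPTION_2 are reconstructions of the posted
configs with constructed placeholder values."""
import configparser

# Keys each section is expected to carry, taken from the post above.
REQUIRED = {
    "radius_client": ["host", "secret"],
    "ad_client": ["host", "service_account_username",
                  "service_account_password", "search_dn"],
    "radius_server_auto": ["ikey", "skey", "api_host", "radius_ip_1",
                           "radius_secret_1", "client"],
}

OPTION_1 = """\
[radius_client]
host=192.0.2.10
secret=nps-secret-placeholder

[radius_server_auto]
ikey=DIPLACEHOLDERKEY
skey=SKPLACEHOLDERSECRET
api_host=api-placeholder.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=pfsense-secret-placeholder
failmode=safe
client=radius_client
port=1812
"""

OPTION_2 = """\
[ad_client]
host=192.0.2.10
service_account_username=svc_duo_placeholder
service_account_password=password-placeholder
search_dn=DC=example,DC=test

[radius_server_auto]
ikey=DIPLACEHOLDERKEY
skey=SKPLACEHOLDERSECRET
api_host=api-placeholder.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=pfsense-secret-placeholder
failmode=safe
client=radius_client
port=1812
"""


def check_config(text: str) -> list:
    """Return a list of findings; an empty list means the wiring is consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sections = cp.sections()
    findings = []
    # 1. Each known section carries the keys the post relies on.
    for section in sections:
        for key in REQUIRED.get(section, []):
            if not cp.get(section, key, fallback="").strip():
                findings.append(f"[{section}] is missing '{key}'")
    # 2. The server section must point at a client section that exists.
    if "radius_server_auto" in sections:
        client = cp.get("radius_server_auto", "client", fallback="")
        if client and client not in sections:
            defined = ", ".join(s for s in sections if s.endswith("_client"))
            findings.append(f"[radius_server_auto] client={client} names a section "
                            f"that is not defined (defined: {defined})")
    else:
        findings.append("no [radius_server_auto] section: nothing will listen for pfSense")
    return findings


if __name__ == "__main__":
    for name, text in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(name, "->", check_config(text) or "no findings")
```

The check only covers this file. The other half of the question, which host NPS lists as its RADIUS client, lives on the Windows side: in the option 1 layout the proxy is NPS's RADIUS client and pfSense is the proxy's RADIUS client, so radius_secret_1 and the [radius_client] secret are two separate trust relationships and do not have to be the same value.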
        • bond_it, last edited Aug 24, 2017, 4:27 PM

          This is resolved.
          Not only am I able to authenticate with OpenVPN, RADIUS and Active Directory, I am now also able to have multi-factor authentication on the pfSense web login page, SSH access, our switches and wireless controller.

          Pretty nice :)

          • jamessmith, last edited Sep 4, 2018, 1:44 PM

            On my side, I have the same setup as you explain, but I use RCDevs OpenOTP (an MFA authentication server) instead of Duo Security products. RCDevs provides a custom OpenVPN package which can be installed and configured very quickly. Active Directory and OpenOTP work very well together and are very easy to set up.
            I worked with Duo 2 years ago, but pricing for enterprise companies is more interesting with RCDevs products, and the support/dev teams are great!! I asked for a special feature and they added it in 1 day!!! And for small companies the product is free up to 40 users. Wonderful product and team. I recommend OpenOTP and the RCDevs company...

            James

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.