VPN with DUO MFA and Active Directory Auth
Create New Application: Duo Meraki RADIUS VPN
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate Meraki RADIUS VPN in the applications list.
Click Protect to get your integration key, secret key, and API hostname. You’ll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Switch Username normalization to Simple mode and press the Save button.
Install Duo Radius Proxy Service
To integrate Duo with your Meraki MX, you will need to install a local Duo proxy service on a machine within your network. This Duo proxy server will receive incoming RADIUS requests from your Meraki MX, contact your existing local LDAP/AD or RADIUS server to perform primary authentication, and then contact Duo’s cloud service for secondary authentication.
Locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports these operating systems:
- Windows Server 2012 or later (Server 2016+ recommended)
- CentOS 7 or later (CentOS 8+ recommended)
- Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
- Ubuntu 16.04 or later (Ubuntu 18.04+ recommended)
- Debian 7 or later (Debian 9+ recommended)
In our example, we will install it on a Windows domain controller.
The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).
- Create an admin account in AD on the DC, in the Enterprise Admins group, for example: merakiuser.
- Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe. Note that the actual filename will reflect the version e.g. duoauthproxy-5.6.1.exe.
- When installing, you can choose whether to install the Proxy Manager. The Proxy Manager is a Windows utility that helps you edit the Duo Authentication Proxy configuration, determine the proxy’s status, and start or stop the proxy service. Learn more about using the Proxy Manager. Installing the Proxy Manager adds about 100 MB to the installed size.
- After installation, run Proxy Manager for the next configuration step.
- Edit authproxy.cfg as in the example below, in the left pane of the Proxy Manager window.
- Press Validate, and if validation passes, press the Save button.
- To apply the configuration, also press Restart services.
```
[ad_client]
; Domain controller address
host=127.0.0.1
; Domain admin user
service_account_username=merakiuser
; Domain admin password
service_account_password=*********
; Search DN path
search_dn=DC=consto,DC=local
; Security group that manages access to the VPN
security_group_dn=CN=VPNAccessOR,OU=Security Groups,OU=MyBusiness,DC=****,DC=***

[radius_server_auto]
; Integration key from the Duo Admin Panel application (see above)
ikey=DIWW*********
; Secret key from the Duo Admin Panel application (see above)
skey=brPMb***********
; API hostname from the Duo Admin Panel application (see above)
api_host=api-*******.duosecurity.com
; IP address of the Meraki MX router that the authentication requests come from
radius_ip_1=192.168.1.1
; RADIUS secret: generate any secret key; the same value is used on the MX VPN
radius_secret_1=cisco
failmode=safe
client=ad_client
; Bind port; the same value is used on the MX VPN
port=1815
```
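A pre-deployment check for an authproxy.cfg of the shape shown above, as an added example that is not part of the original page or of Duo's tooling. It flags trailing comments on value lines, the fail-open `failmode=safe` setting, and a short or guessable RADIUS shared secret. The function name `audit_authproxy`, the weak-secret list and the 16-character minimum are assumptions, and the sample config is constructed with placeholder values.

```python
import configparser
import re

# Constructed sample in the layout of the page's authproxy.cfg; values are placeholders.
SAMPLE_CFG = """\
[ad_client]
host=127.0.0.1 #Domain Controller Address
service_account_username=merakiuser
service_account_password=PLACEHOLDER-PASSWORD
search_dn=DC=example,DC=local

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER-SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.168.1.1
radius_secret_1=cisco
failmode=safe
client=ad_client
port=1815
"""

# Assumption: a small illustrative list of guessable secrets, not an exhaustive one.
WEAK_SECRETS = {"cisco", "meraki", "radius", "secret", "password", "duo"}
MIN_SECRET_LEN = 16  # assumed local policy, not a Duo or Meraki requirement


def audit_authproxy(cfg_text):
    """Return (section, key, finding) tuples for risky settings in the config text."""
    # Inline comments are deliberately kept in the value so they can be reported.
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=None)
    cp.read_string(cfg_text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if re.search(r"\s[#;]", value):
                findings.append((section, key, "trailing comment may be read as part of the value"))
            if key == "failmode" and value.strip().lower() == "safe":
                findings.append((section, key, "fail-open: primary auth alone passes if Duo is unreachable"))
            if re.fullmatch(r"radius_secret_\d+", key):
                if value.lower() in WEAK_SECRETS or len(value) < MIN_SECRET_LEN:
                    findings.append((section, key, "shared secret is short or guessable"))
    return findings


if __name__ == "__main__":
    for section, key, finding in audit_authproxy(SAMPLE_CFG):
        print(f"[{section}] {key}: {finding}")
```

Setting `failmode=secure` rejects logins when Duo's service cannot be contacted, which clears the fail-open finding at the cost of VPN availability during a Duo outage.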
Create VPN on Meraki MX
- Navigate to Security & SD-WAN then to Client VPN.
- Click the drop down for Authentication and select RADIUS as your option.
- Click Add a RADIUS server and fill out the form with the following information:
|Field|Value|
|---|---|
|Host|The hostname or IP address of your Duo Authentication Proxy|
|Port|1815 (or whichever port is specified in your authproxy.cfg file)|
|Server Secret Key|Shared secret used in the Authentication Proxy configuration|