Summary

  Subject:

Duo Security (Multi-Factor Authentication)

  Updated:

2023-01-08

  Author:

Tim Hammond ([email protected])

Derek Pasnick ([email protected])

Leland Petitjean ([email protected])

  Operating Systems:

Rocky 8

  Background:

This guide was written to set up a Duo server to authenticate VPN users in the following chain: VPN > Duo > Active Directory.

VM Config

VM Specifications:

  • CPU: 1vCPU (2 cores)
  • RAM: 2 GB
  • HD: 100 GB

Change the hostname:

sudo hostnamectl set-hostname duo01.domain.local

Update the IP:

sudo sed -i 's/192.168.30.199/192.168.30.117/g' /etc/sysconfig/network-scripts/ifcfg-ens192
sudo cat /etc/sysconfig/network-scripts/ifcfg-ens192

Prep work - Duo Admin Panel - RADIUS App

Follow these steps to set up Duo:

  1. Log into the Duo Admin Panel: https://admin.duosecurity.com/
  2. Go to Applications.
  3. Click the Protect an Application button.
  4. Search for RADIUS and choose Protect this Application.

Use the following name for the application:

opnSense_-_OpenVPN_-_duo01

For username normalization, select:

simple

For Voice greeting, use:

Welcome to Hammond Enterprise! This is a restricted system, accessible only to authorized users. If you are not authorized to access this system, or if you are not sure, TERMINATE ACCESS NOW!!! By continuing, you hereby acknowledge that you are an authorized user and that you will adhere to the change management and usage guidelines for this device. All login attempts will be logged and violators of this policy will be prosecuted, if applicable. YOU HAVE BEEN WARNED!

Install

Install Pre-Req

"selinux-policy-devel" is not in the official doc, but ./install reports SELinux errors if it is missing. Reference:
https://help.duo.com/s/article/6329?language=en_US

sudo dnf -y install gcc make libffi-devel perl zlib-devel diffutils selinux-policy-devel

Download the bits

sudo wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz

Run the setup

tar xzf duoauthproxy-latest-src.tgz
cd ~/duoauthproxy-5*
sudo make
cd ~/duoauthproxy-5*/duoauthproxy-build
sudo ./install

In what directory do you wish to install the Duo Authentication Proxy? [/opt/duoauthproxy]

<Enter>

Enter the name of a user account under which the Authentication Proxy should be run. We recommend a non-privileged and locked down account. Or you can press <Enter> and our default locked down user will be created for you: [duo_authproxy_svc]

<Enter>

Enter the name of a group under which the Authentication Proxy logs will be readable. Or press <Enter> and a default group will be created for you: [duo_authproxy_grp]

<Enter>

Create an initialization script to run the proxy upon startup? [Yes/no]

<Yes>

SELinux is turned on by default. The pre-req installs include the "selinux-policy-devel" package, which fulfills the SELinux requirements of the Duo "./install" script. The following is the expected output from the script.

Attempting to install optional SELinux module
Successfully installed SELinux module
Installation completed.

Cert Install

By this point, the duo01 VM should have already been joined to the Windows domain.

If you have an intermediate CA in your certificate issuer's chain, export all the certs (such as the root CA and the intermediate CA) in the certification path as CRT files and then combine them into one file using a text editor.

Pay attention to Windows (CRLF) vs Unix (LF) line endings in the combined file.

In order to use LDAPS with Duo, the cert chain needs to be copied into a specific path.

Source: certificates\ca_chain_-_linux_-_crt\chain-both.crt
Destination: /tmp/chain-both.crt

Rename the file.

sudo mv /tmp/chain-both.crt /tmp/domain_chain.pem

Set the permissions.

sudo chmod 644 /tmp/domain_chain.pem
sudo chown root:root /tmp/domain_chain.pem

Move the file to its proper home.

sudo mv /tmp/domain_chain.pem /opt/duoauthproxy/conf/domain_chain.pem
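The chain-building step above is easy to get wrong when the CA files come from a Windows export. The following script is an added example, not part of the original guide or of Duo's tooling: it concatenates the exported CA files into the single PEM bundle that ssl_ca_certs_file expects, strips CRLF line endings, and counts the certificate blocks so you can confirm both the root and the intermediate made it in. The two input files are constructed dummies (PEM markers only) written by the script itself so it runs offline; in real use you would pass the exported .crt files instead.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Duo's tooling: build the
# single PEM chain file that ssl_ca_certs_file expects from the CA files
# exported on Windows, stripping the CRLF line endings those exports carry.
# The two input files are constructed dummies written below so the script runs
# offline; in real use pass the exported root and intermediate CA .crt files.

# build_chain OUT IN... : strip the CR from each line of every input and append it to OUT
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        # awk re-emits every record with a plain \n, so an input that lacks a
        # trailing newline cannot run its END marker into the next BEGIN marker
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
    done
}

# count_certs FILE : number of certificate blocks in the bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cr_lines FILE : number of lines still containing a carriage return (should be 0)
cr_lines() {
    grep -c "$(printf '\r')" "$1" || true
}

# show_chain FILE : subject and issuer of every certificate in the bundle.
# Needs openssl and real certificates, so it is not run on the dummy data below.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

WORK=$(mktemp -d)
# constructed dummy "certificates": only the PEM markers and line endings matter here
printf '%s\r\n%s\r\n%s\r\n' '-----BEGIN CERTIFICATE-----' 'ROOTCADATA' '-----END CERTIFICATE-----' \
    > "$WORK/root-ca.crt"
# the second file deliberately has no trailing newline, as some exports do
printf '%s\r\n%s\r\n%s' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATECADATA' '-----END CERTIFICATE-----' \
    > "$WORK/intermediate-ca.crt"

CHAIN=$WORK/domain_chain.pem
build_chain "$CHAIN" "$WORK/root-ca.crt" "$WORK/intermediate-ca.crt"
echo "certificates in chain: $(count_certs "$CHAIN")"     # 2
echo "lines still containing CR: $(cr_lines "$CHAIN")"    # 0
```

On a real chain, run show_chain on the finished file before copying it into /opt/duoauthproxy/conf; every certificate in the DC's certification path should be listed, and a stray CR in the file is the usual reason the proxy refuses to parse the bundle.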

Config Notes - Firewall

Add local firewall rules. The last command lists the ports the radius service opens:

sudo firewall-cmd --permanent --add-service=radius
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Network firewall rules.

The Duo Authentication Proxy sends outgoing traffic to the Duo cloud service (API endpoint) from a random source port (e.g. 52157) via the firewall's outbound TCP port 443. This random source port is referred to as an ephemeral or dynamic port.

The Duo cloud service then responds from its own TCP port 443 back to the firewall. If the firewall is stateful, it will know that the Duo Authentication Proxy server is expecting a response back on that same ephemeral port and will forward the traffic accordingly. After the connection is terminated, the ephemeral port is freed up, and the next connection might use a different ephemeral port.

Usage of an ephemeral port is standard behavior for TCP connections and is not unique to the Duo Authentication Proxy. There is no need to open any specific inbound port for the Duo Authentication Proxy to receive responses.

Configure DUO

Make a backup of the current config file (if it exists).

sudo cp /opt/duoauthproxy/conf/authproxy.cfg /opt/duoauthproxy/conf/authproxy.cfg.bak

Clear the contents of the existing config file.

sudo su -c "cat /dev/null > /opt/duoauthproxy/conf/authproxy.cfg"

The following items can be obtained from the details page for the app in the Duo Admin Panel.

  • ikey - Duo integration key
  • skey - Duo secret key
  • api_host - Duo API hostname

sudo tee -a /opt/duoauthproxy/conf/authproxy.cfg >/dev/null <<EOF
;****************************************************************************************
; Complete documentation about the Duo Auth Proxy can be found here:
; https://duo.com/docs/authproxy_reference
;
; NOTE: After any changes are made to this file the Duo Authentication Proxy
; must be restarted for those changes to take effect.
;
; MAIN: Include this section to specify global configuration options.
; Reference: https://duo.com/docs/authproxy_reference#main-section
;****************************************************************************************
[main]
; The IP address of the interface which Duo Authentication Proxy binds to on startup.
; This would be the IP address of the Duo Auth Proxy.
interface=192.168.30.117

;****************************************************************************************
; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])
;****************************************************************************************
[ad_client]
; Provide the IP address of the AD servers.
; If more than one is needed, follow the host_X convention.
host=ad01.domain.local
host_2=ad02.domain.local
; This is an AD service account used to query user accounts.
; Domain user group membership is sufficient.
service_account_username=svc-Duo
; Provide the password for the AD service account.
service_account_password=keePass
; The LDAP distinguished name (DN) of an Active Directory container or organizational
; unit (OU) containing all of the users you wish to permit to log in.
search_dn=DC=domain,DC=com
; To further restrict access, specify the LDAP DN of a security group that contains the
; users who should be able to log in as direct group members. Nested groups are not
; supported. Users who are not direct members of the specified group will not pass
; primary authentication.
security_group_dn=CN=ac-VPN,OU=Access Control,OU=Domain Groups,DC=domain,DC=com
; This option can be used to enable SSL/TLS communication with your Active Directory
; server. "ldaps" will wrap the entire LDAP connection in SSL. Unless you specify a
; custom port, this will cause the proxy to contact your Active Directory server on port
; 636 rather than 389. "ssl_ca_certs_file" must be specified if "ldaps" is used.
transport=ldaps
; Path to a file containing the CA certificate(s) to be used to validate SSL/TLS
; connections to your Active Directory server. If you enable SSL/TLS connections to your
; Active Directory or LDAP server, you should specify a value for this option.
;
; In order to secure LDAP connections to your directory server using LDAPS or STARTTLS
; protocols, you'll need the PEM formatted certificate of the certificate authority (CA)
; that issued your AD domain controller's or LDAP directory server's SSL certificate.
;
; To obtain the PEM formatted version of an AD domain controller certificate's issuing CA
; certificate, view the "Certification Path" tab of the DC's certificate properties and
; double-click the issuing certificate to view it.
;
; Export the issuing CA certificate as a Base-64 encoded X.509 (CER) format.
;
; If you have intermediate CAs in your certificate issuer chain, export all the certs
; (such as the root CA and the intermediate CA) in the certification path as CER files
; and then combine them into one file using a text editor.
;
; If you use a self-signed certificate to secure LDAPS communications to your directory
; server, the certificate's key usage should include "Certificate Signing".
ssl_ca_certs_file=domain_chain.pem
; If set to "true", then when establishing an SSL/TLS connection to the directory server,
; the proxy will ensure that the common name in the server-provided certificate matches
; the value specified in the host option.
;
; If your directory server uses a certificate with a mismatched common name, or you
; specified the host as an IP address, set this option to "false". However, this will
; somewhat reduce the security guarantees otherwise provided by the use of TLS/SSL.
ssl_verify_hostname=true

;****************************************************************************************
; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)
;****************************************************************************************
[radius_server_auto]
; The Duo integration key is located in the Duo Admin Panel.
ikey=
; The Duo secret key is located in the Duo Admin Panel.
skey=
; The Duo API hostname is located in the Duo Admin Panel.
api_host=
; This is the opnSense server IP
radius_ip_1=192.168.10.1
; This must be the same pwd as opnSense OpenVPN server config.
radius_secret_1=keePass
; Provide the mechanism that the Authentication Proxy should use to perform auth.
client=ad_client
; This is the port to listen from the opnSense.
port=1812
; Either safe or secure:
;
; safe - In the event that Duo's service cannot be contacted, users' authentication
; attempts will be permitted if primary authentication succeeds.
;
; secure - In the event that Duo's service cannot be contacted, all users' authentication
; attempts will be rejected.
failmode=secure
EOF
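The config above carries three settings that decide how much the deployment is worth (failmode=secure, transport=ldaps, ssl_verify_hostname=true) plus several secrets that must be filled in and kept out of other users' reach. The following script is an added check, not part of the original guide or of Duo's own tooling: it reads an authproxy.cfg and prints one FAIL line for each of those settings that is empty, weakened, or left at a value that would silently drop MFA during a Duo outage, and it flags the file if it is world-readable. The two config files it writes are constructed samples (placeholder keys, no real secrets) so it runs offline; in real use point it at /opt/duoauthproxy/conf/authproxy.cfg before running authproxyctl restart.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Duo's tooling: sanity-check
# the security-relevant keys in an authproxy.cfg before (re)starting the proxy.
# The two config files written below are constructed samples so the script runs
# offline; real use: check_authproxy_cfg /opt/duoauthproxy/conf/authproxy.cfg

# cfg_get FILE KEY : value of the first non-comment "KEY=value" line (';' starts a comment)
cfg_get() {
    awk -F= -v k="$2" '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# check_authproxy_cfg FILE : print one FAIL line per finding, return the count (0 = clean)
check_authproxy_cfg() {
    cfg=$1; n=0
    # these come from the Duo Admin Panel / the opnSense RADIUS config and must not be blank
    for key in ikey skey api_host radius_secret_1; do
        [ -n "$(cfg_get "$cfg" "$key")" ] || { echo "FAIL: $key is empty"; n=$((n + 1)); }
    done
    # failmode=safe lets primary (AD) auth alone through whenever Duo is unreachable
    [ "$(cfg_get "$cfg" failmode)" = "secure" ] \
        || { echo "FAIL: failmode is not 'secure' (a Duo outage would bypass the second factor)"; n=$((n + 1)); }
    # without TLS the AD service-account bind and user passwords cross the network in clear text
    case $(cfg_get "$cfg" transport) in
        ldaps|starttls) ;;
        *) echo "FAIL: transport is not ldaps/starttls (LDAP bind is unencrypted)"; n=$((n + 1)) ;;
    esac
    # hostname verification ties the DC certificate to the host= value
    [ "$(cfg_get "$cfg" ssl_verify_hostname)" = "true" ] \
        || { echo "FAIL: ssl_verify_hostname is not 'true'"; n=$((n + 1)); }
    # the file holds skey, the AD service password and the RADIUS shared secret
    [ -z "$(find "$cfg" -perm -004)" ] \
        || { echo "FAIL: $cfg is world-readable"; n=$((n + 1)); }
    return "$n"
}

WORK=$(mktemp -d)
GOOD_CFG=$WORK/good.cfg
BAD_CFG=$WORK/bad.cfg

# constructed sample: the settings this guide recommends, placeholder secrets
cat > "$GOOD_CFG" <<'EOF'
[main]
interface=192.168.30.117
[ad_client]
host=ad01.domain.local
transport=ldaps
ssl_ca_certs_file=domain_chain.pem
ssl_verify_hostname=true
[radius_server_auto]
ikey=placeholder-ikey
skey=placeholder-skey
api_host=api-xxxxxxxx.duosecurity.com
radius_secret_1=placeholder-radius-secret
client=ad_client
port=1812
failmode=secure
EOF
chmod 600 "$GOOD_CFG"

# constructed sample: the same file with the common mistakes left in
cat > "$BAD_CFG" <<'EOF'
[ad_client]
host=ad01.domain.local
transport=clear
ssl_verify_hostname=false
[radius_server_auto]
ikey=placeholder-ikey
skey=
api_host=api-xxxxxxxx.duosecurity.com
radius_secret_1=placeholder-radius-secret
client=ad_client
failmode=safe
EOF
chmod 644 "$BAD_CFG"

echo "== $GOOD_CFG"; check_authproxy_cfg "$GOOD_CFG" || echo "findings: $?"   # no FAIL lines
echo "== $BAD_CFG";  check_authproxy_cfg "$BAD_CFG"  || echo "findings: $?"   # 5 FAIL lines
```

The return value is the number of findings, so the check drops straight into a restart wrapper: run authproxyctl restart only when check_authproxy_cfg returns 0.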

Config Notes - Service

For Linux-based Authentication Proxy servers, say yes to the prompt during installation that asks if you want an init script created. Then, when you start the Auth Proxy, use a command such as sudo service duoauthproxy start (note that the command for the init script may differ depending on what system you are on).

The install script sets the "duoauthproxy" service to enabled so that it runs at startup. The documented and preferred way to control it is authproxyctl, shown below; these commands also validate the config file and print its debug output.

sudo /opt/duoauthproxy/bin/authproxyctl start
sudo /opt/duoauthproxy/bin/authproxyctl status
sudo /opt/duoauthproxy/bin/authproxyctl restart

Final Touches

Clean various goodies and bash histories.

unset HISTFILE
sudo rm -f /root/.bash_history
sudo rm -f /home/localadmin/.bash_history
sudo rm -f /home/se.tbh/.bash_history
history -c

Probably best to reboot, you gopher you.

sudo reboot

Troubleshooting

To watch the login process, run:

sudo tail -f /opt/duoauthproxy/log/authproxy.log

References

How to connect pfSense OpenVPN to Duo.

This guide will walk you through the cert setup, LDAP, and VPN Client.

pfSense OpenVPN walkthrough

Duo Setup walk through

Duo Auth Proxy Installation and Config Best Practices

Duo application setup - RADIUS