Take note of the three credentials at the top Integration Key, Secret Key and API Hostname. I also like to change the username normalisation to Simple as it will accept any of the given formats, which is fine by me. Give it a meaningful name as multiple can be used across multiple sites - I’ve named mine MGIO-Lab-RADIUS-Proxy I find it helps to prepend a site name or domain to the start to make it more obvious in future. We’ll start by creating an application, navigate to the Protect an Application page, the number of apps is pretty overwhelming, but we are looking for RADIUS and then hit Protect this Application: You’ll need to sign up ↗ and add your mobile verification method. The beautiful part is it is completely application agnostic, the only requirement from the app is the ability to query a RADIUS or LDAP server. Helpfully, Duo have an auth proxy ↗ that will sit between the firewall and our actual auth source, check the credential against the primary auth source, then send a push to your mobile device before sending the auth approved message back to the firewall - essentially giving you two factor for any device that can use LDAP/RADIUS as a backend auth mechanism, like below: However, there are a lot of services that don’t offer native integration, Fortigate as a case-in-point are a vendor that only allow their own tokens to be used - however you can have your VPN and firewall admin users auth against LDAP/RADIUS. They have an insane number of application integrations ↗ possible natively. I have been using Duo ↗ recently for a lot of my 2FA accounts, mainly because I really like their “push” 2FA service, no need to type in any timed code, just tap approve on your phone/watch/whatever.
(Who wants a hardware token or a paid for token nowadays? no thanks). However, I haven’t protected my publicly accessible firewall with 2FA - mainly because there is no real built in method for using industry standard apps with it. I protect any account I have with two factor auth, at least the ones that support it (this site for example has 2FA for admin logon), it’s not that inconvenient (especially not with Authy/Duo) and greatly increases security of your critical accounts.
0 kommentar(er)
