Duo MFA and SSL VPN with SonicWALL TZ/NSA firewalls?

Can anyone confirm if they have this setup working? The only setup directions I’ve seen are for SonicWall SMA, and I have heard mixed things on whether it is possible to get SSL VPN with a TZ/NSA firewall and Duo. Thanks!

Hint, use NPS/RADIUS.

Duo doesn’t have a cloud LDAP/RADIUS server like OneLogin, so we have to use the Proxy service to add Duo to our on-prem RADIUS.

Duo has a RADIUS app that you install on one of your servers. I don’t remember what it’s called, though.

With this setup you lose a lot of juicy details, like the device using the SSL VPN, accessing IP address, etc.

Also, buyer beware with the SonicWall mobile app, Duo, and iOS on the same device. When you attempt to log in, you get the Duo push notification just fine, but when you go back to the SonicWall app to complete the connection, it fails every time. SonicWall support listed this as a known issue that they were “working” with Apple on.

It works, but you do have to run the Duo proxy service against AD/RADIUS. Running it on TZs and NSAs. Works on SSL VPN and IPsec using the Global VPN Client.

I just configured this exact setup for one of my clients.

Works well with GVC and SSL VPN.

Rather simple to set up: protect with the RADIUS application. I configured the proxy auth file with the RADIUS/Duo configuration and then configured the SonicWall RADIUS configuration under User -> Settings.

Does anyone have the actual steps for this? I don’t have an internal RADIUS server; I am trying to set this up using the JumpCloud-provided RADIUS service and Duo as the MFA provider.

https://help.duo.com/s/article/2137?language=en_US this works; however, it doesn’t allow users to change their password once it has expired. It will prompt for a password change but will not allow it.

I know this is an old post, but I am researching Duo and SonicWall NSA. Do your SSL VPN users on the NSA get the Duo Push, or do they have to enter a passcode? We seem to be stuck with only the passcode option.

Do you have it working with NetExtender?

They get the Duo push. As much as I dislike it... I didn’t think entering a passcode in this situation was doable. I don’t trust my users to push stuff. They get enough alerts; they’ll okay it just to make it go away. For example, all my O365 users are stuck entering the code. Don’t allow a push from Authenticator.

I have this working for me.

My only gripe is that when you connect to the VPN the NetExtender client says “verifying user”; at this point you need to check your mobile device for the Duo push.

It would be nice if the RADIUS server on the firewall actually prompted the user to check their device.

I’m with you on the risks of using Push. Still curious about what we are missing. Do your SSL VPN users visit the “Virtual Office” to log in, or use a VPN client like SonicWall Mobile?

Mine just says “incorrect username or password” right away in NetExtender. Using the test function on the firewall with the RADIUS config works fine. Very frustrating.

We’re using NetExtender and the Global VPN Client.

Go to the RADIUS server and test with password authentication. You can also check whether the RADIUS server is reachable.

You may not have something configured properly.

Check your Duo config file for typos, such as “service_account_password” instead of “service_account_password_protected” - I made this mistake.

How did you get it to work with NetExtender? Running the test in the RADIUS configuration on the firewall works, but when I implement it I just get “incorrect username or password” in NetExtender. Do I need to add the Iframe section in the proxy server settings? I just don’t know what I would put for type; Duo documentation only lists sonicwall_sra as a type for SonicWall.

Are you on NSA or TZ?

The only sections I have set up in the Duo config are [ad_client] pointing to the DCs, [radius_server_auto] pointing to the SonicWall, and [cloud] pointing to Duo.
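For anyone assembling this from the thread, here is a worked authproxy.cfg that matches the layout described above (Duo Authentication Proxy doing primary authentication against AD, then handing the SonicWall's RADIUS request off to Duo for the push), with the alternative that the JumpCloud/NPS replies asked about (an existing RADIUS server as the primary authenticator) shown as a commented-out block. This is an added example, not configuration posted in the thread or published by Duo or SonicWall; every host, DN, IP, key and secret below is a placeholder and the service-account and group names are assumed.

```ini
; authproxy.cfg (Duo Authentication Proxy) - added example, all values are placeholders

[main]
; turn on while troubleshooting "incorrect username or password" in NetExtender,
; then turn off again; the proxy log will show whether the request ever arrived
debug=false
log_auth_events=true

; --- primary authentication, option A: Active Directory (the [ad_client] setup in the thread) ---
[ad_client]
host=10.0.0.10
host_2=10.0.0.11
; assumed service-account name; the password is stored encrypted (see the typo note in this thread:
; the key is service_account_password_protected once you run authproxy_passwd, not service_account_password)
service_account_username=svc-duoproxy
service_account_password_protected=REPLACE_WITH_AUTHPROXY_PASSWD_OUTPUT
search_dn=DC=corp,DC=example,DC=com
; restrict VPN logins to one AD group instead of every enabled account (assumed group name)
security_group_dn=CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com

; --- primary authentication, option B: an existing RADIUS server such as NPS or JumpCloud's hosted RADIUS ---
; uncomment this block and set client=radius_client below instead of client=ad_client
;[radius_client]
;host=radius.example.com
;secret=REPLACE_WITH_UPSTREAM_RADIUS_SECRET
;port=1812

; --- the RADIUS server the SonicWall talks to ---
; "auto" means: password verified upstream, then an automatic Duo push / phone call.
; If users must type a passcode instead (the "stuck with passcodes" question above),
; name this section [radius_server_concat] and users append the factor to the password.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SKEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; radius_ip_1 is the SonicWall interface the RADIUS requests come from; it must match
; the firewall's RADIUS server entry or the proxy silently drops the packet
radius_ip_1=192.0.2.1
radius_secret_1=REPLACE_WITH_SHARED_SECRET
port=1812
; "safe" lets logins through on primary password alone if Duo's cloud is unreachable;
; "secure" fails closed, which is the right choice for an internet-facing VPN
failmode=secure

; --- optional: only needed if this proxy also does Duo directory sync, not for VPN logins ---
[cloud]
ikey=DIYYYYYYYYYYYYYYYYYY
skey=REPLACE_WITH_SYNC_SKEY
api_host=api-XXXXXXXX.duosecurity.com
service_account_username=svc-duoproxy
service_account_password_protected=REPLACE_WITH_AUTHPROXY_PASSWD_OUTPUT
```

Two things to check on the firewall side that the thread's symptoms point at: the RADIUS shared secret and the proxy's radius_secret_1 must match exactly, and the firewall's RADIUS timeout has to be long enough for a user to approve the push (the firewall's built-in test succeeds with password alone, so it will pass even when the timeout is far too short for a real login).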

Do you have the proxy working for anything else, or are you setting it up just for NetExtender?