Duo MFA and SSL VPN with SonicWALL TZ/NSA firewalls?

I own an MSP. We have 90% of our customers on TZ and 10% on NSA.

Me too.

NetExtender was first, O365 and NetSuite next.

Hey Pat! Question: I am setting this up for a client. We are already using LDAP/AD for SSL VPN and now want to shift to Duo. I have RADIUS installed and am going through the Duo proxy config. So you point the [radius_server_auto] to the SonicWALL and not the RADIUS server itself? If that is the case, did you have to configure the [radius_client] section at all? Trying to figure out how the setup all flows together. Thanks!

Finally figured it out! Under Configure Radius > General Settings > Force MSCHAPv2 mode was checked (by default). Unchecked that, BOOM!

For this case, we’re pointing directly to the DC, so can’t comment on the RADIUS piece. ad_client points to the DC, and radius_server_auto points to the SonicWALL. The client vs server is a bit confusing in that it feels backwards.

From Duo’s docs:

Use [radius_client] when the Authentication Proxy contacts another RADIUS server (like Microsoft NPS or Cisco ACS) to perform primary authentication.

So radius_client points to the RADIUS server.

Good for you. It sounded like a RADIUS server issue.

Ahh, OK, I see. I think this same setup will work for me as well. We are currently using LDAP/AD for SSL VPN authentication. Seems like the RADIUS proxy just handles the communication between AD, the SonicWALL and Duo Cloud. You did mention you had put in some details for the [cloud] section. I was looking through that primary KB article and I didn’t see where it said to plug in values for that. Might be missing something obvious though. Curious what you may have stuck in for that. Thanks again!

This setting was on the firewall.

Exactly!

Cloud is the info you get from Duo. Should only need one cloud section per proxy, no matter how many servers/clients it talks to.
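
How the sections discussed in this thread reference each other, as an added example that is not part of the original posts or Duo's own tooling: a small Python check that reads an authproxy.cfg and reports, for each [radius_server_auto] section, which devices it accepts RADIUS from and which primary authenticator its client= setting resolves to. The sample config is constructed (all hosts, keys and secrets are placeholders), and `describe_flow` is a hypothetical helper name.

```python
import configparser

# Constructed sample authproxy.cfg; every host, IP, key and secret is a placeholder.
SAMPLE_CFG = """
[ad_client]
host=192.0.2.10
service_account_username=duoservice
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=PLACEHOLDER
client=ad_client
failmode=safe
port=1812
"""

def describe_flow(cfg_text):
    """Return (flows, problems) for every [radius_server_auto*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    flows, problems = [], []
    for name in cp.sections():
        if not name.startswith("radius_server_auto"):
            continue
        sec = cp[name]
        # radius_ip_N = devices allowed to send RADIUS to the proxy (the firewall).
        ip_keys = sorted(k for k in sec if k.startswith("radius_ip_"))
        for k in ip_keys:
            if "radius_secret_" + k[len("radius_ip_"):] not in sec:
                problems.append(f"{name}: {k} has no matching radius_secret")
        if not ip_keys:
            problems.append(f"{name}: no radius_ip_N, no device can reach the proxy")
        # client= names the section the proxy itself contacts for primary auth.
        primary = sec.get("client", "")
        if primary in cp and "host" in cp[primary]:
            primary_host = cp[primary]["host"]
        else:
            primary_host = None
            problems.append(f"{name}: client={primary!r} has no section with host=")
        flows.append({"section": name, "accepts_from": [sec[k] for k in ip_keys],
                      "primary": primary, "primary_host": primary_host,
                      "duo_api": sec.get("api_host")})
    return flows, problems
```

Run against a real file by passing its contents to `describe_flow`; a `client=radius_client` line with no `[radius_client]` section shows up in the returned problems list.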