SRX Services Gateway

Tip: Two factor authentication managing SRX via web or cli

12-27-2013 04:38 PM

Hi Guys,

I was trying out different products for two factor authentication for managing our fleet of SRX devices. I was using Radius Authentication but that's not true 2fa. I've trialled many different vendors and the one that came out tops was Duosecurity (www.duosecurity.com). Before I go any further, I should point out that I am in no way affiliated to this company, in fact I've not spoken to them. However, they provide excellent 2fa features and their free offering is enough for my needs.

 

To get it working with the SRX devices:

 

1) Setup a free account on their website www.duosecurity.com

2) Download the app to your phone and enroll yourself as a user

3) Create an integration "Radius" on your account on duo security and download the radius proxy server application. I just went for the windows version and installed it on a Windows 2008 Virtual Machine.

4) Configure the SRX radius:

radius-server {
    192.168.1.100 {
        port 1812;
        secret "yoursharedsecret";
        timeout 15;
        retry 2;
        source-address 192.168.2.1;
    }
}

 

192.168.1.100 is the Windows 2008 VM where I installed the radius proxy server (downloaded from duo security)

192.168.2.1 is the SRX device

 

5) After installing the radius proxy server, you need to edit the file named authproxy.cfg

 

[main]
client=ad_client
server=radius_server_auto

[ad_client]
; Active Directory domain controller
host=192.168.1.200
service_account_username=(AD Account Username - create an AD account to be used for this service)
service_account_password=(AD password of the new account)
search_dn=OU=Users,OU=(Your domain OU) UK,DC=(Your domain),DC=co,DC=uk
security_group_dn=CN=IT Network Config,OU=Global,OU=Security,OU=Groups,OU=(Your domain OU),DC=(Your Domain),DC=co,DC=uk

 

(Note: the above security group is one I set up to only allow members of the IT Network Config security group to access this logon service. Your LDAP settings I'm sure will be different.)

 

[radius_server_auto]
ikey=(You will be given this key from duo security)
skey=(You will be given this key from duo security)
api_host=(You will be given this hostname from duo security)
failmode=safe
; SRX device 1
radius_ip_1=192.168.3.1
radius_secret_1=(Your shared secret)
; SRX device 2
radius_ip_2=192.168.4.1
radius_secret_2=(Your shared secret)

 

etc. (add as many devices as you want)

 

6) On the radius proxy server machine, open up a command prompt and type net start DuoAuthProxy

 

7) Now try logging into one of your SRX devices (it doesn't have to be an SRX device, any device where you can set radius settings). After entering your AD credentials, nothing will happen on screen, but your smartphone will notify you whether to approve or deny access (2nd factor). Click on approve and you will be logged into your device.

 

There are a lot more settings and features but the above will get you started. With the free version, you can use this for an unlimited amount of devices, use it for RDP, for remote VPN users etc. The only restriction with the free version is you can only have up to 10 users. But for me, I will never have more than 10 people permitted to access network device management so it's a perfect solution for FREE :)

 

Hopefully this will be of some use to others as much as it has been for me.
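A minimal RFC 2865 RADIUS client for checking the SRX-to-proxy path described in steps 4 to 7, as an added example that is not from the post or from Duo's software. It assumes the proxy address, UDP port 1812, 15 s timeout and shared secret from the SRX config above; the build_response/verify_response pair shows how the shared secret, through the Response Authenticator, stops a forged Access-Accept from being trusted, and how User-Password hiding (an MD5 XOR chain, not real encryption) works on the wire.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes; attribute types: 1 User-Name, 2 User-Password

def _md5_chain(secret, authenticator, data, decrypt):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def encrypt_password(secret, authenticator, password):  # zero-pad to a multiple of 16 bytes (minimum 16)
    return _md5_chain(secret, authenticator, password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00"), False)
def decrypt_password(secret, authenticator, hidden):  # what the proxy does before checking the AD password
    return _md5_chain(secret, authenticator, hidden, True).rstrip(b"\x00")

def build_access_request(secret, username, password, identifier, authenticator):
    """Code(1) Id(1) Length(2) Authenticator(16), then User-Name and User-Password attributes."""
    hidden = encrypt_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + Id + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(secret, request_authenticator, response):
    """Return the reply code only if the Response Authenticator proves the sender knows the secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

def radius_authenticate(host, secret, username, password, port=1812, timeout=15.0):
    """Send one Access-Request; the 15 s timeout (as in the SRX config) must outlast the Duo push."""
    identifier, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(secret, username, password, identifier, authenticator), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # no reply: proxy not running, wrong port, or the push was not approved in time
    return verify_response(secret, authenticator, data) if data[1] == identifier else None
```

With the proxy running, radius_authenticate("192.168.1.100", b"yoursharedsecret", b"aduser", b"adpassword") returns 2 (Access-Accept) once the push is approved, 3 (Access-Reject) on a denied push or bad AD password, and None when no authentic reply arrives within the timeout.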


Re: Tip: Two factor authentication managing SRX via web or cli

01-17-2019 10:23 PM

Hello,

Have you tried it with RSA Multifactor Authentication?


Re: Tip: Two factor authentication managing SRX via web or cli

07-17-2019 03:51 PM

Hello,

 

Are those all the commands you did for DUO? Where did you upload the zip file that DUO asks us to upload on the SRX?

All online tutorials are via J-Web and that's garbage; page hangs and I can't find the tabs online tutorials are pointing towards.

 

Can you please share the DUO part of the config that needs to be on the SRX for Dynamic VPN?

Thank you