Tip: Two-factor authentication for managing SRX via web or CLI
I was trying out different products for two-factor authentication for managing our fleet of SRX devices. I was using RADIUS authentication, but that's not true 2FA. I've trialled many different vendors and the one that came out tops was Duo Security (www.duosecurity.com). Before I go any further, I should point out that I am in no way affiliated with this company; in fact I've not spoken to them. However, they provide excellent 2FA features and their free offering is enough for my needs.
2) Download the app to your phone and enrol yourself as a user.
3) Create a "Radius" integration on your Duo Security account and download the RADIUS proxy server application (the Duo Authentication Proxy). I just went for the Windows version and installed it on a Windows 2008 virtual machine.
192.168.1.100 is the Windows 2008 VM where I installed the RADIUS proxy server (downloaded from Duo Security).
192.168.2.1 is the SRX device.
5) After installing the RADIUS proxy server, you need to edit the file named authproxy.cfg:
    [main]
    client=ad_client
    server=radius_server_auto

    [ad_client]
    ; Active Directory domain controller
    host=192.168.1.200
    service_account_username=(AD account username - create an AD account to be used for this service)
    service_account_password=(AD password of the new account)
    search_dn=OU=Users,OU=(Your domain OU) UK,DC=(Your domain),DC=co,DC=uk
    security_group_dn=CN=IT Network Config,OU=Global,OU=Security,OU=Groups,OU=(Your domain OU),DC=(Your Domain),DC=co,DC=uk
(Note: the above security group is one I set up so that only members of the IT Network Config security group are able to use this logon service. Your LDAP settings, I'm sure, will be different.)
    [radius_server_auto]
    ikey=(You will be given this key by Duo Security)
    skey=(You will be given this key by Duo Security)
    api_host=(You will be given this hostname by Duo Security)
    ; safe: if the Duo cloud service cannot be reached, logins succeed on AD credentials alone
    ; secure: such logins are rejected instead
    failmode=safe
    ; SRX device 1
    radius_ip_1=192.168.3.1
    radius_secret_1=(Your shared secret)
    ; SRX device 2
    radius_ip_2=192.168.4.1
    radius_secret_2=(Your shared secret)

Continue with radius_ip_3/radius_secret_3 and so on for as many devices as you want.
6) On the RADIUS proxy server machine, open a command prompt and run: net start DuoAuthProxy
7) Now try logging into one of your SRX devices (it doesn't have to be an SRX; any device where you can set RADIUS settings will do). After entering your AD credentials, nothing will happen on screen, but your smartphone will prompt you to approve or deny the access (the second factor). Tap Approve and you will be logged into your device.
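The device side is left out above ("any device where you can set radius settings"), so here is an added Junos configuration for the SRX, written for this post rather than taken from it or from Duo. It assumes the proxy address 192.168.1.100 and SRX address 192.168.2.1 given earlier, a placeholder shared secret, and that 192.168.2.1 appears as one of the radius_ip_N entries in authproxy.cfg.

```junos
# Assumed values: Duo Auth Proxy at 192.168.1.100, SRX at 192.168.2.1,
# <shared-secret> is a placeholder and must equal the matching radius_secret_N
set system radius-server 192.168.1.100 secret "<shared-secret>"
# Junos defaults to a 3-second timeout with 3 retries; a push approval takes
# longer than that, so the request would time out before the user taps Approve
set system radius-server 192.168.1.100 timeout 60
set system radius-server 192.168.1.100 retry 1
# Source the requests from the address listed as radius_ip_N on the proxy
set system radius-server 192.168.1.100 source-address 192.168.2.1
# RADIUS only: Junos still falls back to local passwords when no RADIUS server
# answers, but adding "password" here would also consult local accounts after a
# RADIUS reject, which would let a local password bypass the second factor
set system authentication-order radius
# Template account that RADIUS-authenticated users are mapped to when the
# server returns no Juniper local-user-name attribute
set system login user remote class super-user
```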
There are a lot more settings and features, but the above will get you started. With the free version, you can use this for an unlimited number of devices, for RDP, for remote VPN users, etc. The only restriction with the free version is that you can only have up to 10 users. But for me, I will never have more than 10 people permitted to access network device management, so it's a perfect solution for FREE 🙂
Hopefully this will be of some use to others as much as it has been for me.