Meraki MX Client VPN and DUO MFA Integration and Demo

  • Published on 5 Oct 2024

Comments • 17

  • @tricormetals8199 2 years ago

    Great Video. It answered a few questions I had about this project.

  • @pankaj8878 3 years ago

    Awesome Video... thank you.. one question though -- do we need to install RADIUS server in AD?

    • @dracocybersecurity 3 years ago +1

      In this particular setup, you don't need to install a separate RADIUS server; the Duo Authentication Proxy will facilitate as a RADIUS server.
      You can check out the official document that explains more on this: duo.com/docs/radius

    • @graciesager 1 year ago

      @dracocybersecurity Great video. Follow-up question related to the question from the OP: since we're currently using Meraki cloud authentication, once I have the proxy authentication server set up on the AD server, could I then change the authentication in Meraki to RADIUS using the proxy server's address? Thanks

    • @dracocybersecurity 1 year ago

      Yes, you should be able to do that. Just make sure the necessary firewall ports are open and the routing is done properly. I presume that the AD is internal, so you need to take note of those nuances.

    • @graciesager 1 year ago +1

      @dracocybersecurity Thanks for your reply Draco. Unfortunately, after following your video to the teeth, as soon as I connect my VPN and am asked for my sign-in, it just spins and then I receive an error that "the remote connection was terminated because the remote computer did not respond in a timely matter". I already set the timeout from 60 to 120 secs. It seems that it's not hitting the RADIUS server at all. Any ideas? Thanks again

    • @wernerscholtz4048 1 year ago

      Same problem here. Everything tests fine, but as soon as I hit connect on the VPN client, it gives the above error. @graciesager

  • @mdabdulmoiz 3 years ago

    Sorry, I am new to DUO and Meraki. I have understood your configuration, but one thing I want to know is: when you finally tested the user for Client VPN, how was that push notification sent to you? Do we need to configure and link the AD user we are testing from under the DUO portal so that the notification is sent to us?

    • @dracocybersecurity 3 years ago +1

      Check out this link: duo.com/docs/meraki-radius. Duo has an integration diagram that explains the flow much better than I do. What I have done is the older L2TP client. They now have the integration with AnyConnect, which in my view is more secure. Of course, L2TP is free with the system. For AnyConnect, I believe you need to pay for the license. Talk to your local Partner / Disti to get more support on the details if you are interested in AnyConnect integration.

  • @johndorian4078 2 years ago

    Are there any other options for MFA for Meraki that you've used?

    • @dracocybersecurity 2 years ago

      I have not done any other integration with other MFA. But you should be able to integrate with other MFA.

  • @jamesjoyce7020 2 years ago

    Not sure what I did wrong, but I configured the DUO client to my RADIUS server. The connectivity tool in DUO says “There are no configuration problems”. The MX device is configured successfully to the RADIUS server; however, when I connect to the VPN I am able to successfully connect without 2FA? Any ideas where to look?

    • @dracocybersecurity 2 years ago

      Hard to say, but did you configure the Duo Authentication Proxy to proxy the authentication? It seems that your VPN client is authenticating directly to the RADIUS instead of through the Duo Authentication Proxy. The DAP configuration should be similar to how it is configured in this video, but do check which parameters you need to change.

    • @graciesager 1 year ago

      Have you figured this out James? I am having the same problem. Thanks

  • @mdabdulmoiz 3 years ago

    Can we have the VPN user use Meraki cloud authentication (with a local username and pass created) and then use DUO, instead of AD credentials?

    • @dracocybersecurity 3 years ago +1

      From what I understand currently Duo is not integrated with the cloud authentication. You would need a Radius/AD/LDAP.