Duo Authentication

The Aviatrix OpenVPN® solution provides Duo authentication integration. This document helps you set up Duo to connect with Aviatrix. For more information on how to configure OpenVPN®, check out this link.

You must first have a Duo account set up. If you do not have one, please see https://www.duosecurity.com/product.

Getting Duo API Credentials

Important

This step requires admin privileges in Duo.

You must first add an application to Duo for Aviatrix before you can connect. If you have already completed this step, these same steps will take you to the API credentials needed to connect Aviatrix with this application.

  1. Log in to the Duo Admin Panel.

  2. Navigate to Applications.

  3. Click Protect an Application.

  4. Search for “OpenVPN” in the application list.

  5. Click Protect this Application.

  6. The Integration key, Secret key and API hostname are displayed.

    Note

    You will need these values in Aviatrix to connect the Aviatrix client to Duo.

  7. (optional) Update the Settings fields as required.

  8. (optional) Click Save Changes.

Note

You may need to adjust policies to allow this application to be visible to your users.

Connecting Aviatrix VPN with Duo

Note

You can set up Duo either at Aviatrix VPN Gateway launch time or after the Aviatrix VPN Gateway is launched. We highly recommend you configure Duo after the VPN Gateway is launched.

  1. Follow the steps to create a new Aviatrix Gateway.

  2. After the gateway is launched, in your Aviatrix Controller, go to OpenVPN® > Edit Config > Modify Authentication. Select Duo from the dropdown menu.

  3. Populate Integration Key, Secret Key, and API Hostname with the values from the Duo application details.

  4. Update the Push Mode.

  5. Click Modify to have the action take effect.

Validating

You will need one Aviatrix VPN user to test. Validate that a VPN user is able to connect after receiving the push notification (or after entering a valid Passcode).

Using Push Mode of auto

  1. Connect your VPN client to the VPN Gateway.

    Note

    You should receive a push notification from Duo.

  2. Open the Duo Mobile app and select Confirm for the pending request.

    Note

    Once you confirm the request, the VPN client should proceed to authenticate the user.

  3. Verify you are connected and can access resources in the cloud.

Using Push Mode of token

  1. Connect your VPN client to the VPN Gateway.

    Note

    You should receive a prompt to authenticate. If you do not receive a prompt, make sure the auth-user-pass option is in the .ovpn configuration file.

  2. Open the Duo Mobile app and generate a new passcode.

  3. In the VPN user/password prompt, enter any value for the username field and enter the passcode from the Duo Mobile app for the password.

  4. Verify you are connected and can access resources in the cloud.

  5. Note that you need to generate a new passcode for each connection.
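
As an added example (not part of the Aviatrix documentation), this Python check inspects a .ovpn profile for the token-mode prerequisites above: an active auth-user-pass directive, and no stored credentials, since a new passcode is needed for each connection. The function name and the sample profiles are assumptions constructed for illustration.

```python
import re

# Constructed sample profiles for illustration (not real gateway output).
PROMPTS = "client\nremote vpn.example.com 443\nauth-user-pass\n<ca>\nplaceholder\n</ca>\n"
COMMENTED = "client\n;auth-user-pass\nremote vpn.example.com 443\n"
STORED = "client\nauth-user-pass creds.txt  # static file\n"


def token_mode_findings(ovpn_text):
    """Return (line_number, message) problems for Duo token mode; [] means OK."""
    findings, directive_seen, inline_tag = [], False, None
    for lineno, raw in enumerate(ovpn_text.splitlines(), 1):
        line = raw.strip()
        if inline_tag:  # inside <ca>...</ca> and similar: content, not directives
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":  # comment runs to the end of the line
                break
            tokens.append(tok)
        if not tokens:
            continue
        opened = re.fullmatch(r"<([\w-]+)>", tokens[0])
        if opened:
            inline_tag = opened.group(1)
            if inline_tag == "auth-user-pass":  # inline credentials block
                directive_seen = True
                findings.append((lineno, "credentials stored inline; "
                                 "a stored passcode is stale after one connection"))
            continue
        if tokens[0] == "auth-user-pass":
            directive_seen = True
            if len(tokens) > 1:  # optional argument is a credentials file
                findings.append((lineno, f"credentials read from file {tokens[1]!r}; "
                                 "a stored passcode is stale after one connection"))
    if not directive_seen:
        findings.append((0, "no active auth-user-pass directive; "
                         "the client will not prompt for a passcode"))
    return findings


if __name__ == "__main__":
    for name, text in [("prompts", PROMPTS), ("commented", COMMENTED), ("stored", STORED)]:
        print(name, token_mode_findings(text) or "OK")
```
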

Currently, selective authentication with Duo is broken when combined with LDAP. This bug is expected to be fixed in a later release.

OpenVPN is a registered trademark of OpenVPN Inc.