Aviatrix VPN User Authentication with Duo IdP
The Aviatrix UserVPN solution provides Duo authentication integration. This document helps you to set up Duo to connect with Aviatrix.
You need to first have a Duo account. If you do not have one, please see https://www.duosecurity.com/product.
Getting Duo API Credentials
This step requires admin privileges in Duo. |
You must first add an application to Duo for Aviatrix before you can connect. If you have already completed this step, these same steps will take you to the API credentials needed to connect Aviatrix with this application.
-
Log in to the Duo Admin Panel.
-
Navigate to Applications.
-
Click Protect an Application.
-
Search for "OpenVPN" in the application list.
-
Click Protect this Application.
-
The Integration key, Secret key and API hostname are displayed.
You will need these values in Aviatrix to connect Aviatrix client to Duo.
-
(optional) Update the Settings fields as required.
-
(optional) Click Save Changes.
You may need to adjust policies to allow this application to be visible to your users. |
Connecting Aviatrix VPN with Duo
You can set up Duo either at Aviatrix VPN Gateway launch time or after the Aviatrix VPN Gateway is launched. We highly recommend you configure Duo after the VPN Gateway is launched. |
-
Follow the steps to create a new Aviatrix Gateway.
-
After the gateway is launched, in Aviatrix CoPilot, go to Cloud Fabric > UserVPN > select the VPN Gateways tab > click the Edit icon next to the gateway.
-
Under Authentication, click on the dropdown menu and select Duo.
-
Populate Integration Key, Secret Key, and API Hostname from the values provided by Duo application details.
-
Update the Push Mode.
Push Mode Description Auto
Duo sends a push notification to the user’s mobile device(s). The VPN client will wait for the user to accept this request before authenticating and proceeding.
Selective
This setting allows users to control which method they would prefer to use for authentication. The server supports either Duo Push or Duo Passcode. The password prompt field of the VPN client is used to indicate which method is requested:
-
A value of
#push
indicates the user requests to receive a push notification. -
A value of
#<passcode>
indicates the user is providing the token -
A value of
#push
indicates the user requests to receive a push notification. -
A value of
#<passcode>
indicates the user is providing the token after the "#" to authorize.
The
#
is required. If you are also connecting with LDAP, then the user’s LDAP password should be provided before the #.Token
The user must enter the current Duo Passcode in the password field when prompted by the VPN client. If the client prompts for a username, any value is acceptable.
-
-
Click Save.
Validating
You will need one Aviatrix VPN user to test. Validate that a VPN user is able to connect after receiving the push notification (or after entering a valid Passcode).
Using Auto Push Mode
-
Connect your VPN client to the VPN Gateway.
You should receive a push notification from Duo.
-
Open the Duo Mobile app and select Confirm for the pending request.
Once you confirm the request, the VPN client should proceed to authenticate the user.
-
Verify you are connected and can access resources in the cloud.
Using Token Push Mode
-
Connect your VPN client to the VPN Gateway.
You should receive a prompt to authenticate. If you do not receive a prompt, make sure
auth-user-pass
option is in the .ovpn configuration file. -
Open the Duo Mobile app and generate a new passcode.
-
In the VPN user/password prompt, enter any value for the username field and enter the passcode from Duo Mobile app for the password.
-
Verify you are connected and can access resources in the cloud.
-
Note that you need to generate a new passcode for each connection.