Duo Security integrates with F5 BIG-IP Access Policy Manager as a full-featured two-factor authentication solution. It offers inline self-enrollment and an interactive, user-friendly login experience that lets the user choose from a wide range of authenticators: Duo Push, Duo Mobile passcodes, phone callback, SMS passcodes, and even hard tokens. This integration guide was built for BIG-IP Version 11.4 or newer and provides a detailed step-by-step install, with screenshots of both the Duo and the BIG-IP configuration.

Prerequisites

The Duo Authentication Proxy is required and can be installed on a physical or virtual host. Duo recommends a system with at least 1 CPU, 200 MB of disk space, and 4 GB of RAM (although 1 GB of RAM is usually sufficient).

I installed this on a Windows Server 2008 R2 running on ESXi 5.5.

This is tested to work on 11.4 and greater; the lab it was tested in ran BIG-IP Version 11.6.0 HF4. The Duo two-factor solution offers three kinds of second factor, and they can be used together, as they are in this lab. The first works much like any other one-time-passcode solution: the user types a passcode generated by the Duo Mobile app (or delivered by SMS, or read from a hard token). The second is Duo Push, which sends a notification to the Duo Mobile app on your phone and lets you tap Approve or Deny. The third is phone callback: Duo calls your phone and you press any key on the keypad to approve the session. Only the first two need the Duo Mobile app; callback works with any phone that can receive a call.

Follow Duo's own guide (linked below) to install the Authentication Proxy on Windows Server 2008 R2 or Linux, or follow the step-by-step Windows Server 2008 R2 install included further down in this article.

Link to Guide: https://www.duosecurity.com/docs/f5bigip

Your BIG-IP access policy will look similar to the following. I have a secondary login page so as not to confuse the users logging in to my lab. Most enterprises use one single login page that requires primary authentication plus a second factor such as Duo Security.

BIG-IP v11.4.x

Go to Access Policy > Customization > (the Duo Security access policy) > Common > footer.inc, click the footer.inc item, insert the following script tag at the end of the footer.inc text box in the Advanced Customization Editor, and click Save:

    <script src="https://api-XXXXXXXX.duosecurity.com/frame/hosted/Duo-F5-BIG-IP-v1.js"></script>

Change api-XXXXXXXX.duosecurity.com to the API hostname shown for this integration in your Duo Security account online. The script tag must be valid HTML, including the closing tag, or the logon page will not load the Duo frame.

duo1.png

BIG-IP v11.5+

Instead of footer.inc you have to edit the header.inc customization item, located in the same place in the UI. Insert the following script tag at the end of the header.inc text box in the Advanced Customization Editor and click Save:

    <script src="https://api-XXXXXXXX.duosecurity.com/frame/hosted/Duo-F5-BIG-IP-v1.js"></script>

As above, change api-XXXXXXXX.duosecurity.com to the API hostname for this integration in your Duo Security account online, and make sure the script tag is valid HTML with its closing tag.

duo2.png

Windows Server 2008 R2 Installation

  1. Download the Duo Authentication Proxy installer for Windows. I chose version 2.4.11, as shown in the screenshot below.
  2. Copy the DuoAuthProxy installer exe to the Windows system you have chosen to host the Duo Authentication Proxy. I set up the Authentication Proxy in a virtual machine on VMware ESXi running Windows Server 2008 R2.
  3. Double-click the installer and follow the on-screen prompts.

    duo3.png

  4. Click I Agree through the EULA.

    duo4.png

  5. The installation will commence as shown below.

    duo5.png

  6. Click on Close to finish the installer as shown below.

    duo6.png

Post-Installation

As per the Duo Documentation on the website, after the installation completes, you will need to configure the proxy. The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

  • Windows (64-bit) - C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Windows (32-bit) - C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Linux - /opt/duoauthproxy/conf/authproxy.cfg

The configuration file is formatted as a simple INI file. Section headings appear as:

[section]

Individual properties beneath a section appear as:

name=value

The Authentication Proxy may ship with an existing authproxy.cfg containing example content. For the purposes of these instructions, however, you should delete the existing content and start with a blank text file. Duo recommends WordPad or another text editor instead of Notepad when editing the config file on Windows, because Notepad on Windows Server 2008 R2 does not handle the file's line endings well.

Configure the Proxy for Your Primary Authenticator

For the primary authenticator you can use RADIUS, Active Directory, or a combination of the two. This example uses both: APM talks to the proxy as a RADIUS AAA server, and the proxy validates the user's password against Active Directory, checking that the user is a member of the Duo security group (security_group_dn) before it proceeds to the second factor.

  1. In this step, you'll set up the proxy's primary authenticator, the system that validates users' existing passwords. In most cases this means configuring the proxy to communicate with Active Directory or RADIUS. The required and optional parameters for the ad_client and radius_client sections are documented on the Duo Security site. The configuration used for this article is below; comment lines start with a semicolon, and secrets are redacted. Two points worth checking before go-live: failmode=safe admits a user who passes primary authentication without a second factor whenever the proxy cannot reach Duo's service, so set failmode=secure if you would rather fail closed; and radius_secret_1 must match the shared secret configured on the BIG-IP RADIUS AAA server, with port being the UDP port the proxy listens on for that AAA server.
    [ad_client]
    host=192.168.1.134
    service_account_username=duosvc
    service_account_password=(redacted)
    search_dn=DC=uts,DC=local
    security_group_dn=CN=Duo Security Users,OU=Duo Security User Groups,OU=Duo Security,OU=UTS Custom,DC=uts,DC=local
    
    [radius_server_iframe]
    type=f5_bigip
    ikey=****************
    skey=**************
    api_host=api-XXXXXXXX.duosecurity.com
    ; radius_ip_1 is the self IP of the BIG-IP on the LAN segment facing the proxy
    radius_ip_1=192.168.1.135
    radius_secret_1=(redacted)
    failmode=safe
    client=ad_client
    port=1812
  2. Retrieve the Integration Key (ikey), Secret Key (skey), and API Hostname from the F5 BIG-IP application in your Duo account.

    duo7.png

  3. Ensure that a user with a phone attached is provisioned in your Duo account, matching the Active Directory or LDAP account you will use for the initial login through the APM access policy.

    duo8.png

    The phone number attached to the Godar account is shown below:

    duo9.png

  4. Restart the Duo Security Authentication Proxy service in services.msc so the new authproxy.cfg is loaded.

    duo10.png
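The RADIUS leg of this setup, as an added example that is not code from the original article, Duo or F5: a Python script that reads an authproxy.cfg fragment as the plain INI file described above, flags failmode=safe and a short radius_secret_1, and then builds and parses the PAP Access-Request that APM sends to the proxy, following RFC 2865. Every host, key and secret in it is a constructed placeholder, and the Duo iframe exchange that follows primary authentication is not modelled.

```python
"""Added example (not from the article, Duo or F5): parse an authproxy.cfg
fragment as plain INI, flag risky settings, and build/parse the RFC 2865
PAP Access-Request BIG-IP APM sends to the proxy. All values are dummies."""
import configparser
import hashlib
import os
import struct

# Constructed config modelled on the article's layout; no real keys or hosts.
SAMPLE_CFG = """\
[ad_client]
host=192.168.1.134
service_account_username=duosvc
service_account_password=ExamplePassw0rd
search_dn=DC=uts,DC=local
security_group_dn=CN=Duo Security Users,OU=Duo Security User Groups,OU=Duo Security,OU=UTS Custom,DC=uts,DC=local

[radius_server_iframe]
type=f5_bigip
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; radius_ip_1 is the BIG-IP self IP on the segment facing this proxy
radius_ip_1=192.168.1.135
radius_secret_1=ExampleRadiusSecret
failmode=safe
client=ad_client
port=1812
"""


def load_authproxy_cfg(text):
    """Parse authproxy.cfg; interpolation is off so a '%' in a secret stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_radius_section(cp, section="radius_server_iframe"):
    """Return review findings for the BIG-IP-facing RADIUS server section."""
    findings, sec = [], cp[section]
    # Duo's documented default for failmode is 'safe' (fail open during a Duo outage).
    if sec.get("failmode", "safe").lower() != "secure":
        findings.append("failmode is not 'secure': during a Duo outage users who pass "
                        "primary auth are admitted without a second factor")
    if len(sec.get("radius_secret_1", "")) < 20:
        findings.append("radius_secret_1 is short: RADIUS only MD5-obfuscates the "
                        "password under it, so use a long random secret")
    return findings


ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD = 1, 2, 1, 2


def pap_obfuscate(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous output block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_recover(ciphertext, secret, authenticator):
    """Inverse of pap_obfuscate; the chain key uses the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, ident=1, authenticator=None):
    """The packet APM sends to the proxy's listening port (1812 in the sample)."""
    authenticator = authenticator or os.urandom(16)
    attrs = avp(USER_NAME, username.encode()) + avp(
        USER_PASSWORD, pap_obfuscate(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Proxy-side view: (username, password) recovered with its own radius_secret_1."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, found = packet[4:20], packet[20:length], {}
    while attrs:
        found[attrs[0]], attrs = attrs[2:attrs[1]], attrs[attrs[1]:]
    password = pap_recover(found[USER_PASSWORD], secret, authenticator)
    return found[USER_NAME].decode(), password.decode("utf-8", "replace")


def build_access_accept(request, secret, ident):
    """Proxy reply; ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_authentic(response, request, secret):
    """What BIG-IP checks before trusting an Accept; a mis-keyed or forged reply fails."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

Parsing the request with a secret other than the one used to build it yields garbage for the password, and response_is_authentic rejects a reply computed under a different secret; that is why radius_secret_1 on the proxy and the secret on the BIG-IP RADIUS AAA server must be identical. Because the primary password is only MD5-obfuscated in transit, keep the BIG-IP-to-proxy path on a trusted segment (the self IP named in radius_ip_1) and use a long random shared secret rather than a short word.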

APM Configuration

  • AAA Config

    duo11.png

  • APM Visual Policy

    duo12.png

  • APM Visual Policy Macros
    • 2-Factor Auth Decision

      duo13.png

      duo14.png

    • Duo Auth

      duo15.png

      duo16.png

APM IFRAME Footer in APM Policy

This goes in the footer.inc (v11.4) or header.inc (v11.5+) customization item of the access policy that uses the Duo configuration. With the script loaded, the Duo iFrame appears on the logon page after primary authentication for any user who has been added to your Duo account online, and it offers the SMS passcode, push, or phone call methods through that API/JS.

duo17.png