Duo: ADSync and Enroll Users via SMS

KB ID 0001648

Problem

Before you can use Duo 2FA/MFA you need to have your users enrolled. There are a number of ways to enrol them: you can bulk email them, or add them manually. Below I'm going to sync Duo with my Active Directory, so that users who are members of a specific AD group 'appear' in the Duo Admin Portal. Then I'm going to enter a user's mobile phone number and send them an SMS to enrol.

Tip: When setting up your Duo account, I'd recommend creating a new user just for Duo admin. You can use your own account, but it means enrolling twice.

Duo: Setup ADSync

Log into the Duo Admin Portal > Users > Directory Sync > Active Directory > Add New Active Directory Sync. Take note of the Integration Key, Secret Key, and the API hostname; you will need them for the proxy configuration shortly. (The Secret Key is a credential: treat it like a password rather than leaving it in a text file.) Add your domain controller(s) (internal IP addresses) and set the port to 636 (LDAPS). Scroll down.

Duo AD Sync

Set the 'Base DN' of your domain. Here I'm simply using the root of the domain; you can set it to a specific OU if you prefer. Scroll down.

Duo AD Sync Base DN

Select LDAPS > paste in the PEM-encoded certificate of the CA that issued your domain controllers' LDAPS certificates (for a single-tier PKI that is your root CA certificate; the proxy uses it to validate the domain controller when it connects on 636). Save Directory.

Note: If you don’t know what a PEM file is, read this post.
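Added example (not from the original article): before pasting anything into the portal, this PowerShell script proves that a domain controller actually answers LDAPS on 636, prints which CA issued its certificate, and writes that CA certificate out in PEM format ready to paste into the Directory Sync LDAPS settings. The DC name and output path are assumptions; the DC name must match the name in its LDAPS certificate.

```powershell
# Added example, not from the article: check LDAPS on a DC and export the issuing CA as PEM.
param(
    [string]$DomainController = 'dc01.pnl.com',   # assumption: your DC's FQDN (must match its certificate)
    [string]$OutFile = "$env:TEMP\duo-ldaps-ca.pem"  # assumption: where to write the PEM
)

# 1. Open a raw TLS session to port 636. Any server certificate is accepted at this point
#    because the goal is to read the chain, not to trust it yet; the CA we export is what
#    Duo will be told to trust.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($DomainController)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
Write-Host "LDAPS OK.  Server cert: $($serverCert.Subject)"
Write-Host "           Issued by:   $($serverCert.Issuer)"
Write-Host "           Expires:     $($serverCert.NotAfter)"

# 2. Build the chain on this machine and take the element directly above the leaf, i.e. the
#    CA that issued the LDAPS certificate (for a single-tier PKI that is your root CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($serverCert)) {
    Write-Warning "Chain did not validate on this host: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
}
if ($chain.ChainElements.Count -lt 2) { throw 'No issuer found in the chain; is the DC certificate self-signed?' }
$caCert = $chain.ChainElements[1].Certificate

# 3. PEM is the DER bytes, base64 encoded at 64 characters per line, between header/footer lines.
$b64 = [Convert]::ToBase64String($caCert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
[IO.File]::WriteAllText($OutFile, $pem, [Text.Encoding]::ASCII)
Write-Host "Wrote CA certificate '$($caCert.Subject)' to $OutFile; paste its contents into the LDAPS settings."
```

If step 1 throws, the proxy will not connect either: either the DC has no certificate suitable for LDAPS, or 636 is filtered between you and it. If the chain shows more than two elements you have a multi-tier PKI; paste the issuing (subordinate) CA shown here, or concatenate the subordinate and root certificates into one PEM.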

Duo AD Sync LDAPS

On a member server in your domain, install the Duo Security Authentication Proxy software. (Note: This server needs TCP port 443 (HTTPS) outbound to the Duo API hostname permitted on your corporate firewall, and TCP port 636 (LDAPS) to your domain controllers.)

Duo Authentication Proxy

Navigate to the C:\Program Files (x86)\Duo Security Authentication Proxy\conf folder (newer 64-bit builds of the proxy install under C:\Program Files instead), locate the authproxy.cfg file and open it with WordPad.

Duo AuthProxycfg

Delete the contents and paste in the following. Change the values to match your domain, and put in the keys you noted from the Admin Portal earlier. Directory sync takes the domain controller address, port, Base DN and LDAPS settings from what you entered in the Admin Portal, so the proxy's config only needs the Duo keys and the service account that will read the directory (the [ad_client] section is only needed when the proxy also fronts LDAP or RADIUS authentication; it is not used for sync);

[cloud]
ikey=XXXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
service_account_username=svc_duo
service_account_password=Password1

Note: Where svc_duo is the service account you created for the proxy (a plain domain user with read access to the directory is enough; it does not need to be a Domain Admin), and Password1 is the password for that account (a placeholder; use a long, unique one). This file now holds the Duo secret key and the service account password in clear text, so restrict NTFS permissions on the conf folder to Administrators and SYSTEM, and don't copy it anywhere else. Recent proxy versions ship an authproxy_passwd tool in the proxy's bin folder that encrypts these values in the config file.

Duo AuthProxycfg example AD Sync

Then start the service with the following command;

net start DuoAuthProxy

Start Duo Proxy

Note: If your service won't start, you may need to grant your 'service user' some additional rights; see this post for further information. The proxy's own log (authproxy.log in the log folder, alongside the conf folder) tells you why it stopped.
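Added example (not from the original article): a PowerShell check to run on the proxy server after editing authproxy.cfg, covering the things that stop the sync from showing 'Connected': the permissions on the config file, the required keys in the [cloud] section, outbound 443 to Duo and 636 to the DC, the service state, and the tail of the proxy log. The API hostname, DC address and install folder are assumptions (the 32-bit install path from this article is the default).

```powershell
# Added example, not from the article: health check for the Duo Authentication Proxy sync setup.
param(
    [string]$ApiHost = 'api-xxxxxxxx.duosecurity.com',           # assumption: the API hostname from the portal
    [string]$DomainController = '192.168.100.3',                 # assumption: your DC, as entered in the portal
    [string]$InstallDir = "${env:ProgramFiles(x86)}\Duo Security Authentication Proxy"  # assumption
)
$cfg = Join-Path $InstallDir 'conf\authproxy.cfg'
$log = Join-Path $InstallDir 'log\authproxy.log'

# 1. The config holds the Duo secret key and the service-account password in clear text.
#    Flag any ACE that grants access to anything other than SYSTEM and local Administrators.
$allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$extra = (Get-Acl $cfg).Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "authproxy.cfg is accessible to: $(($extra.IdentityReference.Value | Sort-Object -Unique) -join ', ')"
} else {
    Write-Host 'Config ACL OK (SYSTEM and Administrators only).'
}

# 2. Sanity-check the [cloud] section without echoing the secrets.
$content = Get-Content $cfg -Raw
foreach ($key in 'ikey', 'skey', 'api_host', 'service_account_username', 'service_account_password') {
    if ($content -notmatch "(?m)^\s*$key\s*=\s*\S") { Write-Warning "[cloud] is missing '$key'" }
}
if ($content -match '(?m)^\s*skey\s*=\s*X{10,}') { Write-Warning 'skey still looks like the placeholder' }

# 3. Network paths the proxy needs: 443 out to Duo, 636 to the domain controller.
foreach ($t in @{ Host = $ApiHost; Port = 443 }, @{ Host = $DomainController; Port = 636 }) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ('TCP {0}:{1} -> {2}' -f $t.Host, $t.Port, $state)
}

# 4. (Re)start the service so it re-reads the config, then show what it logged.
$svc = Get-Service DuoAuthProxy -ErrorAction Stop
if ($svc.Status -eq 'Running') { Restart-Service DuoAuthProxy } else { Start-Service DuoAuthProxy }
Start-Sleep -Seconds 5
Get-Service DuoAuthProxy | Select-Object Name, Status, StartType
if (Test-Path $log) { Get-Content $log -Tail 20 } else { Write-Warning "No log at $log yet" }
```

A 'BLOCKED' result on 443 means the proxy can never register with Duo, and on 636 means it will register but the sync itself will fail; the last lines of authproxy.log distinguish a bad service-account password from a certificate the proxy does not trust.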

Back in the Duo Admin Portal your ADSync should now say ‘Connected’.

Duo AD Sync Connected

Now you can see your groups; select the group that contains the users you want to sync.

Note: DON'T USE 'Domain Users'. It won't work, and neither will creating a group and putting the Domain Users group inside it. Domain Users is most users' primary group, and primary-group membership is recorded on the user (the primaryGroupID attribute) rather than in the group's member attribute, so an LDAP lookup of the group's members returns nobody. Create a dedicated group and add your users to it directly; if there are a lot of them, you can bulk add users to the group.
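Added example (not from the original article): this PowerShell script binds to the domain controller over LDAPS as the sync service account, the same way the proxy does, and then compares what the member attribute says about a group with how many users carry that group as their primary group. Run it against Domain Users and your dedicated sync group to see why the former gives Duo nothing. The DC name, Base DN, service account and group name are assumptions; the DC name must match its LDAPS certificate.

```powershell
# Added example, not from the article: test the sync account over LDAPS and show why
# 'Domain Users' cannot be synced (its members are attached via primaryGroupID, not 'member').
param(
    [string]$DomainController = 'dc01.pnl.com',   # assumption: FQDN matching the LDAPS certificate
    [string]$BaseDn = 'DC=pnl,DC=com',            # assumption: the Base DN entered in the portal
    [string]$ServiceAccount = 'PNL\svc_duo',      # assumption: the sync service account
    [string]$SyncGroup = 'Duo-Users'              # assumption: the dedicated group you will sync
)
Add-Type -AssemblyName System.DirectoryServices
$creds = Get-Credential -UserName $ServiceAccount -Message 'Sync service account password'

# SecureSocketsLayer forces TLS on 636, so a successful bind proves the account, the port and
# the certificate chain all work from this network segment.
$authType = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer -bor
            [System.DirectoryServices.AuthenticationTypes]::Secure
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://${DomainController}:636/$BaseDn",
    $creds.UserName, $creds.GetNetworkCredential().Password, $authType)

function Find-Group([string]$Name, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectClass=group)(sAMAccountName=$Name))")
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $g = $s.FindOne()
    if (-not $g) { throw "Group '$Name' not found under $BaseDn" }
    $g
}

function Get-ExplicitMemberCount([string]$Name) {
    # Directory sync reads the group's 'member' attribute, so that is what is counted here.
    # Groups with more than 1500 members return it as 'member;range=0-1499', hence the wildcard.
    $g = Find-Group $Name @('member')
    $count = 0
    foreach ($p in ($g.Properties.PropertyNames | Where-Object { $_ -like 'member*' })) {
        $count += $g.Properties[$p].Count
    }
    $count
}

function Get-PrimaryGroupCount([string]$Name) {
    # Users whose primary group is this group hold its RID in primaryGroupID (Domain Users is 513)
    # and do not appear in the group's member attribute at all.
    $g = Find-Group $Name @('objectSid')
    $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Properties['objectSid'][0], 0)
    $rid = $sid.Value.Split('-')[-1]
    $u = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectCategory=person)(primaryGroupID=$rid))")
    $u.PageSize = 500
    @($u.FindAll()).Count
}

foreach ($name in 'Domain Users', $SyncGroup) {
    '{0,-20} member attribute: {1,5}   via primaryGroupID: {2,5}' -f $name, (Get-ExplicitMemberCount $name), (Get-PrimaryGroupCount $name)
}
# Expect 'Domain Users' to show 0 in the member column and all your users in the primaryGroupID
# column; only a group with a non-zero member count will populate Duo.
```

If the bind itself fails, fix that before touching Duo: a wrong password, an account locked by the security policy, or a DC certificate not chained to the CA you exported will all show up here first.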

Duo AD Sync Groups

Duo: Enrol Users via SMS

Obviously you will need to know the user's mobile phone number, and they will need the Duo Mobile app installed. It is free from the App Store (iPhone/iPad) or Google Play (Android).

Select your user in the portal > Add Phone > Enter the mobile number > Add Phone.

Duo AD Assign Phone

Activate Duo Mobile.

Duo AD Activate Phone

Generate Duo Mobile Activation Code.

Duo AD Generate Activation Code

Send instructions by SMS.

Duo Send SMS Activation

On the user's phone they will see something like this; they need to tap the link.

Duo Send SMS Activated

This is what it should look like when successful. (Note: The reason I have TWO entries is because I'm also the Duo Admin for this site.)

Duo App
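Added example (not from the original article): the same enrolment done through the Duo Admin API instead of portal clicks, which is what you want once you are onboarding more than a handful of synced users. It looks the user up, creates the phone, attaches it, and sends the SMS with the activation (and install) link. This needs an Admin API application (Applications > Protect an Application > Admin API) with the 'Grant write resource' permission; its integration key and secret key are NOT the directory sync keys used in authproxy.cfg. The keys, username and phone number below are assumptions (the number is a UK test-range number, not a real one), and the request signing follows Duo's published scheme: HMAC-SHA1 over the date, method, host, path and sorted parameters, sent as HTTP Basic auth.

```powershell
# Added example, not from the article: enrol a synced user by SMS via the Duo Admin API.
param(
    [string]$ApiHost = 'api-xxxxxxxx.duosecurity.com',                       # assumption: Admin API hostname
    [string]$IntegrationKey = 'DIXXXXXXXXXXXXXXXXXX',                         # assumption: Admin API ikey
    [string]$SecretKey = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',          # assumption: Admin API skey, keep it out of scripts you share
    [string]$Username = 'pete',                                               # assumption: a user already synced from AD
    [string]$Number = '+447700900123'                                         # assumption: E.164 format; this is a UK test-range number
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # Duo requires TLS 1.2

function Invoke-DuoAdminApi([string]$Method, [string]$Path, [hashtable]$Params = @{}) {
    # Signature: HMAC-SHA1(skey) over "date\nMETHOD\nhost\npath\nsorted&encoded=params", hex encoded,
    # sent as Basic auth with the ikey as username. Duo rejects requests whose date is minutes off,
    # so the clock on this machine matters. X-Duo-Date is accepted in place of the Date header.
    $date = (Get-Date).ToUniversalTime().ToString('ddd, dd MMM yyyy HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture) + ' -0000'
    $canonParams = ($Params.Keys | Sort-Object | ForEach-Object {
        [Uri]::EscapeDataString($_) + '=' + [Uri]::EscapeDataString([string]$Params[$_]) }) -join '&'
    $canon = ($date, $Method.ToUpper(), $ApiHost.ToLower(), $Path, $canonParams) -join "`n"
    $hmac = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = [Text.Encoding]::UTF8.GetBytes($SecretKey)
    $sig = ([BitConverter]::ToString($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($canon))) -replace '-', '').ToLower()
    $auth = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${IntegrationKey}:$sig"))
    $headers = @{ 'X-Duo-Date' = $date; Authorization = "Basic $auth" }
    $uri = "https://$ApiHost$Path"
    if ($Method -eq 'GET') {
        if ($canonParams) { $uri += "?$canonParams" }
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    } else {
        $resp = Invoke-RestMethod -Method $Method -Uri $uri -Headers $headers -Body $canonParams -ContentType 'application/x-www-form-urlencoded'
    }
    if ($resp.stat -ne 'OK') { throw "Duo API error on $Path : $($resp.message)" }
    $resp.response
}

# 1. Find the user that directory sync created (Duo usernames come from the synced AD attribute).
$user = @(Invoke-DuoAdminApi GET '/admin/v1/users' @{ username = $Username })
if ($user.Count -eq 0) { throw "User '$Username' not found in Duo; has the directory sync run?" }

# 2. Create the phone record, then associate it with the user.
$phone = Invoke-DuoAdminApi POST '/admin/v1/phones' @{ number = $Number; type = 'mobile' }
$null  = Invoke-DuoAdminApi POST "/admin/v1/users/$($user[0].user_id)/phones" @{ phone_id = $phone.phone_id }

# 3. Send the SMS. install=1 adds the app-store link; the activation link only lives for valid_secs,
#    so send it when the user is ready to act on it rather than in a batch overnight.
$sms = Invoke-DuoAdminApi POST "/admin/v1/phones/$($phone.phone_id)/send_sms_activation" @{ install = 1; valid_secs = 3600 }
"Activation SMS sent to $Number for $Username; the link expires in $($sms.valid_secs) seconds."
```

The activation link is effectively a credential for the user's second factor until it expires, so keep valid_secs short and do not log the activation_msg that the API returns. If the call fails with a 401, the usual causes are clock skew on the proxy server, or using the directory sync keys instead of an Admin API application's keys.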

Related Articles, References, Credits, or External Links

NA

Author: PeteLong
