
Configure pfsense for 2FA using Duo RADIUS auth proxy with NPS

This guide assumes that you already have a working pfSense installation, that you have an account with Duo Security, and that you have set up and configured some form of RADIUS authentication; in this case, Windows Server Network Policy Server (NPS) is used.

Requirements

1. A server to run the RADIUS service (NPS).

2. A server to run the Duo Authentication Proxy application.

   a. Either Linux or Windows. This guide uses Windows Server.

   b. A future guide will cover the Linux version.

3. Both functions can run on the same server, but the default port numbers must be changed for that to work, because both services listen on UDP 1812 by default.

Steps

1. Go to admin.duosecurity.com and create a new RADIUS application.

2. Download and install the Duo Authentication Proxy application on the proxy server. This can be the same server as the RADIUS function, but that requires changing port numbers. For higher-load deployments, separate servers are recommended.

3. In NPS, configure the Duo Auth Proxy server as a RADIUS client.

4. In pfSense, configure the Duo Auth Proxy as a RADIUS authentication server.

5. In pfSense, create a group and assign permissions as necessary, e.g. a pfsense-admins group with admin permissions.

6. In NPS, configure the connection policies that will allow authentication to pfSense. Be sure to return the name of the pfSense group the user should belong to as a Class attribute.

7. Configure the Duo Auth Proxy application using the Duo application's details and by pointing its RADIUS client section at the NPS server. Be sure to include "pass_through_all=true" so the Class attribute is passed through to the pfSense server and groups are assigned properly.
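The following authproxy.cfg ties steps 1, 3, 4 and 7 together. It is an added example written for this guide, not a file shipped by Duo or pfSense; every address, secret and key in it is a placeholder that you replace with your own values, and it assumes the proxy shares a host with NPS, so the proxy listens on 18120 instead of the default 1812.

```ini
; authproxy.cfg (constructed example; all values are placeholders)

[radius_client]
; Upstream primary authentication: the NPS server. The proxy was registered
; in NPS as a RADIUS client in step 3, so this secret must match that entry.
host=192.0.2.10
secret=<nps-shared-secret>
port=1812

[radius_server_auto]
; Integration details from the RADIUS application created at
; admin.duosecurity.com in step 1.
ikey=<integration-key>
skey=<secret-key>
api_host=<api-xxxxxxxx.duosecurity.com>
; Only pfSense (step 4) is allowed to send requests to the proxy. The secret
; here must match the shared secret entered in the pfSense RADIUS server entry.
radius_ip_1=192.0.2.1
radius_secret_1=<pfsense-shared-secret>
client=radius_client
; NPS already owns UDP 1812 on this host, so the proxy listens elsewhere.
; Enter 18120 as the authentication port in pfSense.
port=18120
; Reject logins if the Duo cloud service is unreachable.
failmode=secure
; Forward every attribute NPS returns in the Access-Accept, including the
; Class attribute set in the step 6 policy, so pfSense can map the user to
; the matching local group (for example pfsense-admins).
pass_through_all=true
```

pfSense matches the value of the returned Class attribute against the name of a local group, so the string set in the NPS policy must be exactly the group name created in step 5. Two checks worth making before going live: the Windows firewall on the proxy host must allow inbound UDP 18120 from the pfSense address, and the NPS network policy must permit PAP, since the proxy forwards the primary password to NPS as a PAP request.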