Junos OS

I have successfully implemented DUO Authentication Proxy for all administrative SSH logins. Now, when an administrator accesses a switch, the process includes a brief pause to allow for Duo Push approval via their mobile device. Please reach out if you would like a technical deep dive or more details on the configuration.

I implemented this on a Cisco ASA several years ago for RA VPN users. It would be interesting to see how it looks on the SRX.. Please go ahead and share.

Actually, I should have specified that I implemented this on the EX-series access-layer switches.

Here is a summary of the setup:

• In DUO Authentication Proxy config:
  • [ad_client] section points to the A/D server(s), search_dn, security_group_dn, and auth_type=sspi
  • [radius_server_auto] section has the usual confg entries to connect to DUO, plus force_message_authentication=true and the radius_ip_# and radius_secret_# lines, one pair for each device IP.
• On the EX switches, config RADIUS authentication for admins as normal
  • Set the timeout value to something like 30 (seconds)