  1. Submit a Service Request to the OIT Security team to create a Duo "Integration"
    1. For Duo, a unique "integration" should be set up for each specific hostname and service to be protected, so that policy and audit logs can be categorized per host and service.  For example, the SSH service on xyz.uci.edu or the RDP service on abc.uci.edu.
    2. If the service you are trying to protect is a web application that uses WebAuth, please see Protecting Your Web Application Using WebAuth And Duo Multi-Factor Authentication
    3. What you need to tell OIT Security:
      1. Go to the Request a New Duo Multifactor Authentication Integration form, complete the form as described, and click Order Now.
    4. What OIT Security will give you:
      1. Integration key
      2. Secret key
      3. API hostname
  2. Download the Duo integration agent binary and installation instructions from https://www.duosecurity.com/docs
    1. Unix: https://www.duosecurity.com/docs/duounix
    2. Windows: https://www.duosecurity.com/docs/rdp
  3. Use the information from step 1.d. to configure the integration agent.
    1. Other important settings to decide on when configuring the integration agent include:
      1. Whether to use auto-push.  If enabled, a Duo Push request is sent automatically after the first factor authenticates successfully.  Keep in mind that some users may not have a data signal, or may be using a temporary bypass code because they lost their device, so auto-push is not recommended for environments such as Unix where an auto-push request cannot be cancelled.
      2. Whether to "fail-safe" or "fail-secure": if the Duo cloud authentication server is unreachable from the integration agent on the network, the agent will either deny access (secure) or continue to allow access via single-factor authentication (safe) until the server is reachable again.
      3. There are other settings specific to the type of integration agent (such as RDP vs. Console, SSH vs. PAM, group-based challenges).  Please read the installation instructions for details.
  4. More information on configuring specific systems:
    1. Setting up CentOS to use Duo two factor authentication for ssh and sudo
    2. /wiki/spaces/SEC/pages/20383664
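
One way to check a Duo Unix configuration file against the decisions made in step 3, as an added example that is not part of the original page or Duo's own tooling. The helper names `duo_get` and `duo_audit` are hypothetical, the sample config values are constructed placeholders, and the option names (`ikey`, `skey`, `host`, `failmode`, `autopush`) are the ones Duo Unix reads from its `[duo]` section:

```shell
#!/bin/sh
# Added example: check a Duo Unix config against the choices made in step 3.

# duo_get FILE KEY: print KEY's value from the [duo] section (empty if unset).
duo_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { in_duo = ($0 ~ /^[ \t]*\[duo\]/); next }
        in_duo && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# duo_audit FILE WANT_FAILMODE WANT_AUTOPUSH: print findings, return 1 if any.
duo_audit() {
    f=$1; want_fail=$2; want_push=$3; rc=0
    # The three values OIT Security supplies must all be present.
    for k in ikey skey host; do
        [ -n "$(duo_get "$f" "$k")" ] || { echo "missing: $k"; rc=1; }
    done
    # Unset options fall back to Duo Unix defaults: failmode=safe, autopush=no.
    fail=$(duo_get "$f" failmode); push=$(duo_get "$f" autopush)
    [ "${fail:-safe}" = "$want_fail" ] || { echo "failmode=${fail:-safe} (wanted $want_fail)"; rc=1; }
    [ "${push:-no}" = "$want_push" ] || { echo "autopush=${push:-no} (wanted $want_push)"; rc=1; }
    # The file holds the secret key, so only its owner should have access.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in *00) ;; *) echo "mode=$mode (secret key accessible beyond owner)"; rc=1 ;; esac
    return $rc
}

# Constructed sample config with placeholder values, not real credentials.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[duo]
; placeholders for the values from step 1.d
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER-SECRET-KEY
host = api-XXXXXXXX.duosecurity.com
failmode = safe
autopush = yes
EOF
chmod 644 "$demo"
duo_audit "$demo" secure no || echo "config does not match the chosen policy"
rm -f "$demo"
```

On a real host, point `duo_audit` at the agent's config file (for Duo Unix, `/etc/duo/login_duo.conf` or `/etc/duo/pam_duo.conf`) and pass the fail mode and auto-push setting your environment decided on.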