
So you are an intelligent and highly security-conscious system administrator who wants to protect the systems you administer with multi-factor authentication, to better secure their users and data? Please follow these instructions to get started.

  1. Contact the OIT Security team (security@uci.edu) to create a Duo "Integration"
    1. For Duo, a unique "integration" should be set up for each specific hostname and service to be protected, so that policy and audit logs are kept separate for that host and service. For example, the SSH service on xyz.uci.edu or the RDP service on abc.uci.edu.
    2. If the service you are trying to protect is a web application that uses WebAuth, please see Protecting Your Web Application Using WebAuth And Duo Multi-Factor Authentication
    3. What you need to tell OIT Security:
      1. Hostname
      2. Service (Windows RDP/Console, Unix SSH/Sudo, Web, Radius, or other https://www.duosecurity.com/docs)
      3. Unenrolled user policy: whether users without Duo tokens should still be allowed access via normal single-factor authentication, or whether all access should be denied unless they have a Duo token. (Note: users with Duo tokens will always be required to use two-factor authentication.)
    4. What OIT Security will give you:
      1. Integration key
      2. Secret key
      3. API hostname
  2. Download the Duo integration agent binary and installation instructions from https://www.duosecurity.com/docs
    1. Unix: https://www.duosecurity.com/docs/duounix
    2. Windows: https://www.duosecurity.com/docs/rdp
  3. Use the integration key, secret key and API hostname that OIT Security gave you in step 1 to configure the integration agent.
    1. Other important settings to decide on when configuring the integration agent include:
      1. Whether to use auto-push or not. If enabled, a Duo Push request is sent automatically as soon as the first factor authenticates successfully. However, keep in mind that some users may have no data signal, or may be using a temporary bypass code because they lost their device, so auto-push is not recommended for environments like Unix where an auto-push request cannot be cancelled.
      2. Whether to "fail-safe" or "fail-secure": if the Duo cloud authentication server is unreachable from the integration agent over the network, should the agent deny access (secure), or continue to allow access via single-factor authentication (safe) until the server is reachable again?
      3. There are other settings specific to the type of integration agent (such as RDP vs. Console, SSH vs. PAM, group-based challenges); please read the installation instructions for details.
  4. More information on configuring specific systems:
    1. Setting up CentOS to use Duo two factor authentication for ssh and sudo
    2. /wiki/spaces/SEC/pages/20383664
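The two decisions in step 3 (fail-safe vs. fail-secure, and auto-push) end up as lines in the Duo Unix configuration file, and it is easy to leave the file in a state you did not intend. The script below is an added example, not part of this page and not Duo's own code: it writes two constructed sample configs (placeholder keys, not real credentials) in the `[duo]` section format that Duo Unix's `pam_duo.conf` and `login_duo.conf` use, then audits each one for the hardened choices (`failmode = secure`, `autopush = no`, credentials present, file not readable by group or others because it holds the secret key). The option names `ikey`, `skey`, `host`, `failmode` and `autopush` are the documented Duo Unix options; the function names `duo_conf_get` and `audit_duo_conf` are this example's own.

```shell
#!/bin/sh
# Added example (not from this page and not Duo's own code): audit a Duo Unix
# configuration file (pam_duo.conf or login_duo.conf) against the decisions in
# step 3. The option names ikey, skey, host, failmode and autopush are the
# documented Duo Unix options; both sample files below are constructed here,
# and the key values are placeholders, not real credentials.

DUO_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DUO_DEMO_DIR"' EXIT

# Constructed "weak" config: fails open, auto-push on, readable by everyone.
DUO_WEAK_CONF="$DUO_DEMO_DIR/pam_duo.weak.conf"
cat > "$DUO_WEAK_CONF" <<'EOF'
[duo]
; Integration key, secret key and API hostname from OIT Security (placeholders)
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
; If the Duo service cannot be reached, let the first factor alone through
failmode = safe
; Send a Duo Push as soon as the first factor succeeds
autopush = yes
EOF
chmod 644 "$DUO_WEAK_CONF"

# Constructed "hardened" config: fails secure, user picks the second factor,
# readable only by the owner (root in a real deployment).
DUO_GOOD_CONF="$DUO_DEMO_DIR/pam_duo.good.conf"
cat > "$DUO_GOOD_CONF" <<'EOF'
[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
failmode = secure
autopush = no
EOF
chmod 600 "$DUO_GOOD_CONF"

# duo_conf_get FILE KEY: print the value of KEY (first match). Comment lines
# start with ';' or '#', so they never match the "KEY =" pattern.
duo_conf_get() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | head -n 1
}

# audit_duo_conf FILE: print one line per finding. Returns 0 only when the
# credentials are present, failmode is secure, autopush is off and the file
# (which holds skey) is not readable by group or others.
audit_duo_conf() {
    conf=$1
    rc=0
    for key in ikey skey host; do
        if [ -z "$(duo_conf_get "$conf" "$key")" ]; then
            echo "FAIL: $key is not set in $conf"
            rc=1
        fi
    done
    failmode=$(duo_conf_get "$conf" failmode)
    if [ "$failmode" != "secure" ]; then
        echo "WARN: failmode is '${failmode:-unset, defaults to safe}': logins pass with one factor while Duo is unreachable"
        rc=1
    fi
    if [ "$(duo_conf_get "$conf" autopush)" = "yes" ]; then
        echo "WARN: autopush=yes: a Unix login cannot cancel the push, so users with no signal or on a bypass code get stuck"
        rc=1
    fi
    # GNU stat first, BSD stat as fallback; both print e.g. 600 or 644
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    case $mode in
        *00) ;;
        *) echo "FAIL: $conf has mode $mode; it holds skey and must not be group- or world-readable"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo: the weak file produces three findings, the hardened file none.
for f in "$DUO_WEAK_CONF" "$DUO_GOOD_CONF"; do
    echo "== $f"
    if audit_duo_conf "$f"; then
        echo "OK: matches the hardened settings"
    fi
done
```

To check a real deployment, point `audit_duo_conf` at `/etc/duo/pam_duo.conf` (or `login_duo.conf`) instead of the constructed files. Whether `failmode = secure` is right for a given host is still the policy call described in step 3: the audit only makes the choice visible, which matters because the default when the line is absent is fail-safe.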