Why Duo
PrivacyIDEA served as our first MFA solution — self-hosted, TOTP-based, running in Docker on cainfra01. It worked, but the user experience was painful: manually typing 6-digit codes from an authenticator app for every logon. And the admin overhead of managing a self-hosted TOTP server wasn't justified for a lab environment.
Cisco Duo offered three things PrivacyIDEA couldn't:
- Push-based authentication. Tap "Approve" on your phone instead of typing codes.
- Free tier for up to 10 users. More than enough for a lab.
- Industry-standard experience. Duo is deployed at thousands of enterprises — learning it here translates directly to production environments.
Architecture
Duo's architecture for on-premises AD environments uses an Authentication Proxy — a lightweight service that sits between your applications and Duo's cloud:
- Duo Authentication Proxy deployed on cainfra01, listening on RADIUS port 1812
- AD service account (svc-duo) with read-only access for user lookups
- Duo-MFA-Users security group in AD to control which accounts require MFA
Deployment Steps
1. Remove PrivacyIDEA
Stopped and removed the PrivacyIDEA Docker containers from cainfra01. Cleaned up the nginx reverse proxy configuration and DNS records.
2. Duo Authentication Proxy
Installed the Duo Authentication Proxy on cainfra01. Configured authproxy.cfg with:
- AD/LDAP connection to CADC01 for user authentication
- Duo API credentials (integration key, secret key, API hostname)
- RADIUS server section listening on port 1812
3. Duo for Windows Logon
Installed the Duo Authentication for Windows Logon MSI on CADC01 (primary domain controller). Configuration required setting registry keys manually — the MSI silent install parameters don't apply correctly.
- AutoPush: Enabled — automatically sends a push notification on logon
- FailOpen: Enabled — allows logon if Duo cloud is unreachable (lab environment, not production-appropriate)
- Protected: Windows logon + RDP sessions
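As an added example (not from the original post), here is the manual registry configuration for step 3 as a PowerShell script, run elevated on CADC01 after the MSI install. It assumes the key path and value names from Duo's Windows Logon documentation (DuoCredProv); the IKey, SKey and Host values are placeholders, and it reads the values back to confirm they actually landed, which is the check you want when the silent install did not apply them.

```powershell
# Added example: set Duo for Windows Logon registry values by hand after the MSI install,
# because the silent-install parameters did not take effect. Run in an elevated PowerShell.
# Key path and value names follow Duo's documented DuoCredProv settings (assumption).
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

$Settings = @{
    IKey     = 'DIXXXXXXXXXXXXXXXXXX'         # placeholder: integration key from the Duo admin panel
    SKey     = 'REPLACE_WITH_SECRET_KEY'      # placeholder: secret key (do not commit real values)
    Host     = 'api-xxxxxxxx.duosecurity.com' # placeholder: API hostname
    AutoPush = 1   # send a push automatically at logon (AutoPush enabled, as above)
    FailOpen = 1   # allow logon if Duo is unreachable; lab only, use 0 (fail closed) in production
    RdpOnly  = 0   # 0 = protect console logon and RDP sessions; 1 = RDP only
}

# Create the key if the installer did not leave it behind
if (-not (Test-Path $DuoKey)) {
    New-Item -Path $DuoKey -Force | Out-Null
}

# Write each value with the right registry type (DWORD for flags, REG_SZ for strings)
foreach ($name in $Settings.Keys) {
    $value = $Settings[$name]
    $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
    Set-ItemProperty -Path $DuoKey -Name $name -Value $value -Type $type
}

# Read back and verify: the point of this check is to catch values that silently did not apply
$applied = Get-ItemProperty -Path $DuoKey
foreach ($name in $Settings.Keys) {
    $ok = ($applied.$name -eq $Settings[$name])
    '{0,-8} {1}' -f $name, $(if ($ok) { 'OK' } else { "MISMATCH (got '$($applied.$name)')" })
}
```

A restart of the logon session (or the machine) is needed before the credential provider picks up changed values, so verify with a fresh RDP logon after running this.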
4. User Enrollment
Added lab accounts to the Duo-MFA-Users group, then enrolled devices through Duo's self-service portal. Each user gets a push notification on their phone for every logon attempt.
Future: VPN MFA via RADIUS
The Authentication Proxy's RADIUS interface is ready for VPN integration. When we deploy WireGuard with authentication, the VPN client will authenticate against RADIUS → Duo Auth Proxy → AD + Duo push. Same MFA experience, extended to remote access.
Key Takeaways
- Push beats TOTP. The reduction in friction is massive — "tap approve" vs "open app, find code, type 6 digits before it expires."
- Duo MSI silent install is broken. The installer accepts parameters but doesn't apply them. Set registry keys manually after install.
- RADIUS is the universal adapter. Once the Auth Proxy is running, any RADIUS-capable application gets Duo MFA for free.
- Free tier is genuinely usable. 10 users, push authentication, AD integration — no credit card required.