How do I use Duo to enable 2FA for connections to VNC Server?

Follow

This article provides the steps for a basic set up with VNC Server requiring 2FA for all connections. This is achieved using Duo's Authentication Proxy and Duo Free. For more information about Duo see https://duo.com/

This article is written using Windows as the Operating System for Duo Authentication Proxy and VNC Server. Any Operating System can be used for VNC Viewer, including VNC Viewer for Android and VNC Viewer for iOS.

If you have a single VNC Server, Duo Authentication Proxy can be installed on the same computer as VNC Server.
If you have multiple VNC Servers, Duo Authentication Proxy only needs to be installed on one of the VNC Server computers.

Part 1 - Duo Account, Duo Application and Duo Users

Sign up for a Duo account

  1. Sign up for a Duo account: https://signup.duo.com/
  2. After you have verified your account you will be prompted to set a password and (optionally) enable Duo Push for admin access. Complete these steps and you will be taken to the Admin Dashboard

Add RADIUS as a Protected Application

  1. In the Admin Dashboard, click Applications, then click Protect an Application
  2. Search for RADIUS and click Protect next to the RADIUS option (padlock icon)
  3. On the next screen, you will be shown an Integration key, Secret key, and API hostname. You will need these when configuring Duo Authentication Proxy (below)

Add Users

Admin Dashboard

  1. In the Admin Dashboard, click Users, then click Add User
  2. Enter the username of the user to add
    This should match the username you use when connecting to VNC Server
  3. Fill in your full name and email address and click Save Changes
  4. At the top, click Send Enrolment Email and then Log Out of Duo Admin by clicking your name in the top right corner

User Enrolment

  1. Click the link in the enrolment email once you have received it
  2. Follow the on-screen prompts to complete enrolment process by installing Duo Mobile on your Android/iOS device

Part 2 - Duo Authentication Proxy

Installing Duo Authentication Proxy

  1. Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe
    Note that the actual filename will reflect the version e.g. duoauthproxy-5.4.0.exe. View checksums for Duo downloads here
  2. Run the Authentication Proxy installer and follow the on-screen prompts
  3. When the installer finishes, clear the "Open Authentication Proxy configuration file" checkbox and click Finish

Further information about installation can be found here: https://duo.com/docs/authproxy-reference#installation

Configuring Duo Authentication Proxy

  1. Open Notepad as Administrator by searching for Notepad in the Start Menu, then right click the Notepad app result and click Run as administrator
  2. Click File then click Open and navigate to C:\Program Files\Duo Security Authentication Proxy\conf
  3. Change the dropdown in the bottom right from Text Documents to All Files.
  4. Double-click the authproxy.cfg file to open it
  5. Locate the [radius_server_auto] section, and change it to [radius_server_challenge]
  6. Configure the settings listed in authproxy.cfg as per the below:
    • ikey
      Set this using the Integration key for the RADIUS application from the Duo Admin Dashboard
    • skey
      Change skey to skey_protected
      Next, open Command Prompt from the Start Menu and run the following command (including the quotes): "C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_passwd.exe" mysecretkey
      (where mysecretkey is the Secret key for the RADIUS application from the Duo Admin Dashboard)
      This will generate a long string. Copy this and paste it after skey_protected= , e.g. skey_protected=xxxYYYzzz
    • api_host
      Set this using the API hostname for the RADIUS application from the Duo Admin Dashboard
    • radius_ip_1
      If you have a single VNC Server, set radius_ip_1 to IP address of the VNC Server computer, e.g. radius_ip_1=192.168.1.10/32
      If you have multiple VNC Servers, set radius_ip_1 to the IP address subnet of your network, e.g. radius_ip_1=192.168.1.1/24
    • radius_secret_1
      Change radius_secret_1 to radius_secret_protected_1
      This is the secret that you will also use in VNC Server. Choose a secret that you want to use and make a note of it, you will need it when you configure VNC Server.
      Next, open Command Prompt from the Start Menu and run the following command (including the quotes): "C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_passwd.exe"
      Type in the secret that you chose above, and re-enter it when prompted. This will generate a long string. Copy this and paste it after radius_secret_protected_1= , e.g. radius_secret_protected_1=xxxYYYzzz
    • failmode
      Change failmode=safe to failmode=secure
    • client
      Change client=ad_client to client=duo_only_client
    • Add a new line below port=1812 that reads: prompt_form=console
  7. Add a blank line after prompt_form=console, and then add another new line that reads: [duo_only_client]
  8. Save and close the file
  9. Open Services.msc from the Start Menu, locate the Duo Security Authentication Proxy Service and (re)start it. If you receive an error, please check your configuration file.

Further information about configuration can be found here: https://duo.com/docs/authproxy-reference#configuration

Part 3 - VNC Server

Configuring VNC Server

  1. Open VNC Server's Options
  2. Change the Authentication dropdown to Windows password + RADIUS authentication
  3. Click Set up VNC Server for RADIUS...
  4. Configure the settings shown as per the below:
    • RADIUS server
      This is the IP address of the computer running Duo Authentication Proxy, e.g. 192.168.1.10
    • RADIUS secret
      This is the RADIUS secret that you chose earlier when configuring Duo Authentication Proxy. This should be entered as the plain text secret and not the converted secret saved in authproxy.cfg
    • Client IP address
      Left blank
    • VNC Viewer prompt
      Left blank - delete the default prompt
      Set this using the API hostname for the RADIUS application from the Duo Admin Dashboard
    • Authentication protocol
      Set to PAP
    • Timeout
      Leave as 60
  5. Click OK, then click Apply followed by OK to close the Options window

Part 4 - VNC Viewer

Connecting

  1. Connect to your VNC Server as normal using VNC Viewer
  2. Enter your username and password for the remote computer, i.e. your Windows username and password
  3. You will see a prompt for your 2FA login
    duoprompt.png
  4. You can either 
    1. Enter a passcode from the Duo Mobile app
    2. Receive a push notification to approve/deny the login attempt
    3. Receive an SMS passcode to enter
  5. After successfully authenticating via Duo, you will be connected to your VNC Server
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.