Meraki + Duo VPN MFA with hardware token

Hi,

does anyone know if it is possible to set up Meraki with Duo and Windows RADIUS so that you need a hardware token to log in to the VPN?

At the moment we use Meraki + Windows RADIUS + Duo MFA with mobile push and that's working fine, but we don't want to buy everyone a smartphone just for using MFA.

We bought some Feitian K9 Plus keys but I couldn't get them working. I'm also not sure how the token is supposed to communicate with Duo.

It doesn’t work and their support (Duo) was useless in helping. We could get folks logged in but then they’d get locked out of their accounts due to password being incorrect. They had a couple of fixes for us to try but nothing worked. We gave up and now have it in our remote work agreement that you need to own a smart phone for authentication purposes.

Not sure of the need for hardware tokens, most people have a smartphone (doesn't have to be a business phone, can be personal), but Duo does support tokens from some third parties and they offer their own D-100 fob:

Choose Your Token

Duo supports third-party hardware tokens, like Yubico’s YubiKeys, or any OATH HOTP-compatible tokens. Third-party hardware tokens can be imported into the system by an administrator.

Order Tokens Directly from Duo

Duo’s D-100 tokens have an expected minimum battery lifetime of 2 years. They are only available in increments of 10. You can purchase tokens from the Duo Admin Panel or through your Account Team.

https://duo.com/product/multi-factor-authentication-mfa/authentication-methods/tokens-and-passcodes

https://guide.duo.com/tokens

Thanks for your answers.

In the Documentation it says:

A numeric passcode:

Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator. Examples: “123456” or “2345678”.

username: bob

password: hunter2,123456

This is clear for tokens that generate and display the code, but how is it possible for hardware tokens that use HOTP and only have a button?

Shouldn’t there be an option that uses the hardware token like

username: bob

password: hunter2,hotp

or something like that?

Of course the hardware token is added to the duo user.

What about using SAML?

The Feitian K9 is a FIDO security key, which is not yet supported by Meraki VPN natively (however you can use a workaround, but then Duo is out of the equation).

Some K9 models have HOTP functionality, which can be used with Duo. You need special software (ask your vendor) to write a random HOTP seed to the device, then import it to the Duo admin panel.

You need to use SAML instead of RADIUS, and then it is possible.

https://duo.com/docs/sso-meraki-secure-client
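To make the two HOTP points above concrete (the "hunter2,123456" append-mode format from the Duo docs, and the "write a seed, then import it" workflow for a button-only fob), here is an added example that is not from the original thread, from Duo, or from Feitian. It implements RFC 4226 HOTP, simulates a button-only fob that emits the next code on each press (real button-only keys typically type the code into the focused field as a USB keyboard, so the user puts the cursor after the comma and presses the button), simulates the server side that holds the imported seed and resynchronises within a look-ahead window, and splits the append-mode password field. The window size, the counter handling and the split-on-last-comma rule are this example's assumptions, not a description of Duo's internal logic; the seed used is the RFC 4226 test vector.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); a real
# token gets a random seed written by the vendor's programming tool and the
# same seed is imported into the Duo admin panel.
RFC4226_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class ButtonOnlyFob:
    """Simulates a fob with no display: every button press advances the
    counter and emits the code for the previous counter value."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class HotpValidator:
    """Server side: knows the imported seed and the next expected counter.
    Accepts a code if it matches any counter in [next, next + window), which
    tolerates presses that never reached the server, and never accepts a
    counter at or below one already used (replay protection)."""

    def __init__(self, seed: bytes, window: int = 20):
        self.seed = seed
        self.next_counter = 0
        self.window = window  # assumption for this example, not Duo's value

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.next_counter = c + 1
                return True
        return False


def split_append_mode(password_field: str):
    """Split a RADIUS password field in append mode, e.g. 'hunter2,123456',
    into (password, passcode). Splitting on the LAST comma keeps passwords
    that themselves contain commas intact; a field with no comma carries no
    passcode (the proxy would then fall back to push/phone or reject)."""
    if "," not in password_field:
        return password_field, None
    password, _, passcode = password_field.rpartition(",")
    return password, passcode


def simulate_login(validator: HotpValidator, password_field: str,
                   expected_password: str) -> bool:
    """First factor (the AD password) and second factor (the HOTP code)
    are both required; the order of checks mirrors a RADIUS proxy that
    verifies the password before consulting the second factor."""
    password, passcode = split_append_mode(password_field)
    if not hmac.compare_digest(password, expected_password):
        return False
    if passcode is None:
        return False
    return validator.verify(passcode)


if __name__ == "__main__":
    fob = ButtonOnlyFob(RFC4226_SEED)
    server = HotpValidator(RFC4226_SEED)
    # User presses the button twice without logging in, then logs in:
    fob.press(); fob.press()
    field = "hunter2," + fob.press()
    print(field, "->", simulate_login(server, field, "hunter2"))
    print("replay ->", simulate_login(server, field, "hunter2"))
```

The validator is the part worth paying attention to when a fob "stops working": if the user presses the button more times than the window allows between logins, the server's counter falls out of range and the token has to be resynchronised by an administrator.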

I can confirm Duo do support 3rd party hardware tokens, and the process should be pretty similar regardless of which provider you use (see our wiki guide for an example using SafeID tokens with Duo).