Like many 2FA solutions, Duo allows network devices, such as WTI device and products to integrate with its service using the RADIUS protocol.
To enable Duo 2FA for your WTI Device, follow the steps at: https://duo.com/docs/radius
When following the above instructions, please note:
- According to Duo's terminology, the WTI Device is the "RADIUS device" that runs a "RADIUS client" to connect to the Duo authentication proxy
- In Duo's Network Diagram section, the WTI Device is the "Application or Service"
- To enable WTI's RADIUS Dictionary capability to control user authorization, you must also:
- Use a "real" RADIUS server as your primary authenticator, i.e. configure the [radius_client] section of authproxy.cfg
- In this section set: pass_through_all=true
Duo proxy config: authproxy.cfg
The Duo proxy config file should be on the machine you installed the Duo proxy program, at this file location:
The actual primary authenticator,RADIUS server is at
The WTI Device is
WTI Device configuration
Duo recommend setting the RADIUS device's client to retry 10 times with a timeout of 10 seconds to allow enough time for the proxy to contact its cloud service and the user to interact.
Where the Duo authentication proxy is at 192.168.100.70:
Set the WTI Device RADIUS settings to the following:
- Primary Host/Address: 192.168.100.70
- Primary Secret Word: duoproxysecret
- Fallback Timer: 10 Sec
- Retries: 10
- Session Module Type: Disable
If you are using the web interface
- OneTime Auth: On
- OneTime Auth Timer: 5
You may test as per the Duo instructions, e.g. login to the WTI Device specifying the password as: password123,123456 (where your primary authenticator RADIUS password is password123 and your Duo code is 123456). You can also use the DUO Push, Text or Phone call to test your configuration.
Ensure that the username exists on the primary authenticator RADIUS server and has also been enrolled using Duo's cloud portal.
This will get you to the RADIUS configuration menu