
Integrating Duo Security with F5 BIG-IP Access Policy Manager

Duo Security integrates into F5 BIG-IP Access Policy Manager as a full-featured two-factor authentication solution. It offers inline self-enrollment and an interactive, user-friendly login experience that lets the user select from a wide range of authenticators: Duo Push, Duo Mobile, phone callback, SMS passcodes, and even hard tokens. This integration guide was built for BIG-IP Version 11.4 or newer and provides a detailed step-by-step install with included screenshots of both the Duo and BIG-IP configuration.


The Duo Authentication Proxy is required and can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

I installed this on a Windows Server 2008 R2 running on ESXi 5.5.

This is tested to work on 11.4 and greater; the lab this was tested in used BIG-IP Version 11.6.0 HF4. There are three kinds of deployment scenarios for the Duo two-factor authentication solution, and they can be used in tandem, as they are in this lab. The first works much like any other one-time-passcode solution (requires the Duo Mobile app). The second uses Duo Push (requires the Duo Mobile app), which pushes a notification to your mobile device and lets you select Approve/Deny. The third calls your mobile, and you are then asked to press any button on your keypad to approve the session (requires the Duo Mobile app).

Follow the guide on Duo’s website to configure the Windows Server 2008 R2 or Linux install of Duo Security, or follow the step-by-step guide included below in the Windows Server 2008 R2 Installation section.

Link to Guide:

Your BIG-IP Access Policy will look similar to the following. I have a secondary login page so as not to confuse the users logging in to my lab. Most enterprises use a single login page that requires some form of authentication plus a second factor such as Duo Security.

BIG-IP v11.4.x

Click on the item and then insert the following JS snippet at the end of the Advanced Customization Editor Footer within Access Policy > Customization > (The Duo Security Access Policy) > Common > text input box and click Save:

script src=""

Change the XXXXXX above to match the API for this configuration within your Duo Security account online. Also make sure to use the proper HTML syntax for the script tags; they were removed here to avoid conflicts.


BIG-IP v11.5+

Instead of the you have to make the change to the configuration item located in the same spot within the UI and then insert the following JS snippet at the end of the Advanced Customization Editor Footer text input box and click Save:

script src=""

As mentioned above, be sure to change XXXXXXX to match the API key for the configuration within your Duo Security online web account. Also make sure to use the proper HTML syntax for the script tags; they were removed here to avoid conflicts.


Windows Server 2008 R2 Installation

  1. Download the Duo Authentication Proxy for Windows
  2. On the Windows system you have chosen to host the Duo Authentication Proxy, launch the proxy installer and follow the on-screen prompts. I set up the Authentication Proxy in a virtual machine on VMware ESXi running Windows Server 2008 R2.
  3. Copy the DuoAuthProxy exe file to the machine you are installing the Duo Authentication Proxy on. I chose 2.4.11 as shown below in the screenshot. Double-click on the installer.


  4. Click I Agree through the EULA.


  5. The installation will commence as shown below.


  6. Click on Close to finish the installer as shown below.



As per the Duo Documentation on the website, after the installation completes, you will need to configure the proxy. The Duo Authentication Proxy configuration file is named authproxy.cfg, and is located in the conf subdirectory of the proxy installation. With default installation paths, the proxy configuration file will be located at:

  • Windows (64-bit) - C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Windows (32-bit) - C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg
  • Linux - /opt/duoauthproxy/conf/authproxy.cfg

The configuration file is formatted as a simple INI file. Section headings appear as:


Individual properties beneath a section appear as:


The Authentication Proxy may include an existing authproxy.cfg with some example content. For the purposes of these instructions, however, you should delete the existing content and start with a blank text file. We recommend using WordPad or another text editor instead of Notepad when editing the config file on Windows.

Configure the Proxy for Your Primary Authenticator

For the primary authenticator, you can use either RADIUS or Active Directory, or a combination of the two. This example uses both. It keys off of RADIUS (Duo) as an AAA object with APM and performs a check to make sure the user is configured with the Duo service within Active Directory.

  1. In this step, you’ll set up the Proxy’s primary authenticator - the system which will validate users’ existing passwords. In most cases, this means configuring the Proxy to communicate with Active Directory or RADIUS. The required and optional field parameters for the ad_client and radius_client sections are linked directly from the Duo Security site. The example configuration for this article is below.
    service_account_password=(Left Blank)
    security_group_dn=CN=Duo Security Users,OU=Duo Security User Groups,OU=Duo Security,OU=UTS Custom,DC=uts,DC=local
    radius_secret_1=(Password Here)
  2. Retrieve the Integration Key, Secret Key, and API Hostname from your Duo Account


  3. Ensure that you have a username provisioned in your Duo account that has a phone attached and provisioned for the Active Directory or LDAP user account you are using on the initial login through the APM access policy


    See phone number in the Godar account as per below:


  4. Restart the Duo Service in services.msc
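
Before restarting the service, it is worth checking that no secret in authproxy.cfg is still blank, a placeholder, or too short. The following check is an added example, not code from the original post or from Duo; the `radius_server_iframe` section name, the `client` reference, and the 16-character minimum are assumptions made for illustration.

```python
import configparser

# Constructed sample: the three property lines follow the article's excerpt
# (placeholders included); the section names they sit under and the client=
# reference are assumptions about the surrounding file.
SAMPLE_CFG = """\
[ad_client]
service_account_password=
security_group_dn=CN=Duo Security Users,OU=Duo Security User Groups,OU=Duo Security,OU=UTS Custom,DC=uts,DC=local

[radius_server_iframe]
client=ad_client
radius_secret_1=(Password Here)
"""

PLACEHOLDERS = ("password here", "left blank", "changeme", "xxxx")
MIN_SECRET_LEN = 16  # assumed local policy, not a Duo requirement


def is_secret_key(name):
    """Treat any password/secret property, or the Duo secret key, as sensitive."""
    return "secret" in name or "password" in name or name == "skey"


def lint_authproxy(text):
    """Return (section, key, problem) tuples for the body of an authproxy.cfg."""
    # Split only on '=' so DN values keep their own '=' and ':' characters;
    # interpolation is off so '%' in a secret is read literally.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            value = value.strip()
            if key == "client" and not cfg.has_section(value):
                findings.append((section, key, "unknown section"))
            if not is_secret_key(key):
                continue
            if not value:
                findings.append((section, key, "blank"))
            elif any(p in value.lower() for p in PLACEHOLDERS):
                findings.append((section, key, "placeholder"))
            elif len(value) < MIN_SECRET_LEN:
                findings.append((section, key, "short"))
    return findings


if __name__ == "__main__":
    for section, key, problem in lint_authproxy(SAMPLE_CFG):
        print(f"[{section}] {key}: {problem}")
```

A blank `service_account_password` is reported rather than rejected, so that it gets a deliberate review instead of being left empty by accident.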


APM Configuration

  • AAA Config


  • APM Visual Policy


  • APM Visual Policy Macros
    • 2-Factor Auth Decision



    • Duo Auth



APM IFRAME Footer in APM Policy

You will put this in the footer of the APM policy that is using the Duo Configuration. This allows the iFrame to pop up after you have added your username to the Duo account online. This will allow text, push, or call methods by accessing this api/js.



More Stories By Jason Rahm
