This document describes the overall process for creating and migrating applications to Duo two-factor authentication in the U-M environments. Beginning July 20, 2016, the university will begin using Duo for two-factor authentication instead of MTokens.
Simple SSH and RDP Applications
The following steps are the end-to-end process to set up two-factor authentication with Duo for Windows RDP (Remote Desktop Protocol) or for SSH on your Unix server in the Duo Production environment. This is for configurations using only U-M default policy settings and no trusted networks or devices. For more complex configurations, see the steps below under Other Applications.
- Submit service request.
Submit a service request for the ITS Identity and Access Management (IAM) Operations team to create the application in the U-M production sub-account. In the request, include:
- The type of Application (i.e., SSH or RDP)
- The name of the application that needs to be migrated in the service request - refer to Duo Naming Conventions for the guidelines
The application migration and registration process will take 1-3 days from the time the service request is received by ITS IAM.
- ITS creates the application and communicates secure information.
ITS IAM runs a create script to create the application in the production sub-account. ITS communicates the i-Key, s-Key, and application host name back to the systems administrator viaU-M Box. - Run the SSH or RPD installation steps.
Refer to the applicable procedure to complete the installation steps:
Other Applications
Other applications will be staged in the Test environment, then copied to Production. Other applications include:
- Any configuration that you would like to test prior to migrating to production
- Routers or other appliances that use RADIUS or LDAP for two-factor support
- Configurations that need to specify trusted networks or devices
- Configurations that need to restrict the allowable token devices
The end-to-end process detailed in the following steps is to request administrative access in the Duo Test environment, create and test your application in the Duo Test environment, and then have ITS copy the application into the Duo Production environment.
- Submit an OARS (Online Access Request System) request for access.
Submit an OARS request for the Duo Application Manager role. On the OARS Request page, you will find this role under IAM / Two-Factor / MCommunity. Please submit a separate request for each person who will need the access and include the person’s cell phone number in the comments of the request. You will receive instructions on how to access the the Duo Test environment 1-3 days from the time the service request is received by ITS IAM. - Create and test your application in the Duo Test environment.
Go to the Duo Test environment and refer to Duo’s Protecting an Application instructions to create and test your application using the following settings:
- New user policy should be Deny, to match Production.
- Trusted Networks are strongly discouraged.
If the application requires the use of the Auth Proxy to integrate with Duo (Bomgar, Palo Alto SSL VPN, VMWare View, etc.), submit a service request to the ITS Service Center to set up your application on the Test proxy:
- Provide the IP addresses of all applications that will be protected for the authproxy.cfg settings.
- There will also be a shared secret (i.e., plain-text random text string) between the Auth Proxy and the application. ITS will create it and share it with you. The configurations will be shared via
U-M Box.
- Submit service request.
Submit a service request to the ITS Service Center for the ITS IAM Operations team to migrate the application to the U-M production sub-account. Include the name of the application that needs to be migrated in the service request. - ITS migrates the application.
ITS runs a migrate script to copy the application from the non-production sub-account to the production sub-account. For applications that use the Auth Proxy (e.g., Array SSL VPN, Bomgar, VMWare View, etc.), ITS migrates the settings from authproxy.cfg to the prod Auth Proxy as necessary. - ITS provides information.
ITS communicates the i-Key, s-Key, and application host name back to the systems administrator viaU-M Box.
Event Logging
The Duo application collects event logs containing information about authentication, changes to applications, and changes to the Duo application itself.
Refer to Duo Administrative Access and Account Structure for descriptions of who is granted administrative roles in the Duo application. Access to the event logs in highly restricted. To report an IT security incident to be investigated in the event logs, contact the ITS Service Center.