Integrating CyberArk’s PAS Solution With Duo’s 2FA

CyberArk’s PAS solution uses the Password Vault Web Access (PVWA) system, through which users request passwords and high-level administrators approve those requests. Access to this system should be as secure as possible. Integrating it with a multi-factor authentication system such as Duo makes the login process more secure: the user is authenticated on the LDAP password as well as on the response the Duo Authentication Proxy receives from Duo Push, which is set up on the user’s mobile device.

In the current demo, an LDAP user named “testuser” is created on the Active Directory domain controller as well as in the Duo instance.

Once the accounts have been created, the Duo Authentication Proxy is set up and configured as the primary LDAP host for authentication.

The Duo Authentication Proxy is a service that runs on either Windows or Linux. It is configured through the file authproxy.cfg.

Both the details of the Duo instance and the details of the LDAP server used for primary authentication are configured in authproxy.cfg.

The firewall must allow outbound traffic to the Duo instance using HTTPS.

Access to the PVWA is granted only when both primary and secondary authentication succeed.
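The following is an added example, not part of the original post or of Duo's or CyberArk's own tooling: a small audit of an authproxy.cfg for the settings that decide whether both factors are really enforced and protected in transit. The sample file is constructed (hosts, keys and DNs are placeholders), the function name `audit_authproxy` is hypothetical, and it assumes the `[ad_client]` / `[ldap_server_auto]` layout that fits the LDAP setup described above.

```python
import configparser

# Constructed sample authproxy.cfg; hosts, keys and DNs are placeholders.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.local
service_account_username=svc_duoproxy
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=local
transport=clear

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
failmode=safe
port=389
"""

def audit_authproxy(cfg_text):
    """Return a list of findings for security-relevant proxy settings."""
    # interpolation=None so '%' characters in secrets are not treated as syntax.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(cfg_text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        if name.startswith("ad_client"):
            # transport defaults to clear: the bind to AD is unencrypted.
            if sec.get("transport", "clear").lower() == "clear":
                findings.append(f"{name}: LDAP bind to the domain controller is cleartext")
            if "service_account_password" in sec:
                findings.append(f"{name}: service account password stored in plaintext")
        if name.startswith("ldap_server_auto"):
            # failmode defaults to safe: logins pass on primary auth alone
            # when the Duo service cannot be reached.
            if sec.get("failmode", "safe").lower() != "secure":
                findings.append(f"{name}: failmode is not 'secure'; 2FA is skipped if Duo is unreachable")
            if not (sec.get("ssl_key_path") and sec.get("ssl_cert_path")):
                findings.append(f"{name}: no certificate configured; clients cannot use LDAPS/STARTTLS to the proxy")
            if "skey" in sec:
                findings.append(f"{name}: Duo secret key stored in plaintext")
    return findings

if __name__ == "__main__":
    for finding in audit_authproxy(SAMPLE_CFG):
        print("WARN", finding)
```

With `failmode=safe`, a blocked outbound HTTPS path to Duo silently reduces the PVWA login to LDAP password only, so the firewall rule and this setting should be reviewed together.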