This document describes the overall process for creating and migrating applications to Duo two-factor authentication in the U-M environments.
Simple SSH and RDP Applications
The following steps are the end-to-end process to set up two-factor authentication with Duo for Windows RDP (Remote Desktop Protocol) or for SSH on your Unix server in the Duo Production environment. This is for configurations using only U-M default policy settings and no trusted networks or devices. For more complex configurations, see the steps below under Other Applications.
- Submit service request.
Submit a service request for the ITS Identity and Access Management (IAM) Operations team to create the application in the U-M production sub-account. In the request, include:
- The type of Application (i.e., SSH or RDP)
- The name of the application that needs to be migrated in the service request (refer to Duo Naming Conventions for the guidelines)
The application migration and registration process takes one to three days from the time ITS IAM receives the service request.
- ITS creates the application and communicates secure information.
ITS IAM runs a create script to create the application in the production sub-account. ITS communicates the i-Key, s-Key, and application host name back to the systems administrator via U-M Dropbox.
- Run the SSH or RDP installation steps.
Refer to the applicable procedure to complete the installation steps:
Other Applications
Other application types may also be available for integrations other than RDP or SSH:
- Routers or other appliances that use RADIUS or LDAP for two-factor support
- Configurations that need to specify trusted networks or devices
- Configurations that need to restrict the allowable token devices
IAM staff can assist with these configurations.
Submit a service request to the ITS Service Center for the ITS IAM Operations team to create the application in the U-M production sub-account. Include the name of the application that needs to be created in the service request. ITS will communicate the i-Key, s-Key, and application host name back to the system administrator via U-M Dropbox.
If the application requires the use of the Auth Proxy to integrate with Duo, additional configuration is needed to set up your application on the proxy:
- Provide the IP addresses of all applications that will be protected for the authproxy.cfg settings.
- There will also be a shared secret (plain-text random text string) between the Auth Proxy and the application. ITS will create it and share it with you. The configurations will be shared via U-M Dropbox.
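As an added illustration (not an ITS tool or configuration), the script below parses a constructed authproxy.cfg and checks the items listed above: that each protected application IP has its own shared secret of reasonable length, that the i-Key, s-Key and host name are filled in, and that failmode is set so the proxy does not wave users through when Duo is unreachable. Section and key names follow the public Duo Authentication Proxy documentation; all values in the sample are placeholders.

```python
"""Sanity-check a Duo Authentication Proxy config before deploying it.
Added example: the sample config is constructed with placeholder values,
and the checks are this example's own, not an ITS-provided tool."""
import configparser

# Constructed sample: one RADIUS-facing section protecting two appliances.
# radius_secret_2 and failmode are deliberately weak so the checks fire.
SAMPLE_CFG = """
[duo_only_client]

[radius_server_auto]
ikey=PLACEHOLDER_IKEY_FROM_ITS
skey=PLACEHOLDER_SKEY_FROM_ITS
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_LONG_RANDOM_SHARED_SECRET_1
radius_ip_2=192.0.2.11
radius_secret_2=short
failmode=safe
client=duo_only_client
port=1812
"""

MIN_SECRET_LEN = 16  # assumed local minimum, not a Duo requirement


def check_authproxy(text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if "radius_server_auto" not in cp:
        return ["no [radius_server_auto] section"]
    sec = cp["radius_server_auto"]
    findings = [f"missing {k}" for k in ("ikey", "skey", "api_host") if not sec.get(k)]
    # Every protected appliance needs a radius_ip_N with a matching radius_secret_N.
    n = 1
    while f"radius_ip_{n}" in sec:
        if len(sec.get(f"radius_secret_{n}", "")) < MIN_SECRET_LEN:
            findings.append(f"radius_secret_{n} for {sec[f'radius_ip_{n}']} is too short")
        n += 1
    if n == 1:
        findings.append("no radius_ip_N entries: no application would be protected")
    # Duo's default failmode is 'safe', which allows logins when Duo is unreachable.
    if sec.get("failmode", "safe") != "secure":
        findings.append("failmode is not 'secure': logins would bypass Duo if Duo is unreachable")
    return findings


if __name__ == "__main__":
    for line in check_authproxy(SAMPLE_CFG):
        print("FINDING:", line)
```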
Event Logging
The Duo application collects event logs containing information about authentication, changes to applications, and changes to the Duo application itself.
Access to the event logs is highly restricted. To report an IT security incident to be investigated in the event logs, contact the ITS Service Center.