Setting up DUO Authentication for SonicWALL SSL VPN

Today we’re going to set up Duo authentication for the SonicWALL SSL VPN, so that users must complete a second factor when they connect to the VPN. When they are prompted, it will look like the image below. Before you proceed, make sure the SSL VPN itself is already working; you can set it up using the SonicWALL guide found below
https://www.sonicwall.com/support/knowledge-base/how-can-i-setup-ssl-vpn/170505609285133/

Duo Admin Portal Setup

  1. Log into the Duo Admin Panel and, if you manage more than one account, select the desired customer. You can find the link for the Admin Panel here https://admin.duosecurity.com/login?next=%2F
  2. Select Applications on the left hand side and click Protect an Application
  3. Search for RADIUS and click Protect
  4. Note down the Integration key, Secret key, and API hostname; they go into the authproxy.cfg in the next section
  5. Name the application SonicWALL SSLVPN and adjust username normalization if needed (it controls how a login such as DOMAIN\user or user@domain is matched to a Duo user). You can reference this KB if needed
    https://help.duo.com/s/article/3261?language=en_US#:~:text=The%20%22Username%20normalization%22%20option%20controls,to%20a%20Duo%20user%20account

DUO Authentication Proxy Setup

  1. Install the Duo Authentication Proxy on a server. Duo recommends not installing it on a domain controller because of potential port conflicts. During installation, make sure the Proxy Manager option is checked
    https://dl.duosecurity.com/duoauthproxy-latest.exe
  2. Within the Proxy Manager, edit authproxy.cfg using the configuration below (lines starting with ; are comments). Reference the KB below if you need more information on any option
    https://duo.com/docs/authproxy-reference

    [ad_client]
    ; Domain controller used for primary (Active Directory) authentication
    host=SERVERNAME
    ; host_2=SERVERNAME2        (optional second domain controller for redundancy)
    ; Read-only service account the proxy uses to look users up and check group membership
    service_account_username=LDAP SERVICE ACCOUNT USERNAME
    service_account_password=LDAP SERVICE ACCOUNT PASSWORD
    ; Base of the user search, normally the distinguished name of the domain (e.g. DC=example,DC=com)
    search_dn=DISTINGUISHED NAME OF AD DOMAIN
    ; Only members of this group can log in through the proxy; everyone else is rejected before Duo is contacted
    security_group_dn=VPN GROUP DISTINGUISHED NAME

    [radius_server_auto]
    ; Values from the RADIUS application created in the Duo Admin Panel
    ikey=INTEGRATION KEY FROM DUO ADMIN PORTAL
    skey=SECRET KEY FROM DUO ADMIN PORTAL
    api_host=API HOSTNAME FROM DUO ADMIN PORTAL
    ; The proxy only answers RADIUS clients listed here; use the address the firewall sends from
    radius_ip_1=SONICWALL FIREWALL IP ADDRESS
    ; Long random string; the same value is entered as the Shared Secret on the SonicWALL later
    radius_secret_1=RADIUS SHARED SECRET FOR LATER USE ON SONICWALL
    ; safe   = fail open: if Duo cannot be reached, the login is allowed as long as primary authentication succeeds
    ; secure = fail closed: if Duo cannot be reached, the login is rejected even though primary authentication succeeds
    failmode=SAFE OR SECURE
    ; Primary authentication source defined in the [ad_client] section above
    client=ad_client
    ; UDP port the proxy listens on; the SonicWALL RADIUS server entry must use the same port
    port=1812
  3. Once you have modified authproxy.cfg, click Validate in the bottom left. It should show Validation passed; if not, review what you entered
  4. Click the Save button in the bottom left
  5. After saving, click Start Service in the top right if the service isn’t already running
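The Proxy Manager's Validate button checks that authproxy.cfg parses, not whether the choices it contains are sound. The script below is an added example for this guide, not the guide's own code and not part of Duo's Proxy Manager: it reads an authproxy.cfg and flags the settings a reviewer would question, using two constructed sample files. WEAK_CFG is the template above filled in with the defaults that are easy to leave behind (failmode=safe, LDAP over the default cleartext transport, secrets in the clear, a short shared secret); HARDENED_CFG shows the Duo Authentication Proxy options from Duo's reference that address each finding (transport=ldaps with ssl_ca_certs_file, the *_protected keys written by authproxy_passwd, failmode=secure). Host names, DNs, keys and the certificate path are placeholders.

```python
"""Lint an authproxy.cfg for the policy choices the Proxy Manager's Validate does not check.

Added example for this guide; not the guide's code and not part of Duo's tooling.
The two configs are constructed samples with placeholder hosts, DNs, keys and paths.
"""
import configparser

WEAK_CFG = """\
[ad_client]
host=dc01.example.internal
service_account_username=svc-duo
service_account_password=Summer2024!
search_dn=DC=example,DC=internal
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SECRET-KEY-PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_1=duo
failmode=safe
client=ad_client
port=1812
"""

HARDENED_CFG = """\
[ad_client]
host=dc01.example.internal
host_2=dc02.example.internal
service_account_username=svc-duo
; written by authproxy_passwd.exe so the plaintext password never sits in the file
service_account_password_protected=PROTECTED-VALUE-PLACEHOLDER
search_dn=DC=example,DC=internal
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=internal
; encrypt the LDAP session and verify the domain controller's certificate (placeholder CA path)
transport=ldaps
ssl_ca_certs_file=C:\\Program Files\\Duo Security Authentication Proxy\\conf\\ad-ca.pem
ssl_verify_hostname=true

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey_protected=PROTECTED-VALUE-PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.0.2.1
radius_secret_protected_1=PROTECTED-VALUE-PLACEHOLDER
; reject logins when Duo cannot be reached instead of falling back to password only
failmode=secure
client=ad_client
port=1812
"""


def lint_authproxy(text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)  # authproxy.cfg is plain INI with ; comments
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        s = cfg[name]
        if name.startswith("ad_client"):
            if "service_account_password" in s:
                findings.append(f"[{name}] service_account_password is stored in the clear; "
                                "run authproxy_passwd and use service_account_password_protected")
            if s.get("transport", "clear").lower() == "clear":  # Duo's default transport is clear
                findings.append(f"[{name}] transport is clear (the default); set transport=ldaps "
                                "or starttls with ssl_ca_certs_file so the domain controller is authenticated")
            elif "ssl_ca_certs_file" not in s:
                findings.append(f"[{name}] transport={s['transport']} but no ssl_ca_certs_file; "
                                "the proxy cannot validate the domain controller's certificate")
        elif name.startswith("radius_server"):
            if s.get("failmode", "safe").lower() != "secure":  # Duo's default failmode is safe
                findings.append(f"[{name}] failmode=safe (the default) fails open when Duo is "
                                "unreachable; set failmode=secure if MFA must always be enforced")
            if "skey" in s:
                findings.append(f"[{name}] skey is stored in the clear; use skey_protected")
            for key, value in s.items():
                if key.startswith("radius_secret_") and not key.startswith("radius_secret_protected_"):
                    protected = key.replace("radius_secret_", "radius_secret_protected_")
                    findings.append(f"[{name}] {key} is stored in the clear; use {protected}")
                    if len(value) < 16:
                        findings.append(f"[{name}] {key} is only {len(value)} characters; "
                                        "use a long random shared secret")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        results = lint_authproxy(text)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it against your own file with `lint_authproxy(open(path).read())` before clicking Validate; the weak sample produces six findings and the hardened sample none. Whether failmode=secure is right for you is a policy decision: it means a Duo outage also takes down VPN access, which is the trade-off the safe/secure comment in the configuration above describes.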

SonicWALL Setup

  1. Go to Device > Users > Settings and, in the User Authentication Settings section, click the Configure button next to Configure RADIUS
  2. On the Settings tab, under RADIUS Servers, add the hostname or IP address of the server running the Duo Authentication Proxy, using port 1812 (the port= value in authproxy.cfg)
  3. In the General Settings section use the values Duo recommends, and check Periodically check RADIUS servers that are down. The long timeout gives the user time to approve the Duo push before the firewall retries the request:
     RADIUS Server Timeout (seconds): 60
     Retries: 3
  4. On the RADIUS Servers tab, hover over the RADIUS server you created and click the Edit button
  5. Enter the Shared Secret; it must be exactly the radius_secret_1 value from the Duo Authentication Proxy step

 

Configuration should now be complete and it should work once tested; please let me know if you have any questions. Below is a step-by-step description of how the authentication flows.

Network Diagram

  1. Primary authentication initiated by user logging into the NetExtender VPN

  2. SonicWALL sends the authentication request to the Duo Security Authentication Proxy housed on the configured server

  3. Primary authentication to Active Directory via LDAP using LDAP service account

  4. Duo Authentication Proxy connection established to Duo Security over TCP port 443

  5. Secondary authentication via Duo Security’s service

  6. Duo Authentication Proxy on the configured server receives authentication response

  7. SonicWALL receives authentication response, and NetExtender is given access
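Steps 2 and 7 above are a RADIUS exchange over UDP, and the shared secret is what ties the two ends together: it hides the password in the Access-Request and authenticates the Accept or Reject that comes back. The script below is an added example for this guide, not the guide's code, not Duo's tooling and not SonicWALL's. It builds the same kind of Access-Request the firewall sends (RFC 2865 PAP), parses and un-hides it the way the proxy does so the round trip can be checked offline, and verifies the Response Authenticator on the reply so that an answer built with the wrong secret, or a forged one, is never mistaken for an Access-Accept. It can also be pointed at a real proxy as a pre-flight check before the SonicWALL is configured; the proxy host, NAS IP, user, password and shared secret in it are placeholders, and the proxy only answers clients listed as radius_ip_N in authproxy.cfg.

```python
"""RADIUS PAP exchange between the SonicWALL and the Duo Authentication Proxy (RFC 2865).

Added example for this guide: not the guide's code, not Duo's and not SonicWALL's.
Proxy host, NAS IP, user, password and shared secret used below are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    seeded with the Request Authenticator. This is obfuscation keyed by the shared secret, not encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the proxy does on receipt; with the wrong secret it yields garbage rather than an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")  # strips the padding only


def attribute(atype: int, value: bytes) -> bytes:
    """Type, Length (header included), Value; a RADIUS attribute carries at most 253 value bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """{type: value} for the attributes after the 20-byte header, rejecting inconsistent lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as the firewall sends it (diagram step 2); returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_IDENTIFIER, b"sonicwall-test"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Reply as the proxy builds it: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, request_authenticator, secret):
    """Return (code, ident) only if the reply is well formed and authenticated with our secret (step 7)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, ident


def send_test_request(proxy_host, secret, username, password, nas_ip, port=1812, timeout=60):
    """One request to the proxy, then wait for the verdict. The Duo push happens inside this wait,
    which is why the guide sets the SonicWALL RADIUS timeout to 60 seconds. Run from an address
    listed as radius_ip_N in authproxy.cfg, or add the test host as radius_ip_2 for the test."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (proxy_host, port))
        reply, _ = sock.recvfrom(4096)
    code, reply_ident = verify_response(reply, req_auth, secret)
    if reply_ident != ident:
        raise ValueError("reply identifier does not match the request")
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, code)


if __name__ == "__main__":
    # Placeholders: proxy host, radius_secret_1, a test user and password, and radius_ip_1.
    print(send_test_request("duo-proxy.example.internal", b"CHANGE-ME-shared-secret",
                            "alice", "CorrectHorse", "10.0.0.1"))
```

A wrong shared secret on either side does not produce a clean error on the wire: the proxy un-hides the password into garbage and answers with an Access-Reject (or, from the firewall's point of view, the reply fails the Response Authenticator check and is dropped), which is why a mismatched secret usually shows up as "bad password" or a timeout rather than anything that names the secret.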

 
