SSL VPN with Hardware Tokens

Currently using Duo with the phone app, which I got to work just fine. What I was hoping for is to use hardware tokens instead of the phone app. Yet I see no way to do this. Anyone doing this?


  • You can do it. We are. You just have to add the hardware token to the user's Duo account.

  • I have added it to the Duo account. I guess I just don't understand the process. After adding it then what? The Yubikey is attached to my USB port. I start the SSL VPN client. If I type in my password it activates the app on my phone. How does the key interact with the client?

  • edited June 2019

    You will also have to set up a Duo Authentication Gateway and modify your Firewall settings by adding an LDAP server. Users will then log in with their password, a comma, then tap the Yubikey.

  • Does it have to be LDAP? I have RADIUS working already with Duo.

  • I think I am close. Inside the Duo console I see it trying to work. Says the Yubikey password is incorrect. Though I imported it correctly, maybe not.

  • Be sure you are adding a comma between your actual password and your Yubikey OTP. Also, did you add your Yubikey as a Hardware Token or WebAuthn/U2F? I'm pretty sure it has to be added as a Hardware Token, which will require you to confirm the Yubikey (if you didn't already).

  • If you are seeing the Authentication attempts in Duo using RADIUS, that's a pretty good sign!

  • I am using the comma with no spaces. Not sure what I am doing wrong. It's set up for OTP. It's been imported and my login attached. The slots have me a little confused though.

  • james.carson Moderator, WatchGuard Representative

    Hi @KevCar @BrianSteingraber

    If you end up using RADIUS, be aware that the max password length is 63 characters, which can be an issue with the long key the Yubikey produces.

    There's currently a feature request open (FBX-3735) to increase that, but the limitation (password,yubikey) has to be 63 characters total or less.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • With my password and what the Yubikey enters it equals 53. 54 if you count the comma, so it's within the limitation.

  • Did a validation test at Yubico and it came back valid. So I am clueless as to what it is I am doing wrong. Maybe I should switch from RADIUS to LDAP.

  • james.carson Moderator, WatchGuard Representative

    Hi KevCar,

    RADIUS is plaintext -- with the exception of the password hash, so if you run Wireshark you can generally determine where the failure is coming from. If you need assistance doing that, I'd suggest opening a case with WatchGuard, in order to keep any details about your setup private.

    Thank you,

    -James Carson
    WatchGuard Customer Support
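A script covering the two points James raises above (the 63-character RADIUS password cap and reading the failing request out of a capture), added here as an illustration; it is not part of the thread and not WatchGuard or Duo tooling. The RADIUS User-Password attribute is not a hash but an MD5-keyed XOR (RFC 2865 section 5.2) that anyone holding the shared secret can reverse, so a Wireshark capture plus the secret shows exactly what `password,otp` string reached the server. The script implements that reversal, then checks the recovered string against the 63-character limit and the shape of a Yubico OTP (44 modhex characters, the first 12 being the key's public ID). The shared secret, Request Authenticator, password and OTP are constructed sample values, and the function names are my own.

```python
import hashlib
import re

# The Firebox RADIUS limit quoted in the thread (password + comma + OTP).
RADIUS_MAX_PASSWORD = 63
# A Yubico OTP is always 44 modhex characters; the first 12 are the public ID.
YUBICO_OTP_LEN = 44
MODHEX_RE = re.compile(r"[cbdefghijklnrtuv]{44}")
# Longest password that still fits beside a comma and a 44-char OTP.
MAX_PASSWORD_WITH_OTP = RADIUS_MAX_PASSWORD - 1 - YUBICO_OTP_LEN


def radius_password_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), where the first 'previous block' is the
    16-byte Request Authenticator. This is what the client sends on the wire."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining uses the obfuscated block
    return bytes(out)


def radius_password_reveal(obfuscated: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above: regenerate the keystream from the secret and the
    captured ciphertext blocks, XOR, and strip the zero padding.
    (A password that itself ends in NUL bytes would lose them; that is a
    limitation of the RFC scheme, not of this decoder.)"""
    if not obfuscated or len(obfuscated) % 16:
        raise ValueError("User-Password value must be a non-zero multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(obfuscated), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = obfuscated[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def check_credential(combined: str) -> dict:
    """Report everything that can silently break a 'password,otp' string
    sent over RADIUS. Returns {'ok', 'problems', 'public_id'}."""
    report = {"ok": False, "problems": [], "public_id": None}
    if len(combined) > RADIUS_MAX_PASSWORD:
        report["problems"].append(
            f"password,OTP is {len(combined)} chars; the RADIUS limit is {RADIUS_MAX_PASSWORD}")
    if "," not in combined:
        report["problems"].append("no comma separating the password from the OTP")
        return report
    # Split on the LAST comma so a password that contains commas still works.
    _password, otp = combined.rsplit(",", 1)
    if len(otp) != YUBICO_OTP_LEN:
        report["problems"].append(f"OTP is {len(otp)} chars; a Yubico OTP is {YUBICO_OTP_LEN}")
    elif not MODHEX_RE.fullmatch(otp):
        report["problems"].append(
            "OTP is not modhex: check the keyboard layout and which Yubikey slot was touched")
    else:
        report["public_id"] = otp[:12]
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    # Constructed sample values; no real secret, key or capture involved.
    secret = b"sharedsecret"
    authenticator = bytes(range(16))
    otp = "cccccccccccc" + "v" * 32          # 44 modhex chars, public ID 'cccccccccccc'
    typed = "Tr0ub4dor&3," + otp
    on_the_wire = radius_password_obfuscate(typed.encode(), secret, authenticator)
    recovered = radius_password_reveal(on_the_wire, secret, authenticator).decode()
    print("recovered from capture:", recovered)
    print(check_credential(recovered))
    print(check_credential("x" * 25 + "," + otp))   # 70 chars: over the limit
    print("max password length beside an OTP:", MAX_PASSWORD_WITH_OTP)
```

With a 44-character OTP and the separating comma, the user's own password can be at most 18 characters under the 63-character cap, so the length check is worth running before blaming the token import. Feed `radius_password_reveal` the User-Password attribute bytes and the Request Authenticator from the Access-Request in a capture, together with the Firebox's shared secret, and the decoded string tells you whether the comma and the full OTP actually reached the Duo proxy.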

  • That is an old version of the documentation. This is slightly newer (September 2016) and might provide additional clues as to the problem.

    Adrian from Australia

  • WORKING!!!!!!!! Switching to LDAP seems to have fixed the issue. Would rather use that anyway. Thanks for all your help.
