Duo Two-Factor Authentication for SonicWALL SRA or SMA 100 Series SSL VPN - FAQ

Does the Duo inline web prompt work with SMA devices?

The SonicWall Secure Mobile Access (SMA) SMA 100 series includes the SMA 200, SMA 400, and SMA 500v. Support for the inline Duo Prompt on SMA 100 series devices differs by firmware version:

• 10.0.0.0-16 and later: Supported. Users see the interactive Duo Prompt during browser login when the SSL VPN is configured to use radius_server_iframe.

  • "Contemporary mode" supports the Duo interactive prompt as of 10.2.1.0-17.
  • SonicWall discontinued SMA v10.0 support in October 2020 (update to 10.1.x or 10.2.x). SonicWall Product Lifecycles

• 9.0.0.2-13 and later: Supported. Users see the interactive Duo Prompt during browser login when the SSL VPN is configured to use radius_server_iframe.

  • SonicWall has issued a zero-day vulnerability alert for firmware versions below 9.0.0.10.

• 9.0.0.0 to 9.0.0.1-11: Unsupported. To integrate with Duo on v9.0.x firmware versions before 9.0.0.2-13, you will need to use the radius_server_auto configuration.

• 8.6.0.0 to 8.6.0.9-19: Unsupported. To integrate with Duo on 8.6, you will need to use the radius_server_auto configuration (note that v8.x firmwares are end-of-life per SonicWall).

SRA devices which have reached end of life, which includes SRA 1600, SRA 4600, SRA EX6000, and SRA EX7000, are excluded.

Does the Duo inline web prompt work with the SRA Web Application Firewall?

You may find that the inline Duo authentication prompt is not displayed when the SonicWALL Web Application Firewall (WAF) for the SRA series is enabled. This happens when the WAF signature "Cross-site Scripting (XSS) Attack" blocks initialization of the Duo script.

To remedy this, log in to your SRA administrator console and navigate to the "Web Application Firewall > Signatures" page. Locate signature "9008 Cross-site Scripting (XSS) Attack" and click the Edit Signature Settings icon. On the "Edit WAF Signature-based Exclusions" page, change the action for the "Cross-site Scripting (XSS) Attack" signature to DETECT and click the Accept button. Click the Accept button at the top of the "Web Application Firewall > Signatures" page to deploy the change.

If your environment requires WAF prevention of XSS scripts, please use the VPN Client SRA SSL VPN deployment. That configuration does not use cross-site scripting.

Does Duo support the SonicWall SMA 1000 Series?

While Duo does not explicitly support SMA 1000 series devices with step-by-step instructions or with the Duo web prompt, you may be able to use our generic RADIUS instructions to add 2FA to SMA 1000 series VPN logins with automatic push requests.

Additional Troubleshooting

Need more help? Try searching our SonicWALL Knowledge Base articles or Community discussions. For further assistance, contact Support.