Duo Two-Factor Authentication for SonicWALL SRA or SMA 100 Series SSL VPN - FAQ

Is there a configuration that lets Mobile Connect or NetExtender clients use an interactive Duo prompt?

Yes, the Duo Single Sign-On for SonicWall SMA 200 Series configuration will open a browser window for interactive SSO login and Duo authentication.

Will the Duo inline RADIUS web prompt get updated to Universal Prompt?

No, RADIUS iframe integrations that show the Duo traditional prompt today reached their end of support in March 2024. Migrate your RADIUS iframe SMA device configuration to Duo Single Sign-On for SonicWall SMA 200 Series if you want to offer your VPN users the Duo Universal Prompt experience, or change your RADIUS configuration to a RADIUS configuration that will remain supported, like RADIUS with automatic Duo Push. Learn more about Duo Universal Prompt and the Duo traditional prompt end of life.

Does the Duo inline RADIUS web prompt work with SMA devices?

Please note that the inline Duo RADIUS web prompt reached its end of support on March 30, 2024. These configurations should be migrated to Duo Single Sign-On for SonicWall SMA 200 Series or Duo Two-Factor Authentication for SonicWall SRA or SMA with RADIUS Auto Push.

The SonicWall Secure Mobile Access (SMA) SMA 100 series includes the SMA 200, SMA 400, and SMA 500v. Support for the RADIUS inline Duo Prompt on SMA 100 series devices differed by firmware version:

• 10.0.0.0-16 and later: Supported. Users see the interactive Duo Prompt during browser login when the SSL VPN is configured to use radius_server_iframe.

  • "Contemporary mode" supports the Duo interactive prompt as of 10.2.1.0-17.
  • SonicWall discontinued SMA v10.0 support in October 2020 (update to 10.1.x or 10.2.x). SonicWall Product Lifecycles

• 9.0.0.2-13 and later: Supported. Users see the interactive Duo Prompt during browser login when the SSL VPN is configured to use radius_server_iframe.

  • SonicWall has issued a zero-day vulnerability alert for firmware versions below 9.0.0.10.

• 9.0.0.0 to 9.0.0.1-11: Unsupported. To integrate with Duo on v9.0.x firmware versions before 9.0.0.2-13, you will need to use the radius_server_auto configuration.

• 8.6.0.0 to 8.6.0.9-19: Unsupported. To integrate with Duo on 8.6, you will need to use the radius_server_auto configuration (note that v8.x firmwares are end-of-life per SonicWall).

SRA devices which have reached end of life, which includes SRA 1600, SRA 4600, SRA EX6000, and SRA EX7000, are excluded.

Does Duo support the SonicWall SMA 1000 Series?

The SonicWALL Secure Mobile Access (SMA) support for the inline Duo Prompt (radius_server_iframe configuration) differs by version:

• 9.0.0.2-13 and later: Supported. Users see the interactive Duo Prompt during browser login when the SSL VPN is configured to use radius_server_iframe.
• 9.0.0.0 to 9.0.0.1-11: Unsupported. To integrate with Duo on v9.0.x firmware versions before 9.0.0.2-13, use radius_server_auto instead of radius_server_iframe in your Duo Authentication Proxy configuration file.
• 8.6.0.0 to 8.6.0.9-19: Unsupported. To integrate with Duo on 8.6, use radius_server_auto instead of radius_server_iframe in your Duo Authentication Proxy configuration file.

SMA 8.6+ is a feature release for SonicWall SMA 400, SMA 200, SRA 4600, SRA 1600, and SMA 500v.

Refer to the Authentication Proxy Reference Guide for more information on configuration options.

Note: The iframe-based traditional Duo Prompt in SonicWall SRA or SMA RADIUS configurations reached its end of support on March 30, 2024. Customers must migrate to a supported Duo Single Sign-On application with Universal Prompt or a RADIUS configuration without the iframe for continued support. Refer to Duo Two-Factor Authentication for SonicWall SRA or SMA 100 Series SSL VPN with RADIUS and Duo Prompt for more information.

Additional Troubleshooting

Need more help? Try searching our SonicWALL Knowledge Base articles or Community discussions. For further assistance, contact Support.