Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy.
Duo's last day of support for installation and use of any Duo applications on end-of-life operating systems or operating systems that have reached the vendor's end-of-support date corresponds with the OS end-of-life or end-of-support date. We strongly urge you to upgrade to a supported version of your operating system before installing Duo Authentication Proxy.
The Duo Authentication Proxy Manager is not available for Linux or as a standalone application. It is bundled into the Duo Authentication Proxy 5.6.0 and later executable installer for Windows servers, in which the Authentication Proxy component is required for install and the Proxy Manager is an optional feature.
Once installed, the Proxy Manager application shows status information for and manages the locally installed Authentication Proxy service on the same Windows server.
It is not possible to install the Duo Authentication Proxy Manager on an existing server running an older version of the Duo Authentication Proxy without also upgrading that existing Authentication Proxy instance to the current version.
For example, if you have an existing Windows installation of Duo Authentication Proxy 5.5.0, when you upgrade that installation to version 5.6.0 you may choose to install the Proxy Manager, but you may not install the Proxy Manager feature from the 5.6.0 installer without also upgrading the 5.5.0 Authentication Proxy service to 5.6.0.
Open your authproxy.cfg file in a text editor or the Proxy Manager application (available for Windows in version 5.6.0 and later).
Locate the [main] section. If this section does not exist, then create it.
Add the setting debug=true on a new line in the [main] section (leave any other settings you might have in the [main] section unchanged).
[main]
debug=true
The default locations for log file output are:
Operating System | Authentication Proxy Version | Path |
---|---|---|
Windows | v5.0.0 and later | C:\Program Files\Duo Security Authentication Proxy\log |
Windows | v4.0.2 and earlier | C:\Program Files (x86)\Duo Security Authentication Proxy\log |
Linux | All | /opt/duoauthproxy/log |
On Windows, the installation path is set by the installer to:
Authentication Proxy Version | Path |
---|---|
v5.0.0 and later | C:\Program Files\Duo Security Authentication Proxy |
v4.0.2 and earlier | C:\Program Files (x86)\Duo Security Authentication Proxy |
On Linux, the default installation path is /opt/duoauthproxy, but the target directory can be changed during installation.
Yes. You can specify multiple server sections in the configuration file. Each will have a different ikey and skey. If the server sections are the same type, append a number to the section name (e.g. [radius_server_auto2]) and use a distinct port number for each.
In addition, multiple applications can share the same client section for primary authentication.
As of version 5.2.0, a single Authentication Proxy can run Active Directory and OpenLDAP syncs for the same Duo customer (each cloud section is incremented with a number, and the api_host is the same for every sync).
For example, here is a config file that powers three applications. Two of them (X and Z) use Active Directory for primary authentication, while the other (Y) uses RADIUS. The two RADIUS applications use different ports; X has no port= defined so it uses port 1812 by default, and Y uses port 18120.
[ad_client]
host=1.2.3.4 ; IP address of the Active Directory domain controller
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf\example_com_ca.pem
[radius_client]
host=5.6.7.8 ; IP address of the RADIUS server
secret=thisisaradiussecret
; Application X
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=2.3.4.5 ; IP address of the appliance
radius_secret_1=thisisalsoaradiussecret
client=ad_client
; Application Y
[radius_server_auto2]
ikey=DIYYYYYYYYYYYYYYYY
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=4.5.6.7 ; IP address of the appliance
radius_secret_1=thisisalsoanotherradiussecret
client=radius_client
port=18120
; Application Z
[ldap_server_auto]
ikey=DIZZZZZZZZZZZZZZZZZZZ
skey=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
api_host=api-hostname.duosecurity.com
factors=auto
client=ad_client
failmode=secure
ssl_key_path=server.key
ssl_cert_path=server.crt
exempt_primary_bind=false
exempt_ou_1=CN=ldapuser,OU=Service Accounts,DC=domain,DC=local
;AD sync
[cloud]
ikey=DIABCDEFGHIJKLMNOPQR
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
;OpenLDAP Sync
[cloud2]
ikey=DISTUVWXYZABCDEFGHIJ
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
service_account_username=duoservice
service_account_password=password1
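
The rules above (a distinct port per RADIUS server section, every client= pointing at a section that exists, one api_host across sync sections) can be checked before restarting the service. The following is an added example, not Duo tooling or code from this page; the function name `lint_authproxy_cfg`, the `radius_server_` prefix match, and the sample config are assumptions made for illustration.

```python
import configparser
import re
from collections import defaultdict

# Constructed sample (not from the page): both RADIUS sections fall back to 1812,
# one client= target is missing, and the two sync sections disagree on api_host.
SAMPLE_CFG = """
[ad_client]
host=1.2.3.4 ; IP address of the Active Directory domain controller
[radius_server_auto]
client=ad_client
[radius_server_auto2]
client=radius_client
[cloud]
api_host=api-hostname.duosecurity.com
[cloud2]
api_host=api-other.duosecurity.com
"""

DEFAULT_RADIUS_PORT = 1812  # port used when a RADIUS server section has no port=


def lint_authproxy_cfg(text):
    """Return findings for the multi-application rules (hypothetical helper)."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cfg.read_string(text)
    findings = []
    ports = defaultdict(list)  # listening port -> RADIUS server sections using it
    api_hosts = set()          # api_host values seen in [cloud], [cloud2], ...
    for name in cfg.sections():
        section = cfg[name]
        # Assumption: every RADIUS server section name starts with radius_server_
        if name.startswith("radius_server_"):
            ports[section.getint("port", fallback=DEFAULT_RADIUS_PORT)].append(name)
        client = section.get("client")
        if client and not cfg.has_section(client):
            findings.append(f"[{name}] client={client} has no matching section")
        if re.fullmatch(r"cloud\d*", name) and "api_host" in section:
            api_hosts.add(section["api_host"])
    for port, names in sorted(ports.items()):
        if len(names) > 1:
            findings.append(f"port {port} shared by {', '.join(names)}")
    if len(api_hosts) > 1:
        findings.append(f"cloud sections use different api_host values: {sorted(api_hosts)}")
    return findings


if __name__ == "__main__":
    print(*lint_authproxy_cfg(SAMPLE_CFG), sep="\n")
```
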
No, password and secret encryption is a Windows-only feature.
Please refer to the upgrade instructions in the Duo Authentication Proxy Reference.
Please refer to the uninstall instructions in the Duo Authentication Proxy Reference.
If you receive a window that says "Error opening file for writing: path-to-authproxy\Duo Security Authentication Proxy\bin\servicemanager.pyd" when upgrading the Authentication Proxy to a new version, make sure that all Windows Event Viewer windows (including the Event Viewer itself) are closed, then click the Retry button.
The sample authproxy.cfg file included with the Authentication Proxy install contains UNIX line endings. Notepad may not correctly show line-breaks so we recommend editing the config file with WordPad or a third-party text editor that can display UNIX encoding. Open your file in a text editor other than Notepad, verify that the configuration is correct, save the file, and try starting the Duo Security Authentication Proxy service again. If it still fails to start, make sure to check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy". The error traceback usually indicates which line of the authproxy.cfg is preventing service start-up.
If you have Authentication Proxy 5.6.0 or later, we recommend using the Proxy Manager application for Windows to edit the authproxy.cfg contents.
The Duo Authentication Proxy supports MS-CHAPv2 authentication with this configuration:
To authenticate from the Duo Proxy to Active Directory as a RADIUS client, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.
Using MS-CHAPv2 restricts allowed factors to automatic push and phone call. This configuration does not support appending a Duo factor name or passcode to the password.
Duo monitors the health and availability of our cloud services. You can see the current status of Duo's service at https://status.duo.com/ and subscribe to email updates.
You can also monitor your Authentication Proxy server to ensure that the service is running and listening for incoming requests on port 1812 (or whichever port you specified when configuring your RADIUS or LDAP authentication server).