Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy.
Duo's last day of support for installation and use of any Duo applications on end-of-life operating systems or operating systems that have reached the vendor's end-of-support date corresponds with the OS end-of-life or end-of-support date. We strongly urge you to upgrade to a supported version of your operating system before installing Duo Authentication Proxy.
The Duo Authentication Proxy Manager is not available for Linux or as a standalone application. It is bundled into the Duo Authentication Proxy 5.6.0 and later executable installer for Windows servers, in which the Authentication Proxy component is required for install and the Proxy Manager is an optional feature.
Once installed, the Proxy Manager application shows status information for and manages the locally installed Authentication Proxy service on the same Windows server.
It is not possible to install the Duo Authentication Proxy Manager on an existing server running an older version of the Duo Authentication Proxy without also upgrading that existing Authentication Proxy instance to the current version.
For example, if you have an existing Windows installation of Duo Authentication Proxy 5.5.0, when you upgrade that installation to version 5.6.0 you may choose to install the Proxy Manager, but you may not install the Proxy Manager feature from the 5.6.0 installer without also upgrading the 5.5.0 Authentication Proxy service to 5.6.0.
authproxy.cfg file in a text editor or the Proxy Manager application (available for Windows in version 5.6.0 and later).
[main] section. If this section does not exist, then create it.
Add the setting
debug=true on a new line in the
[main] section (leave any other settings you might have in the
[main] section unchanged).
The default locations for log file output are:
|Windows||v5.0.0 and later||
|Windows||v4.0.2 and earlier||
On Windows, the installation path is set by the installer to:
|v5.0.0 and later||
|v4.0.2 and earlier||
On Linux, the default installation path is
/opt/duoauthproxy, but the target directory be changed during installation.
Yes. You can specify multiple server sections in the configuration file. Each will have a different
skey. If the server sections are the same type, append a number to the section name — e.g.
[radius_server_auto2] and use a distinct port number for each.
In addition, multiple applications can share the same
client section for primary authentication.
As of version 5.2.0, a single Authentication Proxy can run Active Directory and OpenLDAP syncs for the same Duo customer (each
cloud section is incremented with a number, and the
api_host is the same for every sync).
For example, here is a config file that powers three applications. Two of them (X and Z) use Active Directory for primary authentication, while the other (Y) uses RADIUS. The two RADIUS applications use different ports; X has no
port= defined so it uses port 1812 by default, and Y uses port 18120.
[ad_client] host=188.8.131.52 ; IP address of the Active Directory domain controller service_account_username=duoservice service_account_password=password1 search_dn=DC=example,DC=com security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com transport=starttls ssl_ca_certs_file=conf\example_com_ca.pem [radius_client] host=184.108.40.206 ; IP address of the RADIUS server secret=thisisaradiussecret ; Application X [radius_server_auto] ikey=DIXXXXXXXXXXXXXXXXXX skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX api_host=api-hostname.duosecurity.com failmode=safe radius_ip_1=220.127.116.11 ; IP address of the appliance radius_secret_1=thisisalsoaradiussecret client=ad_client ; Application Y [radius_server_auto2] ikey=DIYYYYYYYYYYYYYYYY skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY api_host=api-hostname.duosecurity.com failmode=safe radius_ip_1=18.104.22.168 ; IP address of the appliance radius_secret_1=thisisalsoanotherradiussecret client=radius_client port=18120 ; Application Z [ldap_server_auto] ikey=DIZZZZZZZZZZZZZZZZZZZ skey=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ api_host=api-hostname.duosecurity.com factors=auto client=ad_client failmode=secure ssl_key_path=server.key ssl_cert_path=server.crt exempt_primary_bind=false exempt_ou_1=CN=ldapuser,OU=Service Accounts,DC=domain,DC=local ;AD sync [cloud] ikey=DIABCDEFGHIJKLMNOPQR skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX api_host=api-hostname.duosecurity.com ;OpenLDAP Sync [cloud2] ikey=DISTUVWXYZABCDEFGHIJ skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX api_host=api-hostname.duosecurity.com service_account_username=duoservice service_account_password=password1
No, password and secret encryption is a Windows-only feature.
Please refer to the upgrade instructions in the Duo Authentication Proxy Reference.
Please refer to the uninstall instructions in the Duo Authentication Proxy Reference.
If you receive a window that says "Error opening file for writing: path-to-authproxy\Duo Security Authentication Proxy\bin\servicemanager.pyd" when upgrading the Authentication Proxy to a new version, make sure that all Windows Event Viewer windows (including the Event Viewer itself) are closed then click the Retry button.
The sample authproxy.cfg file included with the Authentication Proxy install contains UNIX line endings. Notepad may not correctly show line-breaks so we recommend editing the config file with WordPad or a third-party text editor that can display UNIX encoding. Open your file in a text editor other than Notepad, verify that the configuration is correct, save the file, and try starting the Duo Security Authentication Proxy service again. If it still fails to start, make sure to check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy". The error traceback usually indicates which line of the authproxy.cfg is preventing service start-up.
If you have Authentication Proxy 5.6.0 or later, we recommend using the Proxy Manager application for Windows to edit the authproxy.cfg contents.
The Duo Authentication Proxy supports MS-CHAPv2 authentication with this configuration:
To authenticate from the Duo Proxy to Active Directory as a RADIUS client, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.
Using MS-CHAPv2 restricts allowed factors to automatic push and phone call. This configuration does not support appending a Duo factor name or passcode to the password.
Duo monitors the health and availability of our cloud services. You can see the current status of Duo's service at https://status.duo.com/ and subscribe to email updates.
You can also monitor your Authentication Proxy server to ensure that the service is running and listening for incoming requests on port 1812 (or whichever port you specified when configuring your RADIUS or LDAP authentication server).