Authentication Proxy - FAQ and Troubleshooting

Last Updated: May 1st, 2019

Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy.

Does the Proxy run on Windows Server 2016?

Yes, version 2.4.17 and later support Windows Server 2016.

Can the Proxy be used to power multiple Duo applications?

Yes. You can specify multiple server sections in the configuration file. Each will have a different ikey and skey. If the server sections are the same type, append a number to the section name (e.g. [radius_server_auto2]) and use a distinct port number for each.

In addition, multiple applications can share the same client section for primary authentication.

For example, here is a config file that powers three applications. Two of them (X and Z) use Active Directory for primary authentication, while the other (Y) uses RADIUS. The two applications that accept RADIUS requests (X and Y) use different ports; X has no port= defined so it uses port 1812 by default, and Y uses port 18120.

[ad_client]
host=1.2.3.4  ; IP address of the Active Directory domain controller
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf\example_com_ca.pem

[radius_client]
host=5.6.7.8  ; IP address of the RADIUS server
secret=thisisaradiussecret

; Application X
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=2.3.4.5  ; IP address of the appliance
radius_secret_1=thisisalsoaradiussecret
client=ad_client

; Application Y
[radius_server_auto2]
ikey=DIYYYYYYYYYYYYYYYY
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=4.5.6.7  ; IP address of the appliance
radius_secret_1=thisisalsoanotherradiussecret
client=radius_client
port=18120

; Application Z
[ldap_server_auto]
ikey=DIZZZZZZZZZZZZZZZZZZZ
skey=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
api_host=api-hostname.duosecurity.com
factors=auto
client=ad_client
failmode=secure
ssl_key_path=server.key  
ssl_cert_path=server.crt
exempt_primary_bind=false
exempt_ou_1=CN=ldapuser,OU=Service Accounts,DC=domain,DC=local

Is there a way to encrypt the password or secrets when running the Authentication Proxy on Linux?

No, password and secret encryption is a Windows-only feature.

How do I enable debugging?

Add the option debug=true on a new line to the [main] section of your authproxy.cfg file and restart the Authentication Proxy. If you do not already have a [main] section in your config file then create one. It should look like this:

[main]
debug=true

How do I uninstall the Authentication Proxy?

Uninstalling the Authentication Proxy deletes your authproxy.cfg file and all logs, so be sure to back them up if you need to keep them.

On Windows:

  1. Go to Control Panel > Programs and Features.
  2. Select "Duo Security Authentication Proxy version" from the list of installed programs and click Uninstall/Change.
  3. Follow the prompts to remove the Authentication Proxy from your system.

On Linux, type /opt/duoauthproxy/uninstall as root (or use sudo).

I receive a pop-up error when upgrading the Duo Authentication Proxy on Windows.

If you receive a window that says "Error opening file for writing: path-to-authproxy\Duo Security Authentication Proxy\bin\servicemanager.pyd" when upgrading the Authentication Proxy to a new version, make sure that all Windows Event Viewer windows (including the Event Viewer itself) are closed, then click the Retry button.

I used the Windows Notepad application to edit authproxy.cfg and it looks correct, but the Authentication Proxy service won't start.

The sample authproxy.cfg file included with the Authentication Proxy install contains UNIX line endings. Notepad may not correctly show line breaks, so we recommend editing the config file with WordPad or a third-party text editor that can display UNIX line endings. Open your file in a text editor other than Notepad, verify that the configuration is correct, save the file, and try starting the Duo Security Authentication Proxy service again. If it still fails to start, check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy". The error traceback usually indicates which line of authproxy.cfg is preventing service start-up.

Is MS-CHAPv2 supported?

The Duo Authentication Proxy supports MS-CHAPv2 authentication with this configuration:

To authenticate from the Duo Proxy to Active Directory as a RADIUS client, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.

Using MS-CHAPv2 restricts allowed factors to automatic push and phone call. This configuration does not support appending a Duo factor name or passcode to the password.

How can I monitor Duo to ensure that my RADIUS or LDAP device can authenticate users?

Duo monitors the health and availability of our cloud services. You can see the current status of Duo's service at https://status.duo.com/ and subscribe to email updates.

You can also monitor your Authentication Proxy server to ensure that the service is running and listening for incoming requests on port 1812 (or whichever port you specified when configuring your RADIUS or LDAP authentication server).

Additional Troubleshooting

Need more help? Try searching our Authentication Proxy Knowledge Base articles or Community discussions. For further assistance, contact Support.