Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy.
Yes, version 2.4.17 and later support Windows Server 2016.
Yes. You can specify multiple server sections in the configuration file. Each will have a different skey. If the server sections are the same type, append a number to the section name — e.g. [radius_server_auto2] — and use a distinct port number for each. In addition, multiple applications can share the same client section for primary authentication.
For example, here is a config file that powers three applications. Two of them (X and Z) use Active Directory for primary authentication, while the other (Y) uses RADIUS. The two RADIUS applications use different ports: X has no port= defined, so it uses port 1812 by default, and Y uses port 18120.
[ad_client]
host=126.96.36.199 ; IP address of the Active Directory domain controller
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf\example_com_ca.pem

[radius_client]
host=188.8.131.52 ; IP address of the RADIUS server
secret=thisisaradiussecret

; Application X
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=184.108.40.206 ; IP address of the appliance
radius_secret_1=thisisalsoaradiussecret
client=ad_client

; Application Y
[radius_server_auto2]
ikey=DIYYYYYYYYYYYYYYYY
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=220.127.116.11 ; IP address of the appliance
radius_secret_1=thisisalsoanotherradiussecret
client=radius_client
port=18120

; Application Z
[ldap_server_auto]
ikey=DIZZZZZZZZZZZZZZZZZZZ
skey=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
api_host=api-hostname.duosecurity.com
factors=auto
client=ad_client
failmode=secure
ssl_key_path=server.key
ssl_cert_path=server.crt
exempt_primary_bind=false
exempt_ou_1=CN=ldapuser,OU=Service Accounts,DC=domain,DC=local
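As an added example (not Duo's code), here is a small Python checker for the rules above: same-type server sections must listen on distinct ports (RADIUS sections default to 1812 when port= is absent), every server section carries its own skey, and each client= must name a client section that exists. The embedded config is a constructed, trimmed version of the three-application layout with placeholder values; the LDAP default port is not assumed, so an LDAP section without port= is skipped in the clash check.

```python
import configparser

# Constructed sample: two RADIUS server sections plus an LDAP one, placeholder values only.
GOOD_CFG = """
[ad_client]
host=192.0.2.10 ; placeholder domain controller
[radius_client]
host=192.0.2.20 ; placeholder RADIUS server
[radius_server_auto]
skey=placeholder-skey-x
client=ad_client
[radius_server_auto2]
skey=placeholder-skey-y
client=radius_client
port=18120
[ldap_server_auto]
skey=placeholder-skey-z
client=ad_client
"""
# Same file with Y's port= dropped (so it collides with X on 1812) and a dangling client=.
BAD_CFG = GOOD_CFG.replace("port=18120\n", "").replace("client=radius_client", "client=nps_client")


def lint(text):
    """Return a list of problems found in an authproxy.cfg-style document."""
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cfg.read_string(text)
    problems, ports, skeys = [], {}, {}
    for name in cfg.sections():
        if "_server" not in name:          # only server sections open listeners
            continue
        sec = cfg[name]
        kind = name.rstrip("0123456789")   # radius_server_auto2 -> radius_server_auto
        port = sec.get("port")
        if port is None and kind.startswith("radius_server"):
            port = "1812"                  # FAQ: RADIUS sections default to 1812
        if port is not None:
            if port in ports:
                problems.append(f"{name} and {ports[port]} both listen on port {port}")
            ports.setdefault(port, name)
        skey = sec.get("skey", "")
        if skey in skeys:
            problems.append(f"{name} reuses the skey of {skeys[skey]}")
        skeys.setdefault(skey, name)
        client = sec.get("client")
        if client and client not in cfg:
            problems.append(f"{name} refers to missing client section [{client}]")
    return problems
```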
No, password and secret encryption is a Windows-only feature.
Add the option debug=true on a new line in the [main] section of your authproxy.cfg file and restart the Authentication Proxy. If you do not already have a [main] section in your config file, create one. It should look like this:
[main]
debug=true
Uninstalling the Authentication Proxy deletes your authproxy.cfg file and all logs, so back them up first if you need to keep them.
Run /opt/duoauthproxy/uninstall as root (or use sudo).
If you receive a window that says "Error opening file for writing: path-to-authproxy\Duo Security Authentication Proxy\bin\servicemanager.pyd" when upgrading the Authentication Proxy to a new version, make sure that all Windows Event Viewer windows (including the Event Viewer itself) are closed then click the Retry button.
The sample authproxy.cfg file included with the Authentication Proxy install contains UNIX line endings. Notepad may not display these line breaks correctly, so we recommend editing the config file with WordPad or a third-party text editor that handles UNIX line endings. Open your file in a text editor other than Notepad, verify that the configuration is correct, save the file, and try starting the Duo Security Authentication Proxy service again. If it still fails to start, check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy". The error traceback usually indicates which line of authproxy.cfg is preventing service start-up.
The Duo Authentication Proxy supports MS-CHAPv2 authentication with this configuration:
To authenticate from the Duo Proxy to Active Directory as a RADIUS client, deploy Microsoft's Network Policy Server (NPS), or a RADIUS server from another vendor, between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of that RADIUS server.
Using MS-CHAPv2 restricts allowed factors to automatic push and phone call. This configuration does not support appending a Duo factor name or passcode to the password.
Duo monitors the health and availability of our cloud services. You can see the current status of Duo's service at https://status.duo.com/ and subscribe to email updates.
You can also monitor your Authentication Proxy server to ensure that the service is running and listening for incoming requests on port 1812 (or whichever port you specified when configuring your RADIUS or LDAP authentication server).