Authentication Proxy - FAQ and Troubleshooting

Last Updated: May 18th, 2021

Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy.

Does Duo support the Duo Authentication Proxy when installed on end-of-life operating systems?

Duo's last day of support for installation and use of any Duo applications on end-of-life operating systems or operating systems that have reached the vendor's end-of-support date corresponds with the OS end-of-life or end-of-support date. We strongly urge you to upgrade to a supported version of your operating system before installing Duo Authentication Proxy.

Can I use the Proxy Manager application on Linux, or as a standalone application, or to manage remote Authentication Proxy instances, or with Authentication Proxy versions before 5.6.0?

The Duo Authentication Proxy Manager is not available for Linux or as a standalone application. It is bundled into the Duo Authentication Proxy 5.6.0 and later executable installer for Windows servers, in which the Authentication Proxy component is required for install and the Proxy Manager is an optional feature.

Once installed, the Proxy Manager application shows status information for and manages the locally installed Authentication Proxy service on the same Windows server.

It is not possible to install the Duo Authentication Proxy Manager on an existing server running an older version of the Duo Authentication Proxy without also upgrading that existing Authentication Proxy instance to the current version.

For example, if you have an existing Windows installation of Duo Authentication Proxy 5.5.0, when you upgrade that installation to version 5.6.0 you may choose to install the Proxy Manager, but you may not install the Proxy Manager feature from the 5.6.0 installer without also upgrading the 5.5.0 Authentication Proxy service to 5.6.0.

How do I enable debug logging?

  1. Open your authproxy.cfg file in a text editor or the Proxy Manager application (available for Windows in version 5.6.0 and later).

  2. Locate the [main] section. If this section does not exist, then create it.

  3. Add the setting debug=true on a new line in the [main] section (leave any other settings you might have in the [main] section unchanged).

    [main]
    debug=true

The default locations for log file output are:

| Operating System | Authentication Proxy Version | Path |
| --- | --- | --- |
| Windows | v5.0.0 and later | C:\Program Files\Duo Security Authentication Proxy\log |
| Windows | v4.0.2 and earlier | C:\Program Files (x86)\Duo Security Authentication Proxy\log |
| Linux | All | /opt/duoauthproxy/log |

What is the Authentication Proxy installation path?

On Windows, the installation path is set by the installer to:

| Authentication Proxy Version | Path |
| --- | --- |
| v5.0.0 and later | C:\Program Files\Duo Security Authentication Proxy |
| v4.0.2 and earlier | C:\Program Files (x86)\Duo Security Authentication Proxy |

On Linux, the default installation path is /opt/duoauthproxy, but the target directory can be changed during installation.

Can the Proxy be configured for multiple Duo applications?

Yes. You can specify multiple server sections in the configuration file. Each will have a different ikey and skey. If the server sections are the same type, append a number to the section name (e.g. [radius_server_auto2]) and use a distinct port number for each.

In addition, multiple applications can share the same client section for primary authentication.

As of version 5.2.0, a single Authentication Proxy can run Active Directory and OpenLDAP syncs for the same Duo customer (each cloud section is incremented with a number, and the api_host is the same for every sync).

For example, here is a config file that powers three applications. Two of them (X and Z) use Active Directory for primary authentication, while the other (Y) uses RADIUS. The two RADIUS applications use different ports; X has no port= defined so it uses port 1812 by default, and Y uses port 18120.

    [ad_client]
    host=1.2.3.4  ; IP address of the Active Directory domain controller
    service_account_username=duoservice
    service_account_password=password1
    search_dn=DC=example,DC=com
    security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
    transport=starttls
    ssl_ca_certs_file=conf\example_com_ca.pem

    [radius_client]
    host=5.6.7.8  ; IP address of the RADIUS server
    secret=thisisaradiussecret

    ; Application X
    [radius_server_auto]
    ikey=DIXXXXXXXXXXXXXXXXXX
    skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    api_host=api-hostname.duosecurity.com
    failmode=safe
    radius_ip_1=2.3.4.5  ; IP address of the appliance
    radius_secret_1=thisisalsoaradiussecret
    client=ad_client

    ; Application Y
    [radius_server_auto2]
    ikey=DIYYYYYYYYYYYYYYYY
    skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
    api_host=api-hostname.duosecurity.com
    failmode=safe
    radius_ip_1=4.5.6.7  ; IP address of the appliance
    radius_secret_1=thisisalsoanotherradiussecret
    client=radius_client
    port=18120

    ; Application Z
    [ldap_server_auto]
    ikey=DIZZZZZZZZZZZZZZZZZZZ
    skey=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    api_host=api-hostname.duosecurity.com
    factors=auto
    client=ad_client
    failmode=secure
    ssl_key_path=server.key
    ssl_cert_path=server.crt
    exempt_primary_bind=false
    exempt_ou_1=CN=ldapuser,OU=Service Accounts,DC=domain,DC=local

    ;AD sync
    [cloud]
    ikey=DIABCDEFGHIJKLMNOPQR
    skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    api_host=api-hostname.duosecurity.com

    ;OpenLDAP Sync
    [cloud2]
    ikey=DISTUVWXYZABCDEFGHIJ
    skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    api_host=api-hostname.duosecurity.com
    service_account_username=duoservice
    service_account_password=password1
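
The rules above for multi-application configs (a distinct port per same-type server section, a different ikey for each, and a client= that names an existing client section) can be checked before restarting the service. This is an added example, not Duo's code: lint_authproxy is a hypothetical helper, the sample config is constructed, and parsing with Python's configparser is an assumption that only approximates the proxy's own parser.

```python
import configparser
import re
from collections import defaultdict

RADIUS_DEFAULT_PORT = "1812"  # default this page gives for RADIUS server sections

# Constructed sample: shared port 1812, reused ikey, client= naming a missing section.
SAMPLE_CFG = """\
[ad_client]
host=1.2.3.4  ; domain controller
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
client=ad_client
[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
client=radius_client
port=1812
"""

def lint_authproxy(text):
    """Return sorted findings for the text of an authproxy.cfg (hypothetical helper)."""
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cfg.read_string(text)
    findings = []
    ports, ikeys = defaultdict(list), defaultdict(list)
    for name in cfg.sections():
        if "_server_" not in name:
            continue  # client and cloud sections do not listen on a port
        sec = cfg[name]
        kind = re.sub(r"\d+$", "", name)  # radius_server_auto2 -> radius_server_auto
        default = RADIUS_DEFAULT_PORT if kind.startswith("radius_server") else None
        port = sec.get("port", fallback=default)
        if port is not None:
            ports[(kind, port)].append(name)
        if "ikey" in sec:
            ikeys[sec["ikey"]].append(name)
        client = sec.get("client")
        if client and not cfg.has_section(client):
            findings.append(f"{name}: client={client} has no [{client}] section")
    for (_, port), names in ports.items():
        if len(names) > 1:
            findings.append(f"port {port} shared by {', '.join(names)}")
    for names in ikeys.values():
        if len(names) > 1:
            findings.append(f"ikey reused by {', '.join(names)}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_authproxy(SAMPLE_CFG)))
```

The findings name sections only and never echo ikey, skey, or password values, so the output is safe to paste into a ticket.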

Is there a way to encrypt the password or secrets when running the Authentication Proxy on Linux?

No, password and secret encryption is a Windows-only feature.

How do I upgrade the Authentication Proxy?

Please refer to the upgrade instructions in the Duo Authentication Proxy Reference.

How do I uninstall the Authentication Proxy?

Please refer to the uninstall instructions in the Duo Authentication Proxy Reference.

I receive a pop-up error when upgrading the Duo Authentication Proxy on Windows.

If you receive a window that says "Error opening file for writing: path-to-authproxy\Duo Security Authentication Proxy\bin\servicemanager.pyd" when upgrading the Authentication Proxy to a new version, make sure that all Windows Event Viewer windows (including the Event Viewer itself) are closed, then click the Retry button.

I used the Windows Notepad application to edit authproxy.cfg and it looks correct, but the Authentication Proxy service won't start.

The sample authproxy.cfg file included with the Authentication Proxy install contains UNIX line endings. Notepad may not show the line breaks correctly, so we recommend editing the config file with WordPad or a third-party text editor that can display UNIX line endings. Open your file in a text editor other than Notepad, verify that the configuration is correct, save the file, and try starting the Duo Security Authentication Proxy service again. If it still fails to start, check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy". The error traceback usually indicates which line of the authproxy.cfg is preventing service start-up.

If you have Authentication Proxy 5.6.0 or later, we recommend using the Proxy Manager application for Windows to edit the authproxy.cfg contents.

Is MS-CHAPv2 supported?

The Duo Authentication Proxy supports MS-CHAPv2 authentication with this configuration:

To authenticate from the Duo Proxy to Active Directory as a RADIUS client, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.

Using MS-CHAPv2 restricts allowed factors to automatic push and phone call. This configuration does not support appending a Duo factor name or passcode to the password.

How can I monitor Duo to ensure that my RADIUS or LDAP device can authenticate users?

Duo monitors the health and availability of our cloud services. You can see the current status of Duo's service at https://status.duo.com/ and subscribe to email updates.

You can also monitor your Authentication Proxy server to ensure that the service is running and listening for incoming requests on port 1812 (or whichever port you specified when configuring your RADIUS or LDAP authentication server).

Additional Troubleshooting

Need more help? Try searching our Authentication Proxy Knowledge Base articles or Community discussions. For further assistance, contact Support.