Authentication Proxy - FAQ and Troubleshooting

Last Updated: January 19th, 2024

Answers to frequently asked questions and troubleshooting tips for Duo Security's Authentication Proxy.

Does Duo support the Duo Authentication Proxy when installed on end-of-life operating systems?

Duo's last day of support for installation and use of any Duo applications on end-of-life operating systems or operating systems that have reached the vendor's end-of-support date corresponds with the OS end-of-life or end-of-support date. We strongly urge you to upgrade to a supported version of your operating system before installing Duo Authentication Proxy.

Can I use the Proxy Manager application on Linux, or as a standalone application, or to manage remote Authentication Proxy instances, or with Authentication Proxy versions before 5.6.0?

The Duo Authentication Proxy Manager is not available for Linux or as a standalone application. It is bundled into the Duo Authentication Proxy 5.6.0 and later executable installer for Windows servers, in which the Authentication Proxy component is required for install and the Proxy Manager is an optional feature.

Once installed, the Proxy Manager application shows status information for and manages the locally installed Authentication Proxy service on the same Windows server.

It is not possible to install the Duo Authentication Proxy Manager on an existing server running an older version of the Duo Authentication Proxy without also upgrading that existing Authentication Proxy instance to the current version.

For example, if you have an existing Windows installation of Duo Authentication Proxy 5.5.0, when you upgrade that installation to version 5.6.0 you may choose to install the Proxy Manager, but you may not install the Proxy Manager feature from the 5.6.0 installer without also upgrading the 5.5.0 Authentication Proxy service to 5.6.0.

How do I enable debug logging?

If you are collecting logging for a Duo Support Engineering request, please use the Duo Authentication Proxy Support Tool to capture additional relevant troubleshooting information.

To enable debugging logs, add the option debug=true on a new line to the main section of your authproxy.cfg file and restart the Authentication Proxy. Notepad may not correctly show line breaks, so we recommend editing the config file with the Duo Authentication Proxy Manager application (available with v5.6.0 and later), or with WordPad or a third-party text editor that can display UNIX encoding.

If you do not already have a [main] section in your config file, then create one at the top of the config file. Note that section placement in the config file has no effect on proxy function, though we recommend placing it at the top of the file for easy reference. It should look like this:

[main]
debug=true

The default locations for log file output are:

Operating System   Authentication Proxy Version   Path
Windows            v5.0.0 and later               C:\Program Files\Duo Security Authentication Proxy\log
Windows            v4.0.2 and earlier             C:\Program Files (x86)\Duo Security Authentication Proxy\log
Linux              All                            /opt/duoauthproxy/log

What is the Authentication Proxy installation path?

On Windows, the installation path is set by the installer to:

Authentication Proxy Version   Path
v5.0.0 and later               C:\Program Files\Duo Security Authentication Proxy
v4.0.2 and earlier             C:\Program Files (x86)\Duo Security Authentication Proxy

On Linux, the default installation path is /opt/duoauthproxy, but the target directory can be changed during installation.

Can the Proxy be configured for multiple Duo applications?

Yes. You can specify multiple server sections in the configuration file, each with its own ikey and skey. If two server sections are of the same type, append a number to the second section's name (e.g. [radius_server_auto2]) and use a distinct port number for each.

In addition, multiple applications can share the same client section for primary authentication.

As of version 5.2.0, a single Authentication Proxy can run Active Directory and OpenLDAP syncs for the same Duo customer (each cloud section is incremented with a number, and the api_host is the same for every sync).

For example, here is a config file that powers three applications. Two of them (X and Z) use Active Directory for primary authentication, while the other (Y) uses RADIUS. The two RADIUS applications use different ports; X has no port= defined so it uses port 1812 by default, and Y uses port 18120.

[ad_client]
host=1.2.3.4  ; IP address of the Active Directory domain controller
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf\example_com_ca.pem

[radius_client]
host=5.6.7.8  ; IP address of the RADIUS server
secret=thisisaradiussecret

; Application X
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=2.3.4.5  ; IP address of the appliance
radius_secret_1=thisisalsoaradiussecret
client=ad_client

; Application Y
[radius_server_auto2]
ikey=DIYYYYYYYYYYYYYYYY
skey=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=4.5.6.7  ; IP address of the appliance
radius_secret_1=thisisalsoanotherradiussecret
client=radius_client
port=18120

; Application Z
[ldap_server_auto]
ikey=DIZZZZZZZZZZZZZZZZZZZ
skey=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
api_host=api-hostname.duosecurity.com
factors=auto
client=ad_client
failmode=secure
ssl_key_path=server.key
ssl_cert_path=server.crt
exempt_primary_bind=false
exempt_ou_1=CN=ldapuser,OU=Service Accounts,DC=domain,DC=local

;AD sync
[cloud]
ikey=DIABCDEFGHIJKLMNOPQR
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com

;OpenLDAP Sync
[cloud2]
ikey=DISTUVWXYZABCDEFGHIJ
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
service_account_username=duoservice
service_account_password=password1

Is there a way to encrypt the password or secrets when running the Authentication Proxy on Linux?

No, password and secret encryption is a Windows-only feature. In the absence of a built-in tool for encrypting the secret and password strings, refer to How can I protect the configuration file of the Duo Authentication Proxy on Linux? for recommendations on protecting the Duo Authentication Proxy configuration file on Linux.

How do I upgrade the Authentication Proxy?

Please refer to the upgrade instructions in the Duo Authentication Proxy Reference.

How do I uninstall the Authentication Proxy?

Please refer to the uninstall instructions in the Duo Authentication Proxy Reference.

I receive a pop-up error when upgrading the Duo Authentication Proxy on Windows.

You may see "Error opening file for writing: path-to-authproxy\Duo Security Authentication Proxy\bin\servicemanager.pyd" when upgrading the Duo Authentication Proxy to a new version.

This error occurs because another program or process on the Windows host is holding a file lock on servicemanager.pyd, so that not even an administrator can delete the file. The lock has several possible causes and resolutions:

  • Your own session or another user's RDP or local console session has an Event Viewer window open during the initial installation or upgrade of the Duo Authentication Proxy. To resolve this, close Event Viewer or terminate the other remote session and re-attempt the install/upgrade.
  • Antivirus programs may hold the lock. You may be able to use Process Monitor to detect which programs are using the file, close them, and re-attempt the install/upgrade.
  • While Windows won't let administrators delete the servicemanager.pyd file, it does allow administrators to rename it. Renaming the servicemanager.pyd file will allow the install to proceed.
  • As a last resort, a reboot will release the file lock and allow the install/upgrade process to proceed without any further errors.

I used the Windows Notepad application to edit authproxy.cfg and it looks correct, but the Authentication Proxy service won't start.

The Authentication Proxy may fail to start if the configuration was edited with Notepad. The sample authproxy.cfg file included with the Authentication Proxy install contains UNIX line endings, which Notepad may not display correctly. We recommend editing the config file with the Duo Authentication Proxy Manager (included with Authentication Proxy for Windows 5.6.0 or later), WordPad, Notepad++, or another third-party text editor that can display UNIX encoding, as follows:

  1. Open your authproxy.cfg file in a text-editor other than Notepad.
  2. Verify that the configuration is correct and save the file.
  3. Try starting the Duo Security Authentication Proxy service again.

If it still fails to start, make sure to check the Application log in the Windows Event Viewer for an error message from the source "DuoAuthProxy". The error traceback usually indicates which line of the authproxy.cfg file is preventing service start-up.

Is MS-CHAPv2 supported?

The Duo Authentication Proxy supports MS-CHAPv2, EAP-MSCHAPv2, and PEAP/EAP-MSCHAPv2 authentication with this configuration:

EAP-MSCHAPv2 and PEAP/EAP-MSCHAPv2 authentication is only supported for Duo Authentication Proxy 5.2.0 and later.

To authenticate from the Authentication Proxy to Active Directory as a RADIUS client, deploy Microsoft's Network Policy Server (NPS), or a RADIUS server from another vendor, between Active Directory and the Duo Authentication Proxy, and add the Duo Authentication Proxy server as a RADIUS client of the NPS server.

Refer to the Authentication Proxy Reference Guide for more information on these configurations.

Additional considerations:

  • Using append mode (concatenation) to specify a different factor is not supported when using MS-CHAPv2 or EAP-MSCHAPv2 authentication.
    • Attempting to use append mode with MS-CHAPv2 may cause the following Duo Authentication Proxy error message: "Allow concat is configured, but is not supported with MS-CHAPv2 authentication".
    • Using append mode with EAP-MSCHAPv2 or PEAP/EAP-MSCHAPv2 will cause the following error message: "Primary credentials rejected"
  • Factor passcode is not supported for the factors configuration item.
  • If an unsupported authentication protocol is used (such as CHAP), it can cause the Duo Authentication Proxy error message "Missing or improperly-formatted password". To resolve this error, make sure your application is using a supported protocol (duo.com/s/article/5688), such as MS-CHAPv2. Refer to What RADIUS authentication protocol variants does the Duo Authentication Proxy support? for more information.
  • In-line password resets are supported for MS-CHAPv2 only. Refer to Does the Duo Authentication Proxy support in-line password resets? for more information.

How can I monitor Duo to ensure that my RADIUS or LDAP device can authenticate users?

Via the Status Page

Duo monitors the health and availability of our cloud service and reports any issues, along with detailed updates as we resolve them, on our status page at https://status.duo.com/. You can subscribe to updates via email, SMS, RSS, and more.

Via the Auth API

You can also actively monitor the Duo cloud services using the Auth API.

To do this, write a script that calls one or both of the following endpoints:

/ping : https://duo.com/docs/authapi#/ping

A basic high-level check that verifies the Duo service is contactable and running.

/check : https://duo.com/docs/authapi#/check

Goes beyond /ping: the call is authenticated against your account details, so it also verifies that your integration key and secret key are valid.

Then, configure your monitoring system to trigger your script and verify the response. It is best practice to limit these calls to one per hour. If a shorter time period is absolutely necessary, please contact Duo Support.

From this you are able to confirm:

  • Communication with the Duo cloud service
  • The Duo cloud service is up and running
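An example of such a script, added here and not part of Duo's documentation or client libraries: it signs requests the way the Auth API requires (an HMAC-SHA1 over the date, method, host, path and parameters, sent as HTTP Basic credentials together with the integration key) and reports whether /ping and /check each answer with stat "OK". The ikey, skey and api_host values are placeholders to replace with your own.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: replace with the ikey, skey and API hostname of your own Auth API application.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
API_HOST = "api-hostname.duosecurity.com"

def canonical_request(date, method, host, path, params):
    """The string the Auth API signs: date, upper-case method, lower-case host,
    path, then the sorted and URL-encoded parameters, one item per line."""
    canon_params = "&".join("%s=%s" % (urllib.parse.quote(k, "~"), urllib.parse.quote(v, "~"))
                            for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, canon_params])

def sign(ikey, skey, date, method, host, path, params):
    """Authorization header value: HTTP Basic with the ikey as user name and the
    HMAC-SHA1 hex digest of the canonical request, keyed with the skey, as password."""
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()

def call_auth_api(path, ikey=IKEY, skey=SKEY, host=API_HOST):
    """GET one Auth API endpoint; True only if Duo answers with stat "OK"."""
    date = email.utils.formatdate()  # RFC 2822 timestamp: sent as the Date header and signed
    headers = {"Date": date}
    if path != "/auth/v2/ping":  # /ping is the one endpoint that needs no signature
        headers["Authorization"] = sign(ikey, skey, date, "GET", host, path, {})
    req = urllib.request.Request("https://%s%s" % (host, path), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp).get("stat") == "OK"
    except (urllib.error.URLError, ValueError):
        return False  # unreachable, HTTP error (e.g. 401 for bad keys) or a non-JSON body

def monitor():
    """One monitoring cycle: /ping proves reachability, /check proves the keys are valid."""
    return {"ping": call_auth_api("/auth/v2/ping"), "check": call_auth_api("/auth/v2/check")}

if __name__ == "__main__":
    print(monitor())
```

Schedule it from your monitoring system at the once-per-hour rate recommended above; a "check" of False with a "ping" of True points at the keys or the api_host rather than at connectivity.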

Via the Duo Authentication Proxy

You can also actively monitor the Duo cloud service using the Duo Authentication Proxy. The best practice for achieving this is to set up a test user account that sends a request to the Authentication Proxy and receives a successful login response in return.

To do this, first configure the Authentication Proxy with a radius_server_auto section.

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-hostname.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisalsoaradiussecret
client=ad_client

Then, configure your monitoring system to send an authentication request to the Authentication Proxy. Finally, set the test user account's status to "Bypass" in the Duo Admin Panel. The test user's request passes through the Authentication Proxy and is verified by the identity store (the AD or RADIUS server); with the ad_client configuration in the example above, the identity store is Active Directory. The request then reaches the Duo cloud service, which at that point sends the bypass result back.

From this you are able to confirm:

  • The Duo cloud service is up and running
  • Communication with the Authentication Proxy
  • The Authentication Proxy service is running
  • Communication between the Authentication Proxy and the identity store
  • Your identity store is up and running
  • Communication between the Authentication Proxy and the Duo Cloud services
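A monitoring probe of the kind described above, added here as an example and not part of Duo's documentation or the Authentication Proxy itself: it builds an RFC 2865 Access-Request for the bypass test user with the standard library only, sends it to the radius_server_auto port, and counts the reply as success only if it is an Access-Accept whose Response Authenticator verifies under the shared radius_secret_1, so a stray or spoofed UDP reply cannot turn the check green. The proxy host, port, user name and password are assumptions to substitute with your own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes

def encrypt_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)  # pad to a multiple of 16 bytes
    out, last = b"", authenticator  # first block is keyed with the Request Authenticator
    for i in range(0, len(pw), 16):
        pad = hashlib.md5(secret + last).digest()
        last = bytes(a ^ b for a, b in zip(pw[i:i + 16], pad))
        out += last
    return out

def build_access_request(ident, authenticator, username, password, secret, nas_ip="127.0.0.1"):
    """Access-Request with User-Name, hidden User-Password and NAS-IP-Address attributes."""
    attrs = b""
    for t, v in ((1, username.encode()),                                   # User-Name
                 (2, encrypt_password(password, secret, authenticator)),   # User-Password
                 (4, socket.inet_aton(nas_ip))):                           # NAS-IP-Address
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Reply as a RADIUS server builds it (used here to fabricate replies for testing)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(resp, request_authenticator, secret):
    """Recompute the Response Authenticator so a spoofed or tampered reply is not counted."""
    length = struct.unpack("!H", resp[2:4])[0] if len(resp) >= 20 else 0
    if not 20 <= length <= len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(host, port, secret, username, password, timeout=15):
    """Send one Access-Request for the bypass test user; True only on an authentic Access-Accept."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, req_auth, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        resp, _ = sock.recvfrom(4096)
    return resp[1] == ident and response_is_authentic(resp, req_auth, secret) and resp[0] == ACCESS_ACCEPT
```

Call it as probe("proxy-host", 1812, b"thisisalsoaradiussecret", "testuser", "password") from the monitoring host listed as radius_ip_1, since the proxy only answers clients named in its configuration.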

Additional Troubleshooting

Need more help? Try searching our Authentication Proxy Knowledge Base articles or Community discussions. For further assistance, contact Support.