Authentication Proxy - Release Notes

Download the current release from the Checksums and Downloads page.

Version 3.2.1 - December 2019

• Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.

Version 3.2.0 - December 2019

• Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
• The primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
• Added support for LDAPCompareRequest LDAP message when the proxy is acting as anLDAP server.
• Support additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
• When using the "Integrated" (SSPI) authentication type for Active Directory sync, service account credentials are ignored if provided in the [cloud] configuration.
• Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
• Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
• The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
• Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
• Bug fixes and enhancements to the connectivity tool.

Version 3.1.1 - September 2019

• Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.

Version 3.1.0 - July 2019

• New delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
• Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
• The authproxy_support tool reports the full path to the generated output file.
• Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
• Allows mixed-case values for the prompt, type, and failmode configuration settings.
• Logging of RADIUS and LDAP messages now contain the username.

Version 3.0.0 - March 2019

• Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
• Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
• Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
• Fixed a bug that prevent the authproxy_support tool from being run from in any directory.
• Fixed a bug that caused errors when clients connected and disconnected very quickly.
• Fixed small bugs in the connectivity tool configuration validation.

Version 2.14.0 - February 2019

• Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
• Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
• Improved logging during Active Directory or OpenLDAP directory synchronization.
• Introduced support for [http_proxy] sections to use a configured interface.

Version 2.13.0 - January 2019

• Colorized the output of the connectivity tool when run interactively for better readability.
• Improvements and additions to the connectivity tool configuration and validation checks, including validation of dependencies across sections.
• The connectivity tool now uses your configured http_proxy_host to test connections.
• Improved logging for security and debugging purposes.

Version 2.12.1 - January 2019

• Corrects an issue which prevented usage of unicode characters in the authproxy.cfg file.

Version 2.12.0 - January 2019

• Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
• OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
• Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
• The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
• FIPS mode for Windows and Linux.
• Corrected an issue with logins from authorized networks not bypassing 2FA.

Version 2.11.0 - November 2018

• Added support for channel binding validation during LDAP authentication over SSL\TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
• The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
• Corrected an installation issue on Linux systems due to the PYTHON environment variable.
• Reworded fail mode result messages to improve logging consistency.

Version 2.10.1 - September 2018

• Corrected an installation issue on Linux systems.

Version 2.10.0 - September 2018

• Added a new flag to authproxy_passwd that allows you to encrypt all the passwords and secrets in the configuration at once.
• Fix bug in Authentication Proxy Connectivity Tool that caused us to report an incorrect time drift.
• Added 2fa factor used to the SIEM digestible log output (authevents.log).
• Simplified example content in the authproxy.cfg file shown at first use.

Version 2.9.0 - May 2018

• Introduced new connectivity troubleshooting tool
• Python 2.7 now bundled with Authentication Proxy install
• The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
• Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well

Version 2.8.1 - March 2018

• Corrected issue with EAP and TLS 1.2 for NetMotion EAP clients
• Released for Windows only

Version 2.7.0 - December 2017

• Supports OpenSSL 1.1.0
• New LDAP server option: allow_unlimited_binds
• Additional bug fixes

Version 2.6.0 - October 2017

This is the minimum required version for OpenLDAP sync and the minimum recommended version for AD sync.

• Password authentication for OpenLDAP and AD sync
• Fixed bug that caused an authentication event to be logged twice in authevents.log
• Additional bug fixes

Version 2.5.4 - August 2017

• SIEM-consumable authentication event logging with new configuration option log_auth_events
• Corrected ad_client host failover behavior when using ldap_server_auto
• Additional bug fixes

Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.

Version 2.4.21 - March 2017

• Linux logging fix
• Bug fixes

Version 2.4.20 - February 2017

• Bug fix for premature TLS disconnect

Version 2.4.19 - December 2016

• LDAPS bug fixes

Version 2.4.18 - December 2016

• Ease-of-use improvements to authproxy.cfg file
• Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
• RADIUS and LDAP bug fixes
• Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)

Version 2.4.17 - May 2016

• Enhanced authentication proxy configuration reporting to Duo
• Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)

Version 2.4.16 - May 2016

• Fixed handling of missing LDAP passwords (DUO-PSA-2016-001)

Version 2.4.15 - May 2016

• Debug logging to file obscures password information
• Improved handling of NTLM and UPN Active Directory authentication
• Improved handling of mixed format line endings in the config file
• Checks config file for duplicate sections at proxy start

Version 2.4.14.1 - February 2016

• Directory Sync and HTTP Proxy bug fixes

Version 2.4.14 - December 2015

• New LDAP server option: allow_searches_after_bind
• Updated EULA

Version 2.4.13 - November 2015

• Added support for proxying HTTPS traffic from Duo client applications: http_proxy

Version 2.4.12 - August 2015

• Updated to OpenSSL 1.0.1p
• Handling for Palo Alto Client-IP attribute

Version 2.4.11 - March 2015

• Updated to OpenSSL 1.0.1m

Version 2.4.10 - March 2015

• Updated to OpenSSL 1.0.1l
• LDAP enhancements and improved logging
• Fix proxy startup on Ubuntu LTS
• New RADIUS exemption option: exempt_username_1
• RADIUS client Message-Authenticator validation

Version 2.4.9 - February 2015

This is the minimum required version for AD sync.

• Improved logging
• AD Sync improvements

Version 2.4.8 - November 2014

• AD Sync connection detection

Version 2.4.7 - November 2014

• Fixes for Linux hosts

Version 2.4.6 - October 2014

• Updated to OpenSSL 1.0.1j
• AD Sync performance enhancement

Version 2.4.5 - September 2014

• AD domain discovery feature in ad_client: domain_discovery
• AD Sync improvements

Version 2.4.4 - August 2014

• AD Sync improvements
• Fix LDAP filter extensions

Version 2.4.3 - July 2014

• Update ad_client time out logic
• RADIUS and LDAP bug fixes

Version 2.4.2 - June 2014

This is the minimum supported version.

• Updated to OpenSSL 1.0.1h
• TLS v1.2 support
• HTTPS proxy support for AD Sync
• Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility