Release notes for recent Authentication Proxy versions.
Download the current release from the Checksums and Downloads page.
We encourage all customers to regularly upgrade to the latest Duo Authentication Proxy release to receive feature and security updates.
Version 5.7.3 - August 30, 2022
- Fixed a bug where the Authentication Proxy incorrectly included a reply message in EAP packets.
Version 5.7.2 - June 23, 2022
- Fixed an issue where
make would not build the Authentication Proxy if
TERM_PROGRAM was set on Linux.
- Removed extraneous dependencies.
Version 5.7.1 - May 26, 2022
Version 5.7.0 - May 9, 2022
- Twisted has been updated to include the fix for CVE-2022-21712.
- The Windows Authentication Proxy binaries are now all signed.
LimitNOFILE option to the Linux Authentication Proxy systemd init script to maximize authentication performance.
- Fixed traceback when the last
[cloud] section is invalid.
Version 5.6.1 - March 28, 2022
- OpenSSL has been updated to include the fix for CVE-2022-0778.
- The Authentication Proxy Manager now correctly recognizes error return codes for unparseable configuration files.
- The Authentication Proxy Manager now correctly recognizes
api_host entries with multiple hyphens as valid.
Version 5.6.0 - February 14, 2022
- The Windows Authentication Proxy now ships with the Duo Authentication Proxy Manager. This tool allows for configuring the Authentication Proxy, validating the configuration, and starting or stopping the Authentication Proxy service.
authproxy_connectivity_tool now exits with code
2 if there were connectivity issues.
- The Linux Authentication Proxy installer now prompts the user to ask if the SELinux module should be installed if run interactively, and accepts
--enable-selinux=yes|no at the command line.
- Fixed a bug causing the SELinux module installation to not work with custom installation directories.
Version 5.5.1 - January 19, 2022
- Introduced initial support for multiple Active Directory authentication sources with Duo Single Sign-On.
- An invalid
[cloud] section in
authproxy.cfg no longer interferes with other valid
[cloud] configuration sections.
- Fixes an issue that caused the Authentication Proxy not to reconnect to Duo automatically for SSO and Directory Sync after a period of degraded network connectivity.
- The Linux installer correctly expands tilde characters in the install path.
- Mutes excessive tracebacks caused by rapidly opening and then closing incoming connections to
ldap_server_auto configured with
- The Linux installation script creates the necessary SELinux configuration (if appropriate) to allow start of the Authentication Proxy with systemd.
Version 5.5.0 - October 13, 2021
- Adds support for Duo Single Sign-On expired password resets.
- Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2x to address the NULL pointer dereference issue described in CVE-2020-1971.
- Verified on Windows Server 2022.
Version 5.4.1 - September 15, 2021
- Fixes a spurious "no service account username is provided" warning from the connectivity tool when using Windows integrated authentication (SSPI).
- Now reports the error code during SSPI negotiation failure.
- Strips leading or trailing whitespace from RADIUS usernames during
- Restricts access to the Authentication Proxy
bin folder on Windows at installation.
- Upgrades a third-party library to address memory leaks during authentications.
Version 5.4.0 - July 22, 2021
- Now suppresses system restarts by the Microsoft Visual C++ Redistributable installer during Authentication Proxy installation on Windows.
- Improves the error messaging when user
msds-principalname lookups fail.
- The configuration checking performed by the connectivity tool now reports common misconfigurations for service account and authentication type combinations.
- Improves the log messaging when the Authentication Proxy attempts to determine use of password and factor concatenation.
- Improves the error messaging when LDAP authentications fail because the service account bind failed.
- The SIEM logging output to
authevents.log now includes the client section name whenever possible.
- The Windows-only password encryption utility now also decrypts previously-encrypted passwords in a configuration file.
Version 5.3.1 - July 7, 2021
- Corrects an issue running the connectivity tool on Windows while the Authentication Proxy itself was running.
- Fixes a condition that caused incorrectly-colored connectivity tool output.
- Updates the Authentication Proxy's Windows service error exit code from
Version 5.3.0 - April 26, 2021
- Timestamps in
authproxy.log output now show milliseconds.
authproxy_passwd tool now preserves comments when encrypting all passwords and secrets in the
authproxy.cfg file with the
security_group_dn is defined in an
ad_client section, the connectivity tool confirms that an LDAP search for the group distinguished name returns a result.
- Fixes the connectivity tool's error detection for mismatched TLS certificate keypairs.
- When upgrading an existing install, the Authentication Proxy installer runs the connectivity tool to validate your configuration for correctness.
Version 5.2.2 - April 12, 2021
- Corrects logging message when SSL certificate and key did not match.
- RADIUS timeouts logging reports correct information about what servers have been contacted.
- The connectivity tool warning about RADIUS server availability is now displayed in yellow text.
- Adds a default timeout for ping calls during proxy connection issues to Duo.
- Suppresses error messages about quickly-terminated LDAP connections.
Version 5.2.1 - March 25, 2021
- Addresses an elevation of privilege vulnerability in the Duo Authentication Proxy for Windows installer which could allow an authenticated local attacker to overwrite files in privileged directories (CVE-2021-1492). The vulnerability was limited to the Windows installer only, and did not affect the application once installed. This vulnerability does not apply to any version of Duo Authentication Proxy for Linux.
Version 5.2.0 - February 2, 2021
- Adds support for multiple
[cloud] sections, which enables a single Duo Authentication Proxy to service more than one Active Directory or OpenLDAP directory sync. Learn more.
- The connectivity tool now displays warnings in yellow.
- Improved error messaging when a
User-Password attribute is missing in challenge response for
- Corrected an issue preventing silent install on Windows.
- LDAP channel binding no longer fails when the server's certificate uses the RSASSA-PSS signature algorithm.
- Fixed a bug causing authentications to fail when using SMS as a second factor with
- Fixed a bug where local versions of Python packages interfered with Duo Authentication install on Linux.
- The connectivity tool now utilizes the configured HTTP proxy.
- Adds support for additional EAP and PEAP authentication methods like EAP-MSCHAPv2 in
Version 5.1.1 - November 23, 2020
- Fixed a bug causing MPPE key decryption to fail when MPPE was used with an
- Addresses an issue in prior v5.x.x releases where the running proxy stops responding to incoming RADIUS requests.
- Added the Microsoft Visual C++ 2015-2019 Redistributable to the Windows Authentication proxy installer to ensure all required DLLs are present on the target system.
Version 5.1.0 - November 4, 2020
- Adds the
authproxyctl executable to Windows installations. This can be used to start or stop the Authentication Proxy from the command line, or show the version of the running proxy. When used to start the proxy, the output of the connectivity tool is shown in the command prompt window.
- The Windows installer now starts the Duo Authentication Proxy after a version upgrade if the service was running when the upgrade started.
- Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2w to address CVE-2020-1968.
- The connectivity tool now checks for newer versions of the Authentication Proxy.
- The default
authproxy.cfg file installed on Windows no longer contains Unix line endings, so it may be edited with Notepad.
- Improved error messaging when unable to establish an SSL connection when using FIPS mode.
- Improved error messaging when a StartTLS connection can not be established for Directory Sync or Duo Single Sign-On (SSO).
- Improved error messaging for Directory Sync and Duo SSO when attempting to use the "Integrated" authentication type with a Linux Authentication Proxy.
minimum_tls_version option now accepts mixed-case values.
- The connectivity tool no longer incorrectly reports an error when
pass_through_attr_names is used with
- Corrected an issue where SSL verification was disabled if an empty or invalid file was provided for ssl_ca_certs_file.
- An exception no longer occurs if a non-string username attribute is used with Duo SSO.
- RADIUS authentications no longer fail if some MPPE attributes are present but the Send Key and Receive Key are missing.
- Fixed a bug causing the Authentication Proxy to parse values in the configuration file as multi-line values if they were accidentally indented.
- Corrected an issue where installed files did not have the correct permissions on Linux.
Version 5.0.2 - September 28, 2020
- No longer adds
Message-Authenticator to RADIUS packets where it was not already present.
- Fixed an issue preventing Authentication Proxy startup when using the
pass_through_attr_names RADIUS setting. Note that the
pass_through_all options are only valid when used with
radius_client; specifying these parameters for RADIUS server sections that make use of
duo_only_client prevents the Authentication Proxy service from starting.
Version 5.0.1 - September 3, 2020
- Corrects an issue causing incorrect
Message-Authenticator values when configured as a RADIUS pass-through attribute.
Version 5.0.0 - August 17, 2020
The Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems.
The installation file path has changed accordingly, from
C:\Program Files (x86)\Duo Security Authentication Proxy in previous versions to
C:\Program Files\Duo Security Authentication Proxy. If your
authproxy.cfg file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination.
This change has no effect on Authentication Proxy releases for Linux.
Primary LDAP authentication with
[ad_client] now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the
Primary LDAP authentication with
[ad_client] now supports LDAP Signing plus LDAP Encryption (also known as "Sign and Seal") for the
sspi authentication types when using CLEAR transport. Refer to the Duo KB article Does the Duo Authentication Proxy support "Sign and Seal"? for additional details.
Extends LDAP channel binding support to NTLMv2 authentication.
LDAP anonymous bind identification now conforms with LDAP RFC 4513.
Now supports LDAP binds using
samAccountName and Common Name
CN style usernames, including for
exempt_ou username to Distinguished Name
The connectivity tool issues a warning when the
[ad_client] authentication type is
sspi (Windows integrated) and LDAP account username/password are also provided.
Now consistently respects the order of the factors specified via the
factors optional setting for
RADIUS authentication now handles MPPE responses properly per RFC 2548.
Message-Authenticator verification succeeds when a packet includes multiple non-adjacent attributes of the same type.
Fixed an issue where incorrectly encoding attributes in RADIUS packets may have resulted in the Authentication Proxy failing to process further RADIUS packets, causing a Denial of Service (DoS) condition.
Version 4.0.2 - July 22, 2020
- Updated the embedded Python version to 3.8.4, to address Python CVE-2020-1552. We urge that customers running v4.0.0 or v4.0.1 upgrade to this version.
- This is the last 32-bit Authentication Proxy release.
Version 4.0.1 - June 10, 2020
- Fixed a bug where certain vendor-specific RADIUS attributes were not passed through correctly.
- The Authentication Proxy will not attempt to constantly connect to the Duo Single Sign-on service with expired credentials.
- Fixed a bug with binary LDAP attributes that caused certain authentications to fail.
- Fixed a bug that caused the Windows
authproxy_passwd tool to fail for secrets containing the
- The error output when the Authentication Proxy cannot start TLS encryption due to missing configuration is clearer.
Version 4.0.0 - May 11, 2020
- The Authentication Proxy is now packaged with and runs on Python 3.
- When installed on Windows, directory permissions restrict access to the
conf directory to the built-in Administrators group.
- Improved directory sync performance when syncing large groups from Active Directory.
- Fixed a bug causing RADIUS authentications to fail for usernames with non-ASCII characters.
- Duo application
ikey values are now properly captured in the authentication log during RADIUS authentication.
Version 3.2.4 - March 17, 2020
Version 3.2.3 - March 10, 2020
- RADIUS Challenge responses now correctly include
Proxy-State attribute values.
Version 3.2.2 - February 25, 2020
- Fixed a bug causing
SSPI authentications to fail in rare cases.
- Support for Windows Server 2008 R2 ended in January 2020. The minimum supported Windows version is Windows Server 2012. Future releases of the Authentication Proxy may not function on unsupported operating systems.
Version 3.2.1 - December 2019
- Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.
Version 3.2.0 - December 2019
- Fixed a bug causing
prompt_format configuration values to be case-sensitive.
primarygroup is now checked when determining if an AD/LDAP (
ad_client) user is a member of the configured
- Added support for
LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
- Support additional username formats for
exempt_ou matching when the proxy is acting as an LDAP server.
- Ignores service account credentials when using the "Integrated" (SSPI) authentication type for the Authentication Proxy's connection to your AD Authentication source to support Duo Single Sign-On. If provided in the
[cloud] config for use with AD Sync, the service account credentials will be used to negotiate NTLM over SSPI.
- Events in the SIEM-consumable
authevents.log now contain the authentication proxy hostname and the
IKEY (Integration key) of the protected application.
- Fixed case where logging incorrectly indicated
failmode was invoked when an invalid
SKEY (Secret key) was used.
- The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
- Proxy startup is prevented if an
ldap_server_auto section has no associated
- Bug fixes and enhancements to the connectivity tool.
Version 3.1.1 - September 2019
- Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.
Version 3.1.0 - July 2019
delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
- Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
authproxy_support tool reports the full path to the generated output file.
- Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
- Allows mixed-case values for the
failmode configuration settings.
- Logging of RADIUS and LDAP messages now contain the username.
Version 3.0.0 - March 2019
- Now defaults to TLS 1.2 when acting as an SSL server (
[ldap_server_auto]). Opt into a lower TLS version with the
minimum_tls_version configuration option.
- Now creates a new user (default name
duo_authproxy_svc) during installation to run the proxy server on Linux.
- Now creates a new group (default name
duo_authproxy_grp) during installation on Linux. This group owns the
/opt/duoauthproxy/log folder and all of its files.
- Fixed a bug that prevent the
authproxy_support tool from being run from in any directory.
- Fixed a bug that caused errors when clients connected and disconnected very quickly.
- Fixed small bugs in the connectivity tool configuration validation.
Version 2.14.0 - February 2019
- Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
- Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
- Improved logging during Active Directory or OpenLDAP directory synchronization.
- Introduced support for
[http_proxy] sections to use a configured
Version 2.13.0 - January 2019
Version 2.12.1 - January 2019
- Corrects an issue which prevented usage of unicode characters in the
Version 2.12.0 - January 2019
- Introduces new configuration options
cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server (
- OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
- Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
- The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
FIPS mode for Windows and Linux.
- Corrected an issue with logins from authorized networks not bypassing 2FA.
Version 2.11.0 - November 2018
- Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the
- The connectivity troubleshooting tool now checks that the api_host in a
[cloud] section is accessible.
- Corrected an installation issue on Linux systems due to the PYTHON environment variable.
- Reworded fail mode result messages to improve logging consistency.
Version 2.10.1 - September 2018
- Corrected an installation issue on Linux systems.
Version 2.10.0 - September 2018
Version 2.9.0 - May 2018
- Introduced new connectivity troubleshooting tool.
- Python 2.7 now bundled with Authentication Proxy install.
- The HTTP Proxy feature now accepts CIDR ranges as permitted
- Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well.
Version 2.8.1 - March 2018
Version 2.7.0 - December 2017
- Supports OpenSSL 1.1.0.
- New LDAP server option:
- Additional bug fixes.
Version 2.6.0 - October 2017
- Password authentication for OpenLDAP and AD sync.
- Fixed bug that caused an authentication event to be logged twice in
- Additional bug fixes.
Version 2.5.4 - August 2017
- SIEM-consumable authentication event logging with new configuration option
ad_client host failover behavior when using
- Additional bug fixes.
Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.
Version 2.4.21 - March 2017
- Linux logging fix
- Bug fixes
Version 2.4.20 - February 2017
- Bug fix for premature TLS disconnect
Version 2.4.19 - December 2016
Version 2.4.18 - December 2016
- Ease-of-use improvements to authproxy.cfg file
- Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
- RADIUS and LDAP bug fixes
- Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)
Version 2.4.17 - May 2016
- Enhanced authentication proxy configuration reporting to Duo
- Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)
Version 2.4.16 - May 2016
Version 2.4.15 - May 2016
- Debug logging to file obscures password information
- Improved handling of NTLM and UPN Active Directory authentication
- Improved handling of mixed format line endings in the config file
- Checks config file for duplicate sections at proxy start
Version 184.108.40.206 - February 2016
- Directory Sync and HTTP Proxy bug fixes
Version 2.4.14 - December 2015
- New LDAP server option:
- Updated EULA
Version 2.4.13 - November 2015
Version 2.4.12 - August 2015
- Updated to OpenSSL 1.0.1p
- Handling for Palo Alto Client-IP attribute
Version 2.4.11 - March 2015
- Updated to OpenSSL 1.0.1m
Version 2.4.10 - March 2015
- Updated to OpenSSL 1.0.1l
- LDAP enhancements and improved logging
- Fix proxy startup on Ubuntu LTS
- New RADIUS exemption option:
- RADIUS client Message-Authenticator validation
Version 2.4.9 - February 2015
- Improved logging
- AD Sync improvements
Version 2.4.8 - November 2014
- AD Sync connection detection
Version 2.4.7 - November 2014
Version 2.4.6 - October 2014
- Updated to OpenSSL 1.0.1j
- AD Sync performance enhancement
Version 2.4.5 - September 2014
- AD domain discovery feature in ad_client:
- AD Sync improvements
Version 2.4.4 - August 2014
- AD Sync improvements
- Fix LDAP filter extensions
Version 2.4.3 - July 2014
- Update ad_client time out logic
- RADIUS and LDAP bug fixes
Version 2.4.2 - June 2014
- Updated to OpenSSL 1.0.1h
- TLS 1.2 support
- HTTPS proxy support for AD Sync
Support for syslog forwarding (Linux/Unix only):