Authentication Proxy - Release Notes

Last updated: May 27th, 2025

Release notes for recent Authentication Proxy versions.

Download the current release from the Checksums and Downloads page.

We encourage all customers to regularly upgrade to the latest Duo Authentication Proxy release to receive feature and security updates.

Version 6.5.1 - May 27, 2025

Adds support for new Duo certificate authorities.

Version 6.5.0 - April 23, 2025

IPv6 support for communicating with other on-premises applications, servers, and devices. Please note that communication with Duo's cloud service will still resolve the API hostname to an IPv4 address.
Connections to DNS hostnames will now honor multiple IP addresses and choose the fastest connection.
When specifying hostnames in ad_client sections or in the Admin Panel configuration for Duo SSO Active Directory authentication, Active Directory sync, and OpenLDAP sync, the hostnames must be RFC-1034-compliant and:
- Start with a letter.
- End with a letter or digit.
- Only contain letters, digits, or hyphens (-) in the host or domain name.
No longer prints ModuleNotFoundError during successful build.
Fix logfile rotation when an extra file exists in log directory
Improves handling of None values in HTTP client.
Add rate-limiting logic for 429 errors.
Upgrade Python to 3.11.10 to address multiple CVEs, such as CVE-2024-6923 and CVE-2024-4030.
Upgrade to Cryptography 43.01 / OpenSSL 3.3.2 to address CVE-2024-6119.
Updates to various third party dependencies.

Version 6.4.2 - October 21, 2024

Adds the configuration option force_message_authenticator to radius_server modules.
- Set force_message_authenticator to true to force the Authentication Proxy to include a message-authenticator attribute in reply packets.
Ensures that reply packets containing a message-authenticator attribute send that as the first attribute.

Version 6.4.1 - May 8, 2024

Fixes a resource leak related to failed TLS connections in ldap_server_auto.
Please review the information in the 6.4.0 release note. If you experience issues with LDAPS/STARTTLS connections after installing 6.4.1, and your certificate(s) have key lengths less than 2048, see Duo KB article 8866 for a workaround.

Version 6.4.0 - April 30, 2024

Fixes unnecessarily strict Connectivity Tool validation of ldap_server_auto SSL certificates.
Improves logged error messaging for AD DIR_ERROR responses.
The Authentication Proxy Manager now displays additional error information in certain failure scenarios.
Updates the internal build process to use scoped package names.
Upgrade to Cryptography 42.0.5 / OpenSSL 3.2.1 to address CVE-2024-26130, CVE-2023-50782, and CVE-2024-0727.
- This version of OpenSSL changes the default SSL/TLS security level from 1 to 2. As a result of the default security level change, certificates with key lengths less than 2048 are no longer acceptable for inbound and outbound SSL, LDAPS, or STARTTLS connections to the Authentication Proxy. Our recommendation is that you reissue your certificates with key lengths of 2048 or greater. If you cannot update your certificates now, a workaround is available. Please see Duo KB article 8866 for details.
Upgrade Python to 3.11.9 to address CVE-2023-6597 and CVE-2024-0450.
Upgrade OpenSSL FIPS module to 3.0.9 to address CVE-2023-1255.
Updates various internal dependencies.
- These dependency updates affect use of the Duo Authentication Proxy Manager tool on Windows Server versions 2012 R2 and older, which have reached end-of-support status with both Duo and Microsoft. Please see the Duo End of Sale, Last Date of Support, and End of Life Policy for more information.

Version 6.3.0 - February 6, 2024

Fixes sort order of factors from preauth result.
Fixes OpenSSL error when enabling FIPS mode on certain systems.
Updates Python to 3.11.7 to address CVE-2023-36632, CVE-2023-24329, CVE-2023-40217, CVE-2023-27043, and CVE-2007-4559.
Updates various internal dependencies to resolve CVEs including CVE-2023-49083, CVE-2023-46137, CVE-2022-40898, CVE-2021-32559, and CVE-2022-42969.

Version 6.2.0 - November 28, 2023

Connectivity checker no longer rejects ECC SSL keys.
Improves integration with systemd on Linux systems.
Improves handling of corrupted SSO configuration file.
IFrame reconfiguration script no longer creates duplicate configuration sections.
Resolves various CVEs including CVE-2023-5363, CVE-2023-4807, and CVE-2022-40897.

Version 6.1.0 - September 19, 2023

Restores the default for allow_concat to false in the radius_server_eap section.
Fixes various bugs in radius_server_eap functionality.
No longer logs configured server sections twice at startup.
Authentication Proxy upgrades no longer fail when there is a subdirectory inside the conf directory.
The Windows service now correctly installs/uninstalls when there is an invalid authproxy.cfg.
Provides a utility script to assist with converting radius_server_iframe sections to radius_server_auto. See Guide to Duo's iFrame Reconfiguration Script.
Updates Cryptography to 41.0.3.
Updates OpenSSL to 3.1.2.

Version 6.0.2 - July 24, 2023

The value for allow_concat in the radius_server_eap section now correctly defaults to True.
The Authentication Proxy connectivity tool and Authentication Proxy Manager now raise an exception if the Authentication Proxy is given a password-protected certificate.
Fixed a resource leak related to failed TLS connections.

Version 6.0.1 - June 14, 2023

Resolves an issue in version 6.0.0 (CVE-2023-20207 Cisco Security Advisory) where some configurations would output plain-text secrets to authproxy.log during proxy service start.

Version 6.0.0 - June 7, 2023

SHA1 signed certificates are no longer supported for LDAPS or StartTLS connections. This affects Duo Single Sign-On Active Directory authentication, Active Directory Sync, OpenLDAP Directory Sync, and ad_client configuration for RADIUS or LDAP authentication. SHA1 certificates issued to Active Directory domain controllers or LDAP directory servers must be reissued as SHA256 or greater. If a SHA256+ certificate cannot be obtained, the alternative is to use unsecured (CLEAR) transport.
NTLM1 is disabled in FIPS mode, and deprecated in non-FIPS mode.
Linux installer now supports ARM64/AARCH64 in addition to the existing AMD64/x64 support.
Updated Cryptography to 40.0.2 to address CVE-2020-25659 and CVE-2020-36242.
Updated OpenSSL to 3.1.1.
Updated Python to 3.8.16 to address CVE-2022-26488, CVE-2016-3189, CVE-2019-12900, CVE-2018-25032, CVE-2020-10735, and CVE-2022-37454.

Version 5.8.2 - June 14, 2023

Resolves an issue in version 5.8.1 (CVE-2023-20207 Cisco Security Advisory) where some configurations would output plain-text secrets to authproxy.log during proxy service start.

Version 5.8.1 - May 10, 2023

Fixed an issue where SSO logins that timed out would be incorrectly interpreted as bad credentials.
Fixed an issue where the configuration check would no longer incorrectly report a problem with the transport value of an ad_client section if ssl_verify_hostname is not specified.
Now verifies that configured applications (specified by ikey) are named or generic RADIUS, LDAP, or directory sync applications intended for use with the Authentication Proxy. Using a mistyped integration may generate HTTP 403 messages in the authproxy.log but does not affect user authentication. We encourage to you use the correct application types in your Authentication Proxy configurations.

Version 5.8.0 - February 15, 2023

Removes git commit hashes from binaries and folder names.
The authproxy_support script now honors the log_dir configured in [main] section of authproxy.cfg; --log-dir script argument removed.
Sends a user's distinguishedName (DN) back to Duo Single Sign-On on a failed SSO AD authentication.
Nested conf directories underneath the Authentication Proxy's conf directory are no longer valid (i.e. /opt/duoauthproxy/conf/conf/certs.crt).
Fixed a bug causing Proxy-State to be duplicated in RADIUS responses.
Updated to Twisted 22.4.0 to resolve CVE-2022-24801.
Additional bug fixes and enhancements.

Version 5.7.4 - November 8, 2022

Improved logging for LDAP timeouts.
The Authentication Proxy Manager and connectivity tool now warn against use of 'clear' transport in ad_client with certificates specified.
Removes the misleading no reply message in packet RADIUS error message to reduce confusion while troubleshooting authentication failures.
No longer duplicates the proxy-state RADIUS attribute when both the RADIUS client and server configuration sections specify pass_through_all=true.
The connectivity tool no longer exits prematurely when it fails to connect to a RADIUS server that is not running.
Fixed an issue that could result in multiple redundant connections to the Duo SSO service in certain race conditions.

Version 5.7.3 - August 30, 2022

Corrected an issue where the Authentication Proxy incorrectly included a reply message in EAP packets.

Version 5.7.2 - June 23, 2022

Fixed an issue where make would not build the Authentication Proxy if TERM_PROGRAM was set on Linux.
Removed extraneous dependencies.

Version 5.7.1 - May 26, 2022

Updated to Python 3.8.12 to resolve CVE-2020-14422 and CVE-2021-29921.

Version 5.7.0 - May 9, 2022

Twisted has been updated to include the fix for CVE-2022-21712.
The Windows Authentication Proxy binaries are now all signed.
Added LimitNOFILE option to the Linux Authentication Proxy systemd init script to maximize authentication performance.
Fixed traceback when the last [cloud] section is invalid.

Version 5.6.1 - March 28, 2022

OpenSSL has been updated to include the fix for CVE-2022-0778.
The Authentication Proxy Manager now correctly recognizes error return codes for unparseable configuration files.
The Authentication Proxy Manager now correctly recognizes api_host entries with multiple hyphens as valid.

Version 5.6.0 - February 14, 2022

The Windows Authentication Proxy now ships with the Duo Authentication Proxy Manager. This tool allows for configuring the Authentication Proxy, validating the configuration, and starting or stopping the Authentication Proxy service.
The authproxy_connectivity_tool now exits with code 2 if there were connectivity issues.
The Linux Authentication Proxy installer now prompts the user to ask if the SELinux module should be installed if run interactively, and accepts --enable-selinux=yes|no at the command line.
Fixed a bug causing the SELinux module installation to not work with custom installation directories.

Version 5.5.1 - January 19, 2022

Introduced initial support for multiple Active Directory authentication sources with Duo Single Sign-On.
An invalid [cloud] section in authproxy.cfg no longer interferes with other valid [cloud] configuration sections.
Fixes an issue that caused the Authentication Proxy not to reconnect to Duo automatically for SSO and Directory Sync after a period of degraded network connectivity.
The Linux installer correctly expands tilde characters in the install path.
Mutes excessive tracebacks caused by rapidly opening and then closing incoming connections to ldap_server_auto configured with ad_client.
The Linux installation script creates the necessary SELinux configuration (if appropriate) to allow start of the Authentication Proxy with systemd.

Version 5.5.0 - October 13, 2021

Adds support for Duo Single Sign-On expired password resets.
Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2x to address the NULL pointer dereference issue described in CVE-2020-1971.
Verified on Windows Server 2022.

Version 5.4.1 - September 15, 2021

Fixes a spurious "no service account username is provided" warning from the connectivity tool when using Windows integrated authentication (SSPI).
Now reports the error code during SSPI negotiation failure.
Strips leading or trailing whitespace from RADIUS usernames during radius_iframe authentications.
Restricts access to the Authentication Proxy bin folder on Windows at installation.
Upgrades a third-party library to address memory leaks during authentications.

Version 5.4.0 - July 22, 2021

Now suppresses system restarts by the Microsoft Visual C++ Redistributable installer during Authentication Proxy installation on Windows.
Improves the error messaging when user msds-principalname lookups fail.
The configuration checking performed by the connectivity tool now reports common misconfigurations for service account and authentication type combinations.
Improves the log messaging when the Authentication Proxy attempts to determine use of password and factor concatenation.
Improves the error messaging when LDAP authentications fail because the service account bind failed.
The SIEM logging output to authevents.log now includes the client section name whenever possible.
The Windows-only password encryption utility now also decrypts previously-encrypted passwords in a configuration file.

Version 5.3.1 - July 7, 2021

Corrects an issue running the connectivity tool on Windows while the Authentication Proxy itself was running.
Fixes a condition that caused incorrectly-colored connectivity tool output.
Updates the Authentication Proxy's Windows service error exit code from 1 to 575.

Version 5.3.0 - April 26, 2021

Timestamps in authproxy.log output now show milliseconds.
The authproxy_passwd tool now preserves comments when encrypting all passwords and secrets in the authproxy.cfg file with the --whole-config option.
When security_group_dn is defined in an ad_client section, the connectivity tool confirms that an LDAP search for the group distinguished name returns a result.
Fixes the connectivity tool's error detection for mismatched TLS certificate keypairs.
When upgrading an existing install, the Authentication Proxy installer runs the connectivity tool to validate your configuration for correctness.

Version 5.2.2 - April 12, 2021

Corrects logging message when SSL certificate and key did not match.
RADIUS timeouts logging reports correct information about what servers have been contacted.
The connectivity tool warning about RADIUS server availability is now displayed in yellow text.
Adds a default timeout for ping calls during proxy connection issues to Duo.
Suppresses error messages about quickly-terminated LDAP connections.

Version 5.2.1 - March 25, 2021

Addresses an elevation of privilege vulnerability in the Duo Authentication Proxy for Windows installer which could allow an authenticated local attacker to overwrite files in privileged directories (CVE-2021-1492). The vulnerability was limited to the Windows installer only, and did not affect the application once installed. This vulnerability does not apply to any version of Duo Authentication Proxy for Linux.

Version 5.2.0 - February 2, 2021

Adds support for multiple [cloud] sections, which enables a single Duo Authentication Proxy to service more than one Active Directory or OpenLDAP directory sync. Learn more.
The connectivity tool now displays warnings in yellow.
Improved error messaging when a User-Password attribute is missing in challenge response for radius_server_challenge.
Corrected an issue preventing silent install on Windows.
LDAP channel binding no longer fails when the server's certificate uses the RSASSA-PSS signature algorithm.
Fixed a bug causing authentications to fail when using SMS as a second factor with radius_server_eap.
Fixed a bug where local versions of Python packages interfered with Duo Authentication install on Linux.
The connectivity tool now utilizes the configured HTTP proxy.
Adds support for additional EAP and PEAP authentication methods like EAP-MSCHAPv2 in radius_server_auto.

Version 5.1.1 - November 23, 2020

Fixed a bug causing MPPE key decryption to fail when MPPE was used with an EAP-message attribute.
Addresses an issue in prior v5.x.x releases where the running proxy stops responding to incoming RADIUS requests.
Added the Microsoft Visual C++ 2015-2019 Redistributable to the Windows Authentication proxy installer to ensure all required DLLs are present on the target system.

Version 5.1.0 - November 4, 2020

Adds the authproxyctl executable to Windows installations. This can be used to start or stop the Authentication Proxy from the command line, or show the version of the running proxy. When used to start the proxy, the output of the connectivity tool is shown in the command prompt window.
The Windows installer now starts the Duo Authentication Proxy after a version upgrade if the service was running when the upgrade started.
Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2w to address CVE-2020-1968.
The connectivity tool now checks for newer versions of the Authentication Proxy.
The default authproxy.cfg file installed on Windows no longer contains Unix line endings, so it may be edited with Notepad.
Improved error messaging when unable to establish an SSL connection when using FIPS mode.
Improved error messaging when a StartTLS connection can not be established for Directory Sync or Duo Single Sign-On (SSO).
Improved error messaging for Directory Sync and Duo SSO when attempting to use the "Integrated" authentication type with a Linux Authentication Proxy.
The minimum_tls_version option now accepts mixed-case values.
The connectivity tool no longer incorrectly reports an error when pass_through_attr_names is used with [radius_client].
Corrected an issue where SSL verification was disabled if an empty or invalid file was provided for ssl_ca_certs_file.
An exception no longer occurs if a non-string username attribute is used with Duo SSO.
RADIUS authentications no longer fail if some MPPE attributes are present but the Send Key and Receive Key are missing.
Fixed a bug causing the Authentication Proxy to parse values in the configuration file as multi-line values if they were accidentally indented.
Corrected an issue where installed files did not have the correct permissions on Linux.

Version 5.0.2 - September 28, 2020

No longer adds Message-Authenticator to RADIUS packets where it was not already present.
Fixed an issue preventing Authentication Proxy startup when using the pass_through_attr_names RADIUS setting. Note that the pass_through_attr_names and pass_through_all options are only valid when used with radius_client; specifying these parameters for RADIUS server sections that make use of ad_client or duo_only_client prevents the Authentication Proxy service from starting.

Version 5.0.1 - September 3, 2020

Corrects an issue causing incorrect Message-Authenticator values when configured as a RADIUS pass-through attribute.

Version 5.0.0 - August 17, 2020

The Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems.

The installation file path has changed accordingly, from C:\Program Files (x86)\Duo Security Authentication Proxy in previous versions to C:\Program Files\Duo Security Authentication Proxy. If your authproxy.cfg file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination.

This change has no effect on Authentication Proxy releases for Linux.
Primary LDAP authentication with [ad_client] now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the auth_type=sspi option.
Primary LDAP authentication with [ad_client] now supports LDAP Signing plus LDAP Encryption (also known as "Sign and Seal") for the ntlm2 and sspi authentication types when using CLEAR transport. Refer to the Duo KB article Does the Duo Authentication Proxy support "Sign and Seal"? for additional details.
Extends LDAP channel binding support to NTLMv2 authentication.
LDAP anonymous bind identification now conforms with LDAP RFC 4513.
Now supports LDAP binds using samAccountName and Common Name CN style usernames, including for exempt_ou username to Distinguished Name DN match.
The connectivity tool issues a warning when the [ad_client] authentication type is sspi (Windows integrated) and LDAP account username/password are also provided.
Now consistently respects the order of the factors specified via the factors optional setting for [radius_server_auto] and [ldap_server_auto].
RADIUS authentication now handles MPPE responses properly per RFC 2548.
RADIUS authenticator and Message-Authenticator verification succeeds when a packet includes multiple non-adjacent attributes of the same type.
Fixed an issue where incorrectly encoding attributes in RADIUS packets may have resulted in the Authentication Proxy failing to process further RADIUS packets, causing a Denial of Service (DoS) condition.
Logging enhancements.

Versions Before 5.0.0

Version 4.0.2 - July 22, 2020

Updated the embedded Python version to 3.8.4, to address Python CVE-2020-1552. We urge that customers running v4.0.0 or v4.0.1 upgrade to this version.
This is the last 32-bit Authentication Proxy release.

Version 4.0.1 - June 10, 2020

Fixed a bug where certain vendor-specific RADIUS attributes were not passed through correctly.
The Authentication Proxy will not attempt to constantly connect to the Duo Single Sign-on service with expired credentials.
Fixed a bug with binary LDAP attributes that caused certain authentications to fail.
Fixed a bug that caused the Windows authproxy_passwd tool to fail for secrets containing the % character.
The error output when the Authentication Proxy cannot start TLS encryption due to missing configuration is clearer.

Version 4.0.0 - May 11, 2020

The Authentication Proxy is now packaged with and runs on Python 3.
When installed on Windows, directory permissions restrict access to the conf directory to the built-in Administrators group.
Improved directory sync performance when syncing large groups from Active Directory.
Fixed a bug causing RADIUS authentications to fail for usernames with non-ASCII characters.
Duo application ikey values are now properly captured in the authentication log during RADIUS authentication.

Version 3.2.4 - March 17, 2020

Full support for unicode usernames and passwords when used for Duo Single Sign-On authentication to Active Directory.

Version 3.2.3 - March 10, 2020

RADIUS Challenge responses now correctly include Proxy-State attribute values.

Version 3.2.2 - February 25, 2020

Fixed a bug causing NTLM and SSPI authentications to fail in rare cases.
Support for Windows Server 2008 R2 ended in January 2020. The minimum supported Windows version is Windows Server 2012. Future releases of the Authentication Proxy may not function on unsupported operating systems.

Version 3.2.1 - December 2019

Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.

Version 3.2.0 - December 2019

Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
The primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
Added support for LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
Support additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
Ignores service account credentials when using the "Integrated" (SSPI) authentication type for the Authentication Proxy's connection to your AD Authentication source to support Duo Single Sign-On. If provided in the [cloud] config for use with AD Sync, the service account credentials will be used to negotiate NTLM over SSPI.
Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
Bug fixes and enhancements to the connectivity tool.

Version 3.1.1 - September 2019

Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.

Version 3.1.0 - July 2019

New delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
The authproxy_support tool reports the full path to the generated output file.
Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
Allows mixed-case values for the prompt, type, and failmode configuration settings.
Logging of RADIUS and LDAP messages now contain the username.

Version 3.0.0 - March 2019

Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
Fixed a bug that prevent the authproxy_support tool from being run from in any directory.
Fixed a bug that caused errors when clients connected and disconnected very quickly.
Fixed small bugs in the connectivity tool configuration validation.

Version 2.14.0 - February 2019

Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
Improved logging during Active Directory or OpenLDAP directory synchronization.
Introduced support for [http_proxy] sections to use a configured interface.

Version 2.13.0 - January 2019

Colorized the output of the connectivity tool when run interactively for better readability.
Improvements and additions to the connectivity tool configuration and validation checks, including validation of dependencies across sections.
The connectivity tool now uses your configured http_proxy_host to test connections.
Improved logging for security and debugging purposes.

Version 2.12.1 - January 2019

Corrects an issue which prevented usage of unicode characters in the authproxy.cfg file.

Version 2.12.0 - January 2019

Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
FIPS mode for Windows and Linux.
Corrected an issue with logins from authorized networks not bypassing 2FA.

Version 2.11.0 - November 2018

Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
Corrected an installation issue on Linux systems due to the PYTHON environment variable.
Reworded fail mode result messages to improve logging consistency.

Version 2.10.1 - September 2018

Corrected an installation issue on Linux systems.

Version 2.10.0 - September 2018

Added a new flag to authproxy_passwd that allows you to encrypt all the passwords and secrets in the configuration at once.
Fix bug in Authentication Proxy Connectivity Tool that caused us to report an incorrect time drift.
Added 2fa factor used to the SIEM digestible log output (authevents.log).
Simplified example content in the authproxy.cfg file shown at first use.

Version 2.9.0 - May 2018

Introduced new connectivity troubleshooting tool.
Python 2.7 now bundled with Authentication Proxy install.
The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well.

Version 2.8.1 - March 2018

Corrected issue with EAP and TLS 1.2 for NetMotion EAP clients.
Released for Windows only.

Version 2.7.0 - December 2017

Supports OpenSSL 1.1.0.
New LDAP server option: allow_unlimited_binds.
Additional bug fixes.

Version 2.6.0 - October 2017

Password authentication for OpenLDAP and AD sync.
Fixed bug that caused an authentication event to be logged twice in authevents.log.
Additional bug fixes.

Version 2.5.4 - August 2017

SIEM-consumable authentication event logging with new configuration option log_auth_events.
Corrected ad_client host failover behavior when using ldap_server_auto.
Additional bug fixes.

Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.

Version 2.4.21 - March 2017

Linux logging fix
Bug fixes

Version 2.4.20 - February 2017

Bug fix for premature TLS disconnect

Version 2.4.19 - December 2016

LDAPS bug fixes

Version 2.4.18 - December 2016

Ease-of-use improvements to authproxy.cfg file
Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
RADIUS and LDAP bug fixes
Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)

Version 2.4.17 - May 2016

Enhanced authentication proxy configuration reporting to Duo
Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)

Version 2.4.16 - May 2016

Fixed handling of missing LDAP passwords (DUO-PSA-2016-001)

Version 2.4.15 - May 2016

Debug logging to file obscures password information
Improved handling of NTLM and UPN Active Directory authentication
Improved handling of mixed format line endings in the config file
Checks config file for duplicate sections at proxy start

Version 2.4.14.1 - February 2016

Directory Sync and HTTP Proxy bug fixes

Version 2.4.14 - December 2015

New LDAP server option: allow_searches_after_bind
Updated EULA

Version 2.4.13 - November 2015

Added support for proxying HTTPS traffic from Duo client applications: http_proxy

Version 2.4.12 - August 2015

Updated to OpenSSL 1.0.1p
Handling for Palo Alto Client-IP attribute

Version 2.4.11 - March 2015

Updated to OpenSSL 1.0.1m

Version 2.4.10 - March 2015

Updated to OpenSSL 1.0.1l
LDAP enhancements and improved logging
Fix proxy startup on Ubuntu LTS
New RADIUS exemption option: exempt_username_1
RADIUS client Message-Authenticator validation

Version 2.4.9 - February 2015

Improved logging
AD Sync improvements

Version 2.4.8 - November 2014

AD Sync connection detection

Version 2.4.7 - November 2014

Fixes for Linux hosts

Version 2.4.6 - October 2014

Updated to OpenSSL 1.0.1j
AD Sync performance enhancement

Version 2.4.5 - September 2014

AD domain discovery feature in ad_client: domain_discovery
AD Sync improvements

Version 2.4.4 - August 2014

AD Sync improvements
Fix LDAP filter extensions

Version 2.4.3 - July 2014

Update ad_client time out logic
RADIUS and LDAP bug fixes

Version 2.4.2 - June 2014

Updated to OpenSSL 1.0.1h
TLS 1.2 support
HTTPS proxy support for AD Sync
Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility