Release notes for recent Authentication Proxy versions.
Download the current release from the Checksums and Downloads page.
Version 3.2.1 - December 2019
- Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.
Version 3.2.0 - December 2019
- Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
- The primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
- Added support for the LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
- Support additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
- When using the "Integrated" (SSPI) authentication type for Active Directory sync, service account credentials are ignored if provided in the [cloud] configuration.
- Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
- Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
- The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
- Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
- Bug fixes and enhancements to the connectivity tool.
Version 3.1.1 - September 2019
- Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.
Version 3.1.0 - July 2019
- New delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports appending a Duo factor or passcode after a fixed-length password without specifying a delimiter character.
- Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
- The authproxy_support tool reports the full path to the generated output file.
- Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
- Allows mixed-case values for the prompt, type, and failmode configuration settings.
- Logging of RADIUS and LDAP messages now contains the username.
Version 3.0.0 - March 2019
- Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
- Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
- Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
- Fixed a bug that prevented the authproxy_support tool from being run from any directory.
- Fixed a bug that caused errors when clients connected and disconnected very quickly.
- Fixed small bugs in the connectivity tool configuration validation.
Version 2.14.0 - February 2019
- Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
- Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
- Improved logging during Active Directory or OpenLDAP directory synchronization.
- Introduced support for [http_proxy] sections to use a configured interface.
Version 2.13.0 - January 2019
Version 2.12.1 - January 2019
- Corrects an issue which prevented usage of Unicode characters in the authproxy.cfg file.
Version 2.12.0 - January 2019
- Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
- OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
- Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
- The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
- FIPS mode for Windows and Linux.
- Corrected an issue with logins from authorized networks not bypassing 2FA.
Version 2.11.0 - November 2018
- Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
- The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
- Corrected an installation issue on Linux systems due to the PYTHON environment variable.
- Reworded fail mode result messages to improve logging consistency.
Version 2.10.1 - September 2018
- Corrected an installation issue on Linux systems.
Version 2.10.0 - September 2018
Version 2.9.0 - May 2018
- Introduced new connectivity troubleshooting tool
- Python 2.7 now bundled with Authentication Proxy install
- The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
- Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well
Version 2.8.1 - March 2018
Version 2.7.0 - December 2017
- Supports OpenSSL 1.1.0
- New LDAP server option: allow_unlimited_binds
- Additional bug fixes
Version 2.6.0 - October 2017
This is the minimum required version for OpenLDAP sync and the minimum recommended version for AD sync.
- Password authentication for OpenLDAP and AD sync
- Fixed bug that caused an authentication event to be logged twice in authevents.log
- Additional bug fixes
Version 2.5.4 - August 2017
- SIEM-consumable authentication event logging with new configuration option log_auth_events
- Corrected ad_client host failover behavior when using ldap_server_auto
- Additional bug fixes
Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.
Version 2.4.21 - March 2017
- Linux logging fix
- Bug fixes
Version 2.4.20 - February 2017
- Bug fix for premature TLS disconnect
Version 2.4.19 - December 2016
Version 2.4.18 - December 2016
- Ease-of-use improvements to authproxy.cfg file
- Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
- RADIUS and LDAP bug fixes
- Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)
Version 2.4.17 - May 2016
- Enhanced authentication proxy configuration reporting to Duo
- Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)
Version 2.4.16 - May 2016
Version 2.4.15 - May 2016
- Debug logging to file obscures password information
- Improved handling of NTLM and UPN Active Directory authentication
- Improved handling of mixed format line endings in the config file
- Checks config file for duplicate sections at proxy start
Version 2.4.14.1 - February 2016
- Directory Sync and HTTP Proxy bug fixes
Version 2.4.14 - December 2015
- New LDAP server option: allow_searches_after_bind
- Updated EULA
Version 2.4.13 - November 2015
Version 2.4.12 - August 2015
- Updated to OpenSSL 1.0.1p
- Handling for Palo Alto Client-IP attribute
Version 2.4.11 - March 2015
- Updated to OpenSSL 1.0.1m
Version 2.4.10 - March 2015
- Updated to OpenSSL 1.0.1l
- LDAP enhancements and improved logging
- Fix proxy startup on Ubuntu LTS
- New RADIUS exemption option: exempt_username_1
- RADIUS client Message-Authenticator validation
Version 2.4.9 - February 2015
This is the minimum required version for AD sync.
- Improved logging
- AD Sync improvements
Version 2.4.8 - November 2014
- AD Sync connection detection
Version 2.4.7 - November 2014
Version 2.4.6 - October 2014
- Updated to OpenSSL 1.0.1j
- AD Sync performance enhancement
Version 2.4.5 - September 2014
- AD domain discovery feature in ad_client: domain_discovery
- AD Sync improvements
Version 2.4.4 - August 2014
- AD Sync improvements
- Fix LDAP filter extensions
Version 2.4.3 - July 2014
- Update ad_client time out logic
- RADIUS and LDAP bug fixes
Version 2.4.2 - June 2014
This is the minimum supported version.
- Updated to OpenSSL 1.0.1h
- TLS v1.2 support
- HTTPS proxy support for AD Sync
- Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility