Authentication Proxy - Release Notes

Last Updated: March 17th, 2020

Release notes for recent Authentication Proxy versions.

Download the current release from the Checksums and Downloads page.

Version 3.2.4 - March 17, 2020

Version 3.2.3 - March 10, 2020

  • RADIUS Challenge responses now correctly include Proxy-State attribute values.

Version 3.2.2 - February 25, 2020

  • Fixed a bug causing NTLM and SSPI authentications to fail in rare cases.

Version 3.2.1 - December 2019

  • Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.

Version 3.2.0 - December 2019

  • Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
  • The primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
  • Added support for the LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
  • Support additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
  • When using the "Integrated" (SSPI) authentication type for Active Directory sync, service account credentials are ignored if provided in the [cloud] configuration.
  • Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
  • Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
  • The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
  • Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
  • Bug fixes and enhancements to the connectivity tool.

Version 3.1.1 - September 2019

  • Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.

Version 3.1.0 - July 2019

  • New delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
  • Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
  • The authproxy_support tool reports the full path to the generated output file.
  • Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
  • Allows mixed-case values for the prompt, type, and failmode configuration settings.
  • Logging of RADIUS and LDAP messages now contains the username.

Version 3.0.0 - March 2019

  • Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
  • Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
  • Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
  • Fixed a bug that prevented the authproxy_support tool from being run from any directory.
  • Fixed a bug that caused errors when clients connected and disconnected very quickly.
  • Fixed small bugs in the connectivity tool configuration validation.

Version 2.14.0 - February 2019

  • Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
  • Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
  • Improved logging during Active Directory or OpenLDAP directory synchronization.
  • Introduced support for [http_proxy] sections to use a configured interface.

Version 2.13.0 - January 2019

Version 2.12.1 - January 2019

  • Corrects an issue which prevented usage of unicode characters in the authproxy.cfg file.

Version 2.12.0 - January 2019

  • Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
  • OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
  • Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
  • The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
  • FIPS mode for Windows and Linux.
  • Corrected an issue with logins from authorized networks not bypassing 2FA.

Version 2.11.0 - November 2018

  • Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
  • The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
  • Corrected an installation issue on Linux systems due to the PYTHON environment variable.
  • Reworded fail mode result messages to improve logging consistency.

Version 2.10.1 - September 2018

  • Corrected an installation issue on Linux systems.

Version 2.10.0 - September 2018

Version 2.9.0 - May 2018

  • Introduced new connectivity troubleshooting tool
  • Python 2.7 now bundled with Authentication Proxy install
  • The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
  • Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well

Version 2.8.1 - March 2018

Version 2.7.0 - December 2017

  • Supports OpenSSL 1.1.0
  • New LDAP server option: allow_unlimited_binds
  • Additional bug fixes

Version 2.6.0 - October 2017

This is the minimum required version for OpenLDAP sync and the minimum recommended version for AD sync.

  • Password authentication for OpenLDAP and AD sync
  • Fixed bug that caused an authentication event to be logged twice in authevents.log
  • Additional bug fixes

Version 2.5.4 - August 2017

  • SIEM-consumable authentication event logging with new configuration option log_auth_events
  • Corrected ad_client host failover behavior when using ldap_server_auto
  • Additional bug fixes

Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.

Version 2.4.21 - March 2017

  • Linux logging fix
  • Bug fixes

Version 2.4.20 - February 2017

  • Bug fix for premature TLS disconnect

Version 2.4.19 - December 2016

  • LDAPS bug fixes

Version 2.4.18 - December 2016

  • Ease-of-use improvements to authproxy.cfg file
  • Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
  • RADIUS and LDAP bug fixes
  • Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)

Version 2.4.17 - May 2016

  • Enhanced authentication proxy configuration reporting to Duo
  • Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)

Version 2.4.16 - May 2016

Version 2.4.15 - May 2016

  • Debug logging to file obscures password information
  • Improved handling of NTLM and UPN Active Directory authentication
  • Improved handling of mixed format line endings in the config file
  • Checks config file for duplicate sections at proxy start

Version - February 2016

  • Directory Sync and HTTP Proxy bug fixes

Version 2.4.14 - December 2015

  • New LDAP server option: allow_searches_after_bind
  • Updated EULA

Version 2.4.13 - November 2015

Version 2.4.12 - August 2015

  • Updated to OpenSSL 1.0.1p
  • Handling for Palo Alto Client-IP attribute

Version 2.4.11 - March 2015

  • Updated to OpenSSL 1.0.1m

Version 2.4.10 - March 2015

  • Updated to OpenSSL 1.0.1l
  • LDAP enhancements and improved logging
  • Fix proxy startup on Ubuntu LTS
  • New RADIUS exemption option: exempt_username_1
  • RADIUS client Message-Authenticator validation

Version 2.4.9 - February 2015

This is the minimum required version for AD sync.

  • Improved logging
  • AD Sync improvements

Version 2.4.8 - November 2014

  • AD Sync connection detection

Version 2.4.7 - November 2014

  • Fixes for Linux hosts

Version 2.4.6 - October 2014

  • Updated to OpenSSL 1.0.1j
  • AD Sync performance enhancement

Version 2.4.5 - September 2014

  • AD domain discovery feature in ad_client: domain_discovery
  • AD Sync improvements

Version 2.4.4 - August 2014

  • AD Sync improvements
  • Fix LDAP filter extensions

Version 2.4.3 - July 2014

  • Update ad_client time out logic
  • RADIUS and LDAP bug fixes

Version 2.4.2 - June 2014

This is the minimum supported version.

  • Updated to OpenSSL 1.0.1h
  • TLS v1.2 support
  • HTTPS proxy support for AD Sync
  • Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility