Release notes for recent Authentication Proxy versions.
Download the current release from the Checksums and Downloads page.
EAP-message attribute.
authproxyctl executable to Windows installations. This can be used to start or stop the Authentication Proxy from the command line, or show the version of the running proxy. When used to start the proxy, the output of the connectivity tool is shown in the command prompt window.
authproxy.cfg file installed on Windows no longer contains Unix line endings, so it may be edited with Notepad.
minimum_tls_version option now accepts mixed-case values.
pass_through_attr_names is used with [radius_client].
Message-Authenticator to RADIUS packets where it was not already present.
pass_through_attr_names RADIUS setting. Note that the pass_through_attr_names and pass_through_all options are only valid when used with radius_client; specifying these parameters for RADIUS server sections that make use of ad_client or duo_only_client prevents the Authentication Proxy service from starting.
Message-Authenticator values when configured as a RADIUS pass-through attribute.
The Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems.
The installation file path has changed accordingly, from C:\Program Files (x86)\Duo Security Authentication Proxy in previous versions to C:\Program Files\Duo Security Authentication Proxy. If your authproxy.cfg file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination.
This change has no effect on Authentication Proxy releases for Linux.
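A pre-deployment check for the pass_through_attr_names / pass_through_all restriction noted above, as an added example (not Duo's code). It assumes each RADIUS server section names its primary authenticator with a `client` option; the sample configuration is constructed.

```python
import configparser

PASS_THROUGH_KEYS = ("pass_through_attr_names", "pass_through_all")

# Constructed sample authproxy.cfg; host and secret are placeholders.
SAMPLE_CFG = """
[radius_client]
host=192.0.2.10
secret=placeholder%secret

[radius_server_auto]
client=ad_client
pass_through_all=true

[radius_server_auto2]
client=radius_client
pass_through_attr_names=Filter-Id

[radius_server_auto3]
client=duo_only_client
pass_through_attr_names=Filter-Id
"""


def lint_pass_through(cfg_text):
    """Return (section, option, client) for each misplaced pass-through option."""
    # interpolation=None: secrets may contain a literal '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    findings = []
    for section in parser.sections():
        if not section.lower().startswith("radius_server_"):
            continue
        client = parser.get(section, "client", fallback="").strip()
        if client.lower().startswith("radius_client"):
            continue  # the only client type these options are valid with
        for key in PASS_THROUGH_KEYS:
            if parser.has_option(section, key):
                findings.append((section, key, client))
    return findings


if __name__ == "__main__":
    for section, key, client in lint_pass_through(SAMPLE_CFG):
        print(f"[{section}] {key} is set but client={client or '(none)'}")
```

Running it against a configuration before restarting the service catches the combination that prevents the proxy from starting.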
[ad_client] now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the auth_type=sspi option.
[ad_client] now supports LDAP Signing plus LDAP Encryption (also known as "Sign and Seal") for the ntlm2 and sspi authentication types when using CLEAR transport. Refer to the Duo KB article Does the Duo Authentication Proxy support "Sign and Seal"? for additional details.
samAccountName and Common Name CN style usernames, including for exempt_ou username to Distinguished Name DN match.
[ad_client] authentication type is sspi (Windows integrated) and LDAP account username/password are also provided.
factors optional setting for [radius_server_auto] and [ldap_server_auto].
authenticator and Message-Authenticator verification succeeds when a packet includes multiple non-adjacent attributes of the same type.
authproxy_passwd tool to fail for secrets containing the % character.
conf directory to the built-in Administrators group.
ikey values are now properly captured in the authentication log during RADIUS authentication.
Proxy-State attribute values.
NTLM and SSPI authentications to fail in rare cases.
failmode and prompt_format configuration values to be case-sensitive.
primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
exempt_ou matching when the proxy is acting as an LDAP server.
[cloud] config for use with AD Sync, the service account credentials will be used to negotiate NTLM over SSPI.
authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
failmode was invoked when an invalid SKEY (Secret key) was used.
ldap_server_auto section has no associated ad_client section.
delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
authproxy_support tool reports the full path to the generated output file.
prompt, type, and failmode configuration settings.
[radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
duo_authproxy_svc) during installation to run the proxy server on Linux.
duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
authproxy_support tool from being run from in any directory.
[http_proxy] sections to use a configured interface.
http_proxy_host to test connections.
authproxy.cfg file.
minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
LdapEnforceChannelBinding setting.
[cloud] section is accessible.
authevents.log).
authproxy.cfg file shown at first use.
client_ip values.
allow_unlimited_binds.
authevents.log.
log_auth_events.
ad_client host failover behavior when using ldap_server_auto.
Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.
allow_searches_after_bind
http_proxy
exempt_username_1
domain_discovery
log_file, log_syslog, syslog_facility