Authentication Proxy - Release Notes

Download the current release from the Checksums and Downloads page.

Version 5.1.1 - November 23, 2020

• Fixed a bug causing MPPE key decryption to fail when MPPE was used with an EAP-message attribute.
• Addresses an issue in prior v5.x.x releases where the running proxy stops responding to incoming RADIUS requests.
• Added the Microsoft Visual C++ 2015-2019 Redistributable to the Windows Authentication proxy installer to ensure all required DLLs are present on the target system.

Version 5.1.0 - November 4, 2020

• Adds the authproxyctl executable to Windows installations. This can be used to start or stop the Authentication Proxy from the command line, or show the version of the running proxy. When used to start the proxy, the output of the connectivity tool is shown in the command prompt window.
• The Windows installer now starts the Duo Authentication Proxy after a version upgrade if the service was running when the upgrade started.
• The Authentication Proxy's bundled OpenSSL has been updated to version 1.0.2w to address CVE-2020-1968.
• The connectivity tool now checks for newer versions of the Authentication Proxy.
• The default authproxy.cfg file installed on Windows no longer contains Unix line endings, so it may be edited with Notepad.
• Improved error messaging when unable to establish an SSL connection when using FIPS mode.
• Improved error messaging when a StartTLS connection can not be established for Directory Sync or Duo Single Sign-On (SSO).
• Improved error messaging for Directory Sync and Duo SSO when attempting to use the "Integrated" authentication type with a Linux Authentication Proxy.
• The minimum_tls_version option now accepts mixed-case values.
• The connectivity tool no longer incorrectly reports an error when pass_through_attr_names is used with [radius_client].
• Corrected an issue where SSL verification was disabled if an empty or invalid file was provided for ssl_ca_certs_file.
• An exception no longer occurs if a non-string username attribute is used with Duo SSO.
• RADIUS authentications no longer fail if some MPPE attributes are present but the Send Key and Receive Key are missing.
• Fixed a bug causing the Authentication Proxy to parse values in the configuration file as multi-line values if they were accidentally indented.
• Corrected an issue where installed files did not have the correct permissions on Linux.

Version 5.0.2 - September 28, 2020

• No longer adds Message-Authenticator to RADIUS packets where it was not already present.
• Fixed an issue preventing Authentication Proxy startup when using the pass_through_attr_names RADIUS setting. Note that the pass_through_attr_names and pass_through_all options are only valid when used with radius_client; specifying these parameters for RADIUS server sections that make use of ad_client or duo_only_client prevents the Authentication Proxy service from starting.

Version 5.0.1 - September 3, 2020

• Corrects an issue causing incorrect Message-Authenticator values when configured as a RADIUS pass-through attribute.

Version 5.0.0 - August 17, 2020

• The Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems.

  The installation file path has changed accordingly, from C:\Program Files (x86)\Duo Security Authentication Proxy in previous versions to C:\Program Files\Duo Security Authentication Proxy. If your authproxy.cfg file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination.

  This change has no effect on Authentication Proxy releases for Linux.

• Primary LDAP authentication with [ad_client] now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the auth_type=sspi option.
• Primary LDAP authentication with [ad_client] now supports LDAP Signing plus LDAP Encryption (also known as "Sign and Seal") for the ntlm2 and sspi authentication types when using CLEAR transport. Refer to the Duo KB article Does the Duo Authentication Proxy support "Sign and Seal"? for additional details.
• Extends LDAP channel binding support to NTLMv2 authentication.
• LDAP anonymous bind identification now conforms with LDAP RFC 4513.
• Now supports LDAP binds using samAccountName and Common Name CN style usernames, including for exempt_ou username to Distinguished Name DN match.
• The connectivity tool issues a warning when the [ad_client] authentication type is sspi (Windows integrated) and LDAP account username/password are also provided.
• Now consistently respects the order of the factors specified via the factors optional setting for [radius_server_auto] and [ldap_server_auto].
• RADIUS authentication now handles MPPE responses properly per RFC 2548.
• RADIUS authenticator and Message-Authenticator verification succeeds when a packet includes multiple non-adjacent attributes of the same type.
• Fixed an issue where incorrectly encoding attributes in RADIUS packets may have resulted in the Authentication Proxy failing to process further RADIUS packets, causing a Denial of Service (DoS) condition.
• Logging enhancements.

Version 4.0.2 - July 22, 2020

• Updated the embedded Python version to 3.8.4, to address Python CVE-2020-1552. We urge that customers running v4.0.0 or v4.0.1 upgrade to this version.
• This is the last 32-bit Authentication Proxy release.

Version 4.0.1 - June 10, 2020

• Fixed a bug where certain vendor-specific RADIUS attributes were not passed through correctly.
• The Authentication Proxy will not attempt to constantly connect to the Duo Single Sign-on service with expired credentials.
• Fixed a bug with binary LDAP attributes that caused certain authentications to fail.
• Fixed a bug that caused the Windows authproxy_passwd tool to fail for secrets containing the % character.
• The error output when the Authentication Proxy cannot start TLS encryption due to missing configuration is clearer.

Version 4.0.0 - May 11, 2020

• The Authentication Proxy is now packaged with and runs on Python 3.
• When installed on Windows, directory permissions restrict access to the conf directory to the built-in Administrators group.
• Improved directory sync performance when syncing large groups from Active Directory.
• Fixed a bug causing RADIUS authentications to fail for usernames with non-ASCII characters.
• Duo application ikey values are now properly captured in the authentication log during RADIUS authentication.

Version 3.2.4 - March 17, 2020

• Full support for unicode usernames and passwords when used for Duo Single Sign-On authentication to Active Directory.

Version 3.2.3 - March 10, 2020

• RADIUS Challenge responses now correctly include Proxy-State attribute values.

Version 3.2.2 - February 25, 2020

• Fixed a bug causing NTLM and SSPI authentications to fail in rare cases.
• Support for Windows Server 2008 R2 ended in January 2020. The minimum supported Windows version is Windows Server 2012. Future releases of the Authentication Proxy may not function on unsupported operating systems.

Version 3.2.1 - December 2019

• Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.

Version 3.2.0 - December 2019

• Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
• The primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
• Added support for LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
• Support additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
• Ignores service account credentials when using the "Integrated" (SSPI) authentication type for the Authentication Proxy's connection to your AD Authentication source to support Duo Single Sign-On. If provided in the [cloud] config for use with AD Sync, the service account credentials will be used to negotiate NTLM over SSPI.
• Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
• Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
• The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
• Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
• Bug fixes and enhancements to the connectivity tool.

Version 3.1.1 - September 2019

• Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.

Version 3.1.0 - July 2019

• New delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
• Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
• The authproxy_support tool reports the full path to the generated output file.
• Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
• Allows mixed-case values for the prompt, type, and failmode configuration settings.
• Logging of RADIUS and LDAP messages now contain the username.

Version 3.0.0 - March 2019

• Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
• Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
• Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
• Fixed a bug that prevent the authproxy_support tool from being run from in any directory.
• Fixed a bug that caused errors when clients connected and disconnected very quickly.
• Fixed small bugs in the connectivity tool configuration validation.

Version 2.14.0 - February 2019

• Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
• Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
• Improved logging during Active Directory or OpenLDAP directory synchronization.
• Introduced support for [http_proxy] sections to use a configured interface.

Version 2.13.0 - January 2019

• Colorized the output of the connectivity tool when run interactively for better readability.
• Improvements and additions to the connectivity tool configuration and validation checks, including validation of dependencies across sections.
• The connectivity tool now uses your configured http_proxy_host to test connections.
• Improved logging for security and debugging purposes.

Version 2.12.1 - January 2019

• Corrects an issue which prevented usage of unicode characters in the authproxy.cfg file.

Version 2.12.0 - January 2019

• Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
• OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
• Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
• The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
• FIPS mode for Windows and Linux.
• Corrected an issue with logins from authorized networks not bypassing 2FA.

Version 2.11.0 - November 2018

• Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
• The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
• Corrected an installation issue on Linux systems due to the PYTHON environment variable.
• Reworded fail mode result messages to improve logging consistency.

Version 2.10.1 - September 2018

• Corrected an installation issue on Linux systems.

Version 2.10.0 - September 2018

• Added a new flag to authproxy_passwd that allows you to encrypt all the passwords and secrets in the configuration at once.
• Fix bug in Authentication Proxy Connectivity Tool that caused us to report an incorrect time drift.
• Added 2fa factor used to the SIEM digestible log output (authevents.log).
• Simplified example content in the authproxy.cfg file shown at first use.

Version 2.9.0 - May 2018

• Introduced new connectivity troubleshooting tool.
• Python 2.7 now bundled with Authentication Proxy install.
• The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
• Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well.

Version 2.8.1 - March 2018

• Corrected issue with EAP and TLS 1.2 for NetMotion EAP clients.
• Released for Windows only.

Version 2.7.0 - December 2017

• Supports OpenSSL 1.1.0.
• New LDAP server option: allow_unlimited_binds.
• Additional bug fixes.

Version 2.6.0 - October 2017

• Password authentication for OpenLDAP and AD sync.
• Fixed bug that caused an authentication event to be logged twice in authevents.log.
• Additional bug fixes.

Version 2.5.4 - August 2017

• SIEM-consumable authentication event logging with new configuration option log_auth_events.
• Corrected ad_client host failover behavior when using ldap_server_auto.
• Additional bug fixes.

Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.

Version 2.4.21 - March 2017

• Linux logging fix
• Bug fixes

Version 2.4.20 - February 2017

• Bug fix for premature TLS disconnect

Version 2.4.19 - December 2016

• LDAPS bug fixes

Version 2.4.18 - December 2016

• Ease-of-use improvements to authproxy.cfg file
• Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
• RADIUS and LDAP bug fixes
• Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)

Version 2.4.17 - May 2016

• Enhanced authentication proxy configuration reporting to Duo
• Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)

Version 2.4.16 - May 2016

• Fixed handling of missing LDAP passwords (DUO-PSA-2016-001)

Version 2.4.15 - May 2016

• Debug logging to file obscures password information
• Improved handling of NTLM and UPN Active Directory authentication
• Improved handling of mixed format line endings in the config file
• Checks config file for duplicate sections at proxy start

Version 2.4.14.1 - February 2016

• Directory Sync and HTTP Proxy bug fixes

Version 2.4.14 - December 2015

• New LDAP server option: allow_searches_after_bind
• Updated EULA

Version 2.4.13 - November 2015

• Added support for proxying HTTPS traffic from Duo client applications: http_proxy

Version 2.4.12 - August 2015

• Updated to OpenSSL 1.0.1p
• Handling for Palo Alto Client-IP attribute

Version 2.4.11 - March 2015

• Updated to OpenSSL 1.0.1m

Version 2.4.10 - March 2015

• Updated to OpenSSL 1.0.1l
• LDAP enhancements and improved logging
• Fix proxy startup on Ubuntu LTS
• New RADIUS exemption option: exempt_username_1
• RADIUS client Message-Authenticator validation

Version 2.4.9 - February 2015

• Improved logging
• AD Sync improvements

Version 2.4.8 - November 2014

• AD Sync connection detection

Version 2.4.7 - November 2014

• Fixes for Linux hosts

Version 2.4.6 - October 2014

• Updated to OpenSSL 1.0.1j
• AD Sync performance enhancement

Version 2.4.5 - September 2014

• AD domain discovery feature in ad_client: domain_discovery
• AD Sync improvements

Version 2.4.4 - August 2014

• AD Sync improvements
• Fix LDAP filter extensions

Version 2.4.3 - July 2014

• Update ad_client time out logic
• RADIUS and LDAP bug fixes

Version 2.4.2 - June 2014

• Updated to OpenSSL 1.0.1h
• TLS v1.2 support
• HTTPS proxy support for AD Sync
• Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility