Authentication Proxy - Release Notes

Download the current release from the Checksums and Downloads page.

We encourage all customers to regularly upgrade to the latest Duo Authentication Proxy release to receive feature and security updates.

Version 6.0.0 - June 7, 2023

• NTLM1 is disabled in FIPS mode, and deprecated in non-FIPS mode.
• Linux installer now supports ARM64/AARCH64 in addition to the existing AMD64/x64 support.
• Updated Cryptography to 40.0.2 to address CVE-2020-25659 and CVE-2020-36242.
• Updated OpenSSL to 3.1.1.
• Updated Python to 3.8.16 to address CVE-2022-26488, CVE-2016-3189, CVE-2019-12900, CVE-2018-25032, CVE-2020-10735, and CVE-2022-37454.

Version 5.8.1 - May 10, 2023

• Fixed an issue where SSO logins that timed out would be incorrectly interpreted as bad credentials.
• Fixed an issue where the configuration check would no longer incorrectly report a problem with the transport value of an ad_client section if ssl_verify_hostname is not specified.

Version 5.8.0 - February 15, 2023

• Removes git commit hashes from binaries and folder names.
• The authproxy_support script now honors the log_dir configured in [main] section of authproxy.cfg; --log-dir script argument removed.
• Sends a user's distinguishedName (DN) back to Duo Single Sign-On on a failed SSO AD authentication.
• Nested conf directories underneath the Authentication Proxy's conf directory are no longer valid (i.e. /opt/duoauthproxy/conf/conf/certs.crt).
• Fixed a bug causing Proxy-State to be duplicated in RADIUS responses.
• Updated to Twisted 22.4.0 to resolve CVE-2022-24801.
• Additional bug fixes and enhancements.

Version 5.7.4 - November 8, 2022

• Improved logging for LDAP timeouts.
• The Authentication Proxy Manager and connectivity tool now warn against use of 'clear' transport in ad_client with certificates specified.
• Removes the misleading no reply message in packet RADIUS error message to reduce confusion while troubleshooting authentication failures.
• No longer duplicates the proxy-state RADIUS attribute when both the RADIUS client and server configuration sections specify pass_through_all=true.
• The connectivity tool no longer exits prematurely when it fails to connect to a RADIUS server that is not running.
• Fixed an issue that could result in multiple redundant connections to the Duo SSO service in certain race conditions.

Version 5.7.3 - August 30, 2022

• Corrected an issue where the Authentication Proxy incorrectly included a reply message in EAP packets.

Version 5.7.2 - June 23, 2022

• Fixed an issue where make would not build the Authentication Proxy if TERM_PROGRAM was set on Linux.
• Removed extraneous dependencies.

Version 5.7.1 - May 26, 2022

• Updated to Python 3.8.12 to resolve CVE-2020-14422 and CVE-2021-29921.

Version 5.7.0 - May 9, 2022

• Twisted has been updated to include the fix for CVE-2022-21712.
• The Windows Authentication Proxy binaries are now all signed.
• Added LimitNOFILE option to the Linux Authentication Proxy systemd init script to maximize authentication performance.
• Fixed traceback when the last [cloud] section is invalid.

Version 5.6.1 - March 28, 2022

• OpenSSL has been updated to include the fix for CVE-2022-0778.
• The Authentication Proxy Manager now correctly recognizes error return codes for unparseable configuration files.
• The Authentication Proxy Manager now correctly recognizes api_host entries with multiple hyphens as valid.

Version 5.6.0 - February 14, 2022

• The Windows Authentication Proxy now ships with the Duo Authentication Proxy Manager. This tool allows for configuring the Authentication Proxy, validating the configuration, and starting or stopping the Authentication Proxy service.
• The authproxy_connectivity_tool now exits with code 2 if there were connectivity issues.
• The Linux Authentication Proxy installer now prompts the user to ask if the SELinux module should be installed if run interactively, and accepts --enable-selinux=yes|no at the command line.
• Fixed a bug causing the SELinux module installation to not work with custom installation directories.

Version 5.5.1 - January 19, 2022

• Introduced initial support for multiple Active Directory authentication sources with Duo Single Sign-On.
• An invalid [cloud] section in authproxy.cfg no longer interferes with other valid [cloud] configuration sections.
• Fixes an issue that caused the Authentication Proxy not to reconnect to Duo automatically for SSO and Directory Sync after a period of degraded network connectivity.
• The Linux installer correctly expands tilde characters in the install path.
• Mutes excessive tracebacks caused by rapidly opening and then closing incoming connections to ldap_server_auto configured with ad_client.
• The Linux installation script creates the necessary SELinux configuration (if appropriate) to allow start of the Authentication Proxy with systemd.

Version 5.5.0 - October 13, 2021

• Adds support for Duo Single Sign-On expired password resets.
• Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2x to address the NULL pointer dereference issue described in CVE-2020-1971.
• Verified on Windows Server 2022.

Version 5.4.1 - September 15, 2021

• Fixes a spurious "no service account username is provided" warning from the connectivity tool when using Windows integrated authentication (SSPI).
• Now reports the error code during SSPI negotiation failure.
• Strips leading or trailing whitespace from RADIUS usernames during radius_iframe authentications.
• Restricts access to the Authentication Proxy bin folder on Windows at installation.
• Upgrades a third-party library to address memory leaks during authentications.

Version 5.4.0 - July 22, 2021

• Now suppresses system restarts by the Microsoft Visual C++ Redistributable installer during Authentication Proxy installation on Windows.
• Improves the error messaging when user msds-principalname lookups fail.
• The configuration checking performed by the connectivity tool now reports common misconfigurations for service account and authentication type combinations.
• Improves the log messaging when the Authentication Proxy attempts to determine use of password and factor concatenation.
• Improves the error messaging when LDAP authentications fail because the service account bind failed.
• The SIEM logging output to authevents.log now includes the client section name whenever possible.
• The Windows-only password encryption utility now also decrypts previously-encrypted passwords in a configuration file.

Version 5.3.1 - July 7, 2021

• Corrects an issue running the connectivity tool on Windows while the Authentication Proxy itself was running.
• Fixes a condition that caused incorrectly-colored connectivity tool output.
• Updates the Authentication Proxy's Windows service error exit code from 1 to 575.

Version 5.3.0 - April 26, 2021

• Timestamps in authproxy.log output now show milliseconds.
• The authproxy_passwd tool now preserves comments when encrypting all passwords and secrets in the authproxy.cfg file with the --whole-config option.
• When security_group_dn is defined in an ad_client section, the connectivity tool confirms that an LDAP search for the group distinguished name returns a result.
• Fixes the connectivity tool's error detection for mismatched TLS certificate keypairs.
• When upgrading an existing install, the Authentication Proxy installer runs the connectivity tool to validate your configuration for correctness.

Version 5.2.2 - April 12, 2021

• Corrects logging message when SSL certificate and key did not match.
• RADIUS timeouts logging reports correct information about what servers have been contacted.
• The connectivity tool warning about RADIUS server availability is now displayed in yellow text.
• Adds a default timeout for ping calls during proxy connection issues to Duo.
• Suppresses error messages about quickly-terminated LDAP connections.

Version 5.2.1 - March 25, 2021

• Addresses an elevation of privilege vulnerability in the Duo Authentication Proxy for Windows installer which could allow an authenticated local attacker to overwrite files in privileged directories (CVE-2021-1492). The vulnerability was limited to the Windows installer only, and did not affect the application once installed. This vulnerability does not apply to any version of Duo Authentication Proxy for Linux.

Version 5.2.0 - February 2, 2021

• Adds support for multiple [cloud] sections, which enables a single Duo Authentication Proxy to service more than one Active Directory or OpenLDAP directory sync. Learn more.
• The connectivity tool now displays warnings in yellow.
• Improved error messaging when a User-Password attribute is missing in challenge response for radius_server_challenge.
• Corrected an issue preventing silent install on Windows.
• LDAP channel binding no longer fails when the server's certificate uses the RSASSA-PSS signature algorithm.
• Fixed a bug causing authentications to fail when using SMS as a second factor with radius_server_eap.
• Fixed a bug where local versions of Python packages interfered with Duo Authentication install on Linux.
• The connectivity tool now utilizes the configured HTTP proxy.
• Adds support for additional EAP and PEAP authentication methods like EAP-MSCHAPv2 in radius_server_auto.

Version 5.1.1 - November 23, 2020

• Fixed a bug causing MPPE key decryption to fail when MPPE was used with an EAP-message attribute.
• Addresses an issue in prior v5.x.x releases where the running proxy stops responding to incoming RADIUS requests.
• Added the Microsoft Visual C++ 2015-2019 Redistributable to the Windows Authentication proxy installer to ensure all required DLLs are present on the target system.

Version 5.1.0 - November 4, 2020

• Adds the authproxyctl executable to Windows installations. This can be used to start or stop the Authentication Proxy from the command line, or show the version of the running proxy. When used to start the proxy, the output of the connectivity tool is shown in the command prompt window.
• The Windows installer now starts the Duo Authentication Proxy after a version upgrade if the service was running when the upgrade started.
• Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2w to address CVE-2020-1968.
• The connectivity tool now checks for newer versions of the Authentication Proxy.
• The default authproxy.cfg file installed on Windows no longer contains Unix line endings, so it may be edited with Notepad.
• Improved error messaging when unable to establish an SSL connection when using FIPS mode.
• Improved error messaging when a StartTLS connection can not be established for Directory Sync or Duo Single Sign-On (SSO).
• Improved error messaging for Directory Sync and Duo SSO when attempting to use the "Integrated" authentication type with a Linux Authentication Proxy.
• The minimum_tls_version option now accepts mixed-case values.
• The connectivity tool no longer incorrectly reports an error when pass_through_attr_names is used with [radius_client].
• Corrected an issue where SSL verification was disabled if an empty or invalid file was provided for ssl_ca_certs_file.
• An exception no longer occurs if a non-string username attribute is used with Duo SSO.
• RADIUS authentications no longer fail if some MPPE attributes are present but the Send Key and Receive Key are missing.
• Fixed a bug causing the Authentication Proxy to parse values in the configuration file as multi-line values if they were accidentally indented.
• Corrected an issue where installed files did not have the correct permissions on Linux.

Version 5.0.2 - September 28, 2020

• No longer adds Message-Authenticator to RADIUS packets where it was not already present.
• Fixed an issue preventing Authentication Proxy startup when using the pass_through_attr_names RADIUS setting. Note that the pass_through_attr_names and pass_through_all options are only valid when used with radius_client; specifying these parameters for RADIUS server sections that make use of ad_client or duo_only_client prevents the Authentication Proxy service from starting.

Version 5.0.1 - September 3, 2020

• Corrects an issue causing incorrect Message-Authenticator values when configured as a RADIUS pass-through attribute.

Version 5.0.0 - August 17, 2020

• The Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems.

  The installation file path has changed accordingly, from C:\Program Files (x86)\Duo Security Authentication Proxy in previous versions to C:\Program Files\Duo Security Authentication Proxy. If your authproxy.cfg file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination.

  This change has no effect on Authentication Proxy releases for Linux.

• Primary LDAP authentication with [ad_client] now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the auth_type=sspi option.

• Primary LDAP authentication with [ad_client] now supports LDAP Signing plus LDAP Encryption (also known as "Sign and Seal") for the ntlm2 and sspi authentication types when using CLEAR transport. Refer to the Duo KB article Does the Duo Authentication Proxy support "Sign and Seal"? for additional details.

• Extends LDAP channel binding support to NTLMv2 authentication.

• LDAP anonymous bind identification now conforms with LDAP RFC 4513.

• Now supports LDAP binds using samAccountName and Common Name CN style usernames, including for exempt_ou username to Distinguished Name DN match.

• The connectivity tool issues a warning when the [ad_client] authentication type is sspi (Windows integrated) and LDAP account username/password are also provided.

• Now consistently respects the order of the factors specified via the factors optional setting for [radius_server_auto] and [ldap_server_auto].

• RADIUS authentication now handles MPPE responses properly per RFC 2548.

• RADIUS authenticator and Message-Authenticator verification succeeds when a packet includes multiple non-adjacent attributes of the same type.

• Fixed an issue where incorrectly encoding attributes in RADIUS packets may have resulted in the Authentication Proxy failing to process further RADIUS packets, causing a Denial of Service (DoS) condition.

• Logging enhancements.

Version 4.0.2 - July 22, 2020

• Updated the embedded Python version to 3.8.4, to address Python CVE-2020-1552. We urge that customers running v4.0.0 or v4.0.1 upgrade to this version.
• This is the last 32-bit Authentication Proxy release.

Version 4.0.1 - June 10, 2020

• Fixed a bug where certain vendor-specific RADIUS attributes were not passed through correctly.
• The Authentication Proxy will not attempt to constantly connect to the Duo Single Sign-on service with expired credentials.
• Fixed a bug with binary LDAP attributes that caused certain authentications to fail.
• Fixed a bug that caused the Windows authproxy_passwd tool to fail for secrets containing the % character.
• The error output when the Authentication Proxy cannot start TLS encryption due to missing configuration is clearer.

Version 4.0.0 - May 11, 2020

• The Authentication Proxy is now packaged with and runs on Python 3.
• When installed on Windows, directory permissions restrict access to the conf directory to the built-in Administrators group.
• Improved directory sync performance when syncing large groups from Active Directory.
• Fixed a bug causing RADIUS authentications to fail for usernames with non-ASCII characters.
• Duo application ikey values are now properly captured in the authentication log during RADIUS authentication.

Version 3.2.4 - March 17, 2020

• Full support for unicode usernames and passwords when used for Duo Single Sign-On authentication to Active Directory.

Version 3.2.3 - March 10, 2020

• RADIUS Challenge responses now correctly include Proxy-State attribute values.

Version 3.2.2 - February 25, 2020

• Fixed a bug causing NTLM and SSPI authentications to fail in rare cases.
• Support for Windows Server 2008 R2 ended in January 2020. The minimum supported Windows version is Windows Server 2012. Future releases of the Authentication Proxy may not function on unsupported operating systems.

Version 3.2.1 - December 2019

• Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.

Version 3.2.0 - December 2019

• Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
• The primarygroup is now checked when determining if an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
• Added support for LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
• Support additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
• Ignores service account credentials when using the "Integrated" (SSPI) authentication type for the Authentication Proxy's connection to your AD Authentication source to support Duo Single Sign-On. If provided in the [cloud] config for use with AD Sync, the service account credentials will be used to negotiate NTLM over SSPI.
• Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
• Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
• The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
• Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
• Bug fixes and enhancements to the connectivity tool.

Version 3.1.1 - September 2019

• Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.

Version 3.1.0 - July 2019

• New delimited_password_length optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
• Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
• The authproxy_support tool reports the full path to the generated output file.
• Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
• Allows mixed-case values for the prompt, type, and failmode configuration settings.
• Logging of RADIUS and LDAP messages now contain the username.

Version 3.0.0 - March 2019

• Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
• Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
• Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
• Fixed a bug that prevent the authproxy_support tool from being run from in any directory.
• Fixed a bug that caused errors when clients connected and disconnected very quickly.
• Fixed small bugs in the connectivity tool configuration validation.

Version 2.14.0 - February 2019

• Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
• Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
• Improved logging during Active Directory or OpenLDAP directory synchronization.
• Introduced support for [http_proxy] sections to use a configured interface.

Version 2.13.0 - January 2019

• Colorized the output of the connectivity tool when run interactively for better readability.
• Improvements and additions to the connectivity tool configuration and validation checks, including validation of dependencies across sections.
• The connectivity tool now uses your configured http_proxy_host to test connections.
• Improved logging for security and debugging purposes.

Version 2.12.1 - January 2019

• Corrects an issue which prevented usage of unicode characters in the authproxy.cfg file.

Version 2.12.0 - January 2019

• Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
• OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
• Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
• The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
• FIPS mode for Windows and Linux.
• Corrected an issue with logins from authorized networks not bypassing 2FA.

Version 2.11.0 - November 2018

• Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
• The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
• Corrected an installation issue on Linux systems due to the PYTHON environment variable.
• Reworded fail mode result messages to improve logging consistency.

Version 2.10.1 - September 2018

• Corrected an installation issue on Linux systems.

Version 2.10.0 - September 2018

• Added a new flag to authproxy_passwd that allows you to encrypt all the passwords and secrets in the configuration at once.
• Fix bug in Authentication Proxy Connectivity Tool that caused us to report an incorrect time drift.
• Added 2fa factor used to the SIEM digestible log output (authevents.log).
• Simplified example content in the authproxy.cfg file shown at first use.

Version 2.9.0 - May 2018

• Introduced new connectivity troubleshooting tool.
• Python 2.7 now bundled with Authentication Proxy install.
• The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
• Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well.

Version 2.8.1 - March 2018

• Corrected issue with EAP and TLS 1.2 for NetMotion EAP clients.
• Released for Windows only.

Version 2.7.0 - December 2017

• Supports OpenSSL 1.1.0.
• New LDAP server option: allow_unlimited_binds.
• Additional bug fixes.

Version 2.6.0 - October 2017

• Password authentication for OpenLDAP and AD sync.
• Fixed bug that caused an authentication event to be logged twice in authevents.log.
• Additional bug fixes.

Version 2.5.4 - August 2017

• SIEM-consumable authentication event logging with new configuration option log_auth_events.
• Corrected ad_client host failover behavior when using ldap_server_auto.
• Additional bug fixes.

Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.

Version 2.4.21 - March 2017

• Linux logging fix
• Bug fixes

Version 2.4.20 - February 2017

• Bug fix for premature TLS disconnect

Version 2.4.19 - December 2016

• LDAPS bug fixes

Version 2.4.18 - December 2016

• Ease-of-use improvements to authproxy.cfg file
• Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
• RADIUS and LDAP bug fixes
• Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)

Version 2.4.17 - May 2016

• Enhanced authentication proxy configuration reporting to Duo
• Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)

Version 2.4.16 - May 2016

• Fixed handling of missing LDAP passwords (DUO-PSA-2016-001)

Version 2.4.15 - May 2016

• Debug logging to file obscures password information
• Improved handling of NTLM and UPN Active Directory authentication
• Improved handling of mixed format line endings in the config file
• Checks config file for duplicate sections at proxy start

Version 2.4.14.1 - February 2016

• Directory Sync and HTTP Proxy bug fixes

Version 2.4.14 - December 2015

• New LDAP server option: allow_searches_after_bind
• Updated EULA

Version 2.4.13 - November 2015

• Added support for proxying HTTPS traffic from Duo client applications: http_proxy

Version 2.4.12 - August 2015

• Updated to OpenSSL 1.0.1p
• Handling for Palo Alto Client-IP attribute

Version 2.4.11 - March 2015

• Updated to OpenSSL 1.0.1m

Version 2.4.10 - March 2015

• Updated to OpenSSL 1.0.1l
• LDAP enhancements and improved logging
• Fix proxy startup on Ubuntu LTS
• New RADIUS exemption option: exempt_username_1
• RADIUS client Message-Authenticator validation

Version 2.4.9 - February 2015

• Improved logging
• AD Sync improvements

Version 2.4.8 - November 2014

• AD Sync connection detection

Version 2.4.7 - November 2014

• Fixes for Linux hosts

Version 2.4.6 - October 2014

• Updated to OpenSSL 1.0.1j
• AD Sync performance enhancement

Version 2.4.5 - September 2014

• AD domain discovery feature in ad_client: domain_discovery
• AD Sync improvements

Version 2.4.4 - August 2014

• AD Sync improvements
• Fix LDAP filter extensions

Version 2.4.3 - July 2014

• Update ad_client time out logic
• RADIUS and LDAP bug fixes

Version 2.4.2 - June 2014

• Updated to OpenSSL 1.0.1h
• TLS 1.2 support
• HTTPS proxy support for AD Sync
• Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility