Authentication Proxy - Release Notes

Release notes for recent Authentication Proxy versions.

Version 3.0.0 - March 2019

  • Now defaults to TLS 1.2 when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]). Opt into a lower TLS version with the minimum_tls_version configuration option.
  • Now creates a new user (default name duo_authproxy_svc) during installation to run the proxy server on Linux.
  • Now creates a new group (default name duo_authproxy_grp) during installation on Linux. This group owns the /opt/duoauthproxy/log folder and all of its files.
  • Fixed a bug that prevented the authproxy_support tool from being run from any directory.
  • Fixed a bug that caused errors when clients connected and disconnected very quickly.
  • Fixed small bugs in the connectivity tool configuration validation.

Version 2.14.0 - February 2019

  • Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
  • Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
  • Improved logging during Active Directory or OpenLDAP directory synchronization.
  • Introduced support for [http_proxy] sections to use a configured interface.

Version 2.13.0 - January 2019

Version 2.12.1 - January 2019

  • Corrects an issue which prevented usage of unicode characters in the authproxy.cfg file.

Version 2.12.0 - January 2019

  • Introduces new configuration options minimum_tls_version and cipher_list for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server ([radius_server_eap] or [ldap_server_auto]).
  • OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
  • Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
  • The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
  • FIPS mode for Windows and Linux.
  • Corrected an issue with logins from authorized networks not bypassing 2FA.

Version 2.11.0 - November 2018

  • Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the LdapEnforceChannelBinding setting.
  • The connectivity troubleshooting tool now checks that the api_host in a [cloud] section is accessible.
  • Corrected an installation issue on Linux systems due to the PYTHON environment variable.
  • Reworded fail mode result messages to improve logging consistency.

Version 2.10.1 - September 2018

  • Corrected an installation issue on Linux systems.

Version 2.10.0 - September 2018

Version 2.9.0 - May 2018

  • Introduced new connectivity troubleshooting tool
  • Python 2.7 now bundled with Authentication Proxy install
  • The HTTP Proxy feature now accepts CIDR ranges as permitted client_ip values.
  • Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well

Version 2.8.1 - March 2018

Version 2.7.0 - December 2017

  • Supports OpenSSL 1.1.0
  • New LDAP server option: allow_unlimited_binds
  • Additional bug fixes

Version 2.6.0 - October 2017

This is the minimum required version for OpenLDAP sync and the minimum recommended version for AD sync.

  • Password authentication for OpenLDAP and AD sync
  • Fixed bug that caused an authentication event to be logged twice in authevents.log
  • Additional bug fixes

Version 2.5.4 - August 2017

  • SIEM-consumable authentication event logging with new configuration option log_auth_events
  • Corrected ad_client host failover behavior when using ldap_server_auto
  • Additional bug fixes

Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.

Version 2.4.21 - March 2017

  • Linux logging fix
  • Bug fixes

Version 2.4.20 - February 2017

  • Bug fix for premature TLS disconnect

Version 2.4.19 - December 2016

  • LDAPS bug fixes

Version 2.4.18 - December 2016

  • Ease-of-use improvements to authproxy.cfg file
  • Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
  • RADIUS and LDAP bug fixes
  • Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)

Version 2.4.17 - May 2016

  • Enhanced authentication proxy configuration reporting to Duo
  • Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)

Version 2.4.16 - May 2016

Version 2.4.15 - May 2016

  • Debug logging to file obscures password information
  • Improved handling of NTLM and UPN Active Directory authentication
  • Improved handling of mixed format line endings in the config file
  • Checks config file for duplicate sections at proxy start

Version 2.4.14.1 - February 2016

  • Directory Sync and HTTP Proxy bug fixes

Version 2.4.14 - December 2015

  • New LDAP server option: allow_searches_after_bind
  • Updated EULA

Version 2.4.13 - November 2015

Version 2.4.12 - August 2015

  • Updated to OpenSSL 1.0.1p
  • Handling for Palo Alto Client-IP attribute

Version 2.4.11 - March 2015

  • Updated to OpenSSL 1.0.1m

Version 2.4.10 - March 2015

  • Updated to OpenSSL 1.0.1l
  • LDAP enhancements and improved logging
  • Fix proxy startup on Ubuntu LTS
  • New RADIUS exemption option: exempt_username_1
  • RADIUS client Message-Authenticator validation

Version 2.4.9 - February 2015

This is the minimum required version for AD sync.

  • Improved logging
  • AD Sync improvements

Version 2.4.8 - November 2014

  • AD Sync connection detection

Version 2.4.7 - November 2014

  • Fixes for Linux hosts

Version 2.4.6 - October 2014

  • Updated to OpenSSL 1.0.1j
  • AD Sync performance enhancement

Version 2.4.5 - September 2014

  • AD domain discovery feature in ad_client: domain_discovery
  • AD Sync improvements

Version 2.4.4 - August 2014

  • AD Sync improvements
  • Fix LDAP filter extensions

Version 2.4.3 - July 2014

  • Update ad_client time out logic
  • RADIUS and LDAP bug fixes

Version 2.4.2 - June 2014

This is the minimum supported version.

  • Updated to OpenSSL 1.0.1h
  • TLS v1.2 support
  • HTTPS proxy support for AD Sync
  • Support for syslog forwarding (Linux/Unix only): log_file, log_syslog, syslog_facility
