
Authentication Proxy - Reference

Many of Duo's application integrations do not require any local components. However, certain services do require a local Authentication Proxy service. This document contains a comprehensive reference of configuration options available for the proxy.

Note

Quick-start guides for installing and configuring the proxy can be found in each of the specific application documentation pages (e.g. Palo Alto, Citrix Netscaler, or F5) and the generic instructions for RADIUS or LDAP. We recommend starting there, or with the Authentication Proxy Overview, and then using this page if you need advanced configuration options to support your device or service.

Installation

New Proxy Install

Locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems (in particular, we recommend Windows Server 2012 R2 or later, Red Hat Enterprise Linux 6 or later, CentOS 6 or later, or Debian 6 or later).

The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).

Windows:

  1. Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe. Note that the actual filename will reflect the version e.g. duoauthproxy-2.6.0.exe.
  2. Launch the Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.

Linux:

  1. Ensure that OpenSSL, Python 2.6 or 2.7 (including development headers and libraries), and a compiler toolchain are installed. On most recent RPM-based distributions — like Fedora, RedHat Enterprise, and CentOS — you can install these by running (as root):

    $ yum install gcc make openssl-devel python-devel libffi-devel

    On Debian-derived systems, install these dependencies by running (as root):

    $ apt-get install build-essential libssl-dev python-dev libffi-dev

    To ensure that your Python version will work with the Authentication Proxy, run:

    $ python --version

    If the output does not say "Python 2.6.x" or "Python 2.7.x", note that many distributions can support multiple versions of Python simultaneously. If your default Python installation is not a supported version, try replacing "python" in the above command with "python2.6" or "python2.7". If neither of these works, you will need to install a supported version of Python. You may need to search additional repositories for your distribution (e.g. for CentOS or Red Hat Enterprise Linux, Extra Packages for Enterprise Linux), or build Python from source.

  2. Download the most recent Authentication Proxy for Unix from https://dl.duosecurity.com/duoauthproxy-latest-src.tgz. Depending on your download method, the actual filename may reflect the version e.g. duoauthproxy-2.6.0-src.tgz.

  3. Extract the Authentication Proxy files and build it as follows:

    $ tar xzf duoauthproxy-latest-src.tgz
    $ cd duoauthproxy-version-src
    $ export PYTHON=python_command
    $ make
    Where python_command is the command to run a Python 2.6 or Python 2.7 interpreter (e.g. "python", "python2.6", "python2.7").
  4. Install the authentication proxy (as root):

    $ cd duoauthproxy-build
    $ ./install

    Follow the prompts to complete the installation.

If you ever need to uninstall the proxy, run /opt/duoauthproxy/uninstall.

You need to add your authentication and application information to the default configuration file before you can start the Duo Authentication Proxy service.

Upgrading the Proxy

To upgrade the Duo Authentication Proxy, simply download the most recent version and install over your currently running version. The installer preserves your current configuration and log files when upgrading to the latest release. If you would like to make a backup copy before running the upgrade the relevant directories are:

OS Path
Windows 64-bit C:\Program Files (x86)\Duo Security Authentication Proxy\log
-and-
C:\Program Files (x86)\Duo Security Authentication Proxy\conf
Windows 32-bit C:\Program Files\Duo Security Authentication Proxy\log
-and-
C:\Program Files\Duo Security Authentication Proxy\conf
Linux /opt/duoauthproxy/conf
-and-
/opt/duoauthproxy/log
Windows:

  1. Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe. Note that the actual filename will reflect the version e.g. duoauthproxy-2.6.0.exe.
  2. Launch the Authentication Proxy installer as a user with administrator rights (close the Event Viewer first if you have it open) and follow the prompts to update your existing Authentication Proxy software. The upgrade retains the conf and log folders and contents from your current installation.

    If you previously changed the properties of the "Duo Security Authentication Proxy Service" to run as a named domain account, be aware that the service will revert to running as "Local System" after the upgrade. Repeat the process to change the service back to using a named domain service account before starting the service.

  3. Start the Authentication Proxy service. From an administrator command prompt run:

    net start duoauthproxy
    

    Or, open the "Services" console (services.msc), locate the "Duo Security Authentication Proxy Service" in the list of services and click on it to select, and then click the start button.

Linux:

  1. Download the most recent Authentication Proxy for Unix from https://dl.duosecurity.com/duoauthproxy-latest-src.tgz. Depending on your download method, the actual filename may reflect the version e.g. duoauthproxy-2.6.0-src.tgz.
  2. The most recent Authentication Proxy version may have additional prerequisites beyond those installed for your current running version. On most recent RPM-based distributions — like Fedora, RedHat Enterprise, and CentOS — you can install (or verify the presence of) these by running (as root):

    $ yum install gcc make openssl-devel python-devel libffi-devel
    

    On Debian-derived systems, install these dependencies by running (as root):

    $ apt-get install build-essential libssl-dev python-dev libffi-dev
    
  3. Extract the Authentication Proxy files

    tar xzf duoauthproxy-latest-src.tgz
    

    and change directory to the extracted source

    cd duoauthproxy-2.6.0-src
    
  4. Set the PYTHON environment variable to the command used to run a Python 2.6 or 2.7 interpreter, i.e. python, python2.6, python2.7, etc.

    export PYTHON=python
    
  5. Run make to build the Authentication Proxy installer.
  6. Change directory to the newly built installer

    cd duoauthproxy-build
    

    and run the installer

    ./install
    
  7. Follow the installation prompts to update your existing Authentication Proxy software. The upgrade retains the conf and log folders and contents from your current installation.
  8. Start the new Authentication Proxy service

    /opt/duoauthproxy/bin/authproxyctl start
    

Configuration

The Duo Authentication Proxy configuration file is named authproxy.cfg, and located in the 'conf' subdirectory of the proxy installation. For example, the default install location for the proxy on a Windows Server 2008 R2 x64 is 'C:\Program Files (x86)\Duo Security Authentication Proxy', so the path to the configuration file will be:

C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg

The configuration file is formatted as a simple 'INI' file. Section headings appear as:

[section]

Individual properties beneath a section appear as:

name=value

Section headings and section specific parameters should be lowercase.

All relative paths specified in the configuration file are resolved relative to the root proxy installation directory. For example, the default value for the main section's 'log_dir' configuration option is 'log' (as documented below). Given a default install location on Windows Server 2008 R2 x64, the log directory is located at:

C:\Program Files (x86)\Duo Security Authentication Proxy\log

If you modify your authproxy.cfg configuration, you'll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.

Encrypting Passwords

When running the Authentication Proxy on Windows, you may use encrypted alternatives for service account passwords, RADIUS secrets, and your Duo secret key if you do not want to store them as plain text. Use the authproxy_passwd.exe program, which can be found in the bin directory of your Authentication Proxy installation.

c:\>"C:\Program Files (x86)\Duo Security Authentication Proxy\bin\authproxy_passwd.exe"
Password:
Re-enter password:
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA5hII/4JlnEeB5xMBzB5D/wQAAAAeAAAAdwBpAG4AMwAyAGMAcgB5AHAAd
ABvAC4AcAB5AAAAA2YAAMAAAAAQAAAA5AHAAdABvAC4AcAB5AAAAA2YAAMAAAAAQAAAASApm6tif+wDKj+Rt0UtQ9
QAAAAAEgAlnEeB5xMBzB5D/wQAAAAeAAAAdwBpAG4AMwAyAGMAcgB5AHAAdABvQ8M7voQmwOOxqv91QmJs9QAAAAA
EgAAAoAAAABAAAACxWVslLxrlFOunUUeq+kg1CAAAAPFj+oygch2RFAAAAD9HgbRonCsy/GNx4M9FxSq/KJCq

Copy and paste the output into your configuration file and remove any line breaks. You may find it easier to redirect the command output to a file and then open the file in Notepad.

Note

The encrypted password or secret is specific to the server where it was generated, and will not work if copied to a different machine. If you have multiple Authentication Proxy servers, be sure to run authproxy_passwd.exe separately on each one.

When using encrypted passwords or secrets, use the "protected" version of the parameter:

Instead of... Use...
service_account_password service_account_password_protected
secret secret_protected
radius_secret_1, radius_secret_2, etc. radius_secret_protected_1, radius_secret_protected_2, etc.
skey skey_protected

Main Section

The [main] section is optional. It can be used to specify some global options, all of which are optional:

debug

Enable debug logging.

Default: 'false'

log_dir

Directory in which to store log files.

Default: "log"

log_auth_events

Output SIEM-consumable authentication events to an 'authevents.log' file located in the log_dir directory.

Default: 'false'

log_max_files

Maximum number of log files to keep. If this is set to a value greater than 1, then when the current 'authproxy.log' or 'authevents.log' log file reaches log_max_size, the proxy rotates the existing file out by renaming it 'authproxy.log.1' or 'authevents.log.1' (the existing '.log.1' becomes '.log.2', and so on; the oldest log file gets discarded), then starts logging to a new, empty 'authproxy.log' or 'authevents.log' file.

Default: 6

log_max_size

Maximum file size of an individual 'authproxy' or 'authevents' log file, in bytes.

Default: 10485760 (10 megabytes)

log_file

Log to the log file specified during installation. Note: if log_file, log_stdout, and log_syslog are all false, then logs will be sent to the log file. As a result, if nothing is specified in the main section, logging to the log file will occur by default. Supported in version 2.4.2 or later.

Default: 'false'

log_stdout

Log to stdout. If log_auth_events is enabled, the SIEM-consumable event entries do not redirect to stdout.

Default: 'false'

log_syslog

Log to syslog. Only available for Unix systems. Supported in version 2.4.2 or later. If log_auth_events is enabled, the SIEM-consumable event entries do not redirect to syslog.

Default: 'false'

syslog_facility

The syslog_facility option sets the default facility for syslog messages that do not have a facility explicitly encoded. Only available for Unix systems. Supported in version 2.4.2 or later.

Default: LOG_USER

http_ca_certs_file

Location of ca-bundle.crt file.

Default: conf/ca-bundle.crt

interface

The IP address of the interface which Duo Authentication Proxy binds to.

Default: listen on all interfaces

http_proxy_host

Hostname or IP address of an HTTP proxy. If set, it will be used for communicating with Duo Security's service. The proxy must support the HTTP CONNECT method.

Default: do not use a proxy

http_proxy_port

Port to connect to on http_proxy_host.

Default: '80'

Example:

[main]
debug=true
log_max_files=10
log_max_size=20971520

Client Sections

You will need to include one or more of the following configuration sections. To configure more than one client configuration of the same type, append a number to the section name e.g. [ad_client2].

Client section headings should be lowercase.

ad_client

Add an [ad_client] section if you'd like to use an Active Directory domain controller to perform primary authentication. This section accepts the following options:

Required

host The hostname or IP address of your domain controller.
service_account_username The username of an account that has permission to read from your Active Directory database. We recommend creating a service account that has read-only access.
service_account_password

The password corresponding to service_account_username.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use service_account_password_protected instead.

search_dn

The LDAP distinguished name (DN) of an Active Directory container or organizational unit (OU) containing all of the users you wish to permit to log in. For example:

search_dn=DC=example,DC=com

Optional

host_2 The hostname or IP address of a secondary/fallback domain controller. You can add additional domain controllers as host_3, host_4, etc.
security_group_dn

To further restrict access, specify the LDAP distinguished name (DN) of a security group that contains the users who should be able to log in. Other users will not pass primary authentication. For example:

security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
Do not specify the DN of a group which is any user's AD primary group: primary group membership is not recorded in a user's memberOf attribute, so those users would not be matched.
ldap_filter

Only users who match this LDAP filter will be permitted to log in. The filters should use standard LDAP filter syntax. Abbreviated example:

(|(memberOf=CN=Admin,CN=...)(memberOf=CN=VPN,CN=...))

If ldap_filter and security_group_dn are both set, users must match both in order to authenticate.

transport

This option can be used to enable SSL/TLS communication with your Active Directory server. The available options are:

"clear" Do not use SSL or TLS. (Default)
"ldaps" Wrap the entire LDAP connection in SSL. Unless you specify a custom port, this will cause the proxy to contact your Active Directory server on port 636 rather than 389.
"starttls" Open an unencrypted connection (to port 389, by default), but immediately send a "StartTLS" request to the Active Directory server.

The proxy defaults to "clear" communication because not all Active Directory server configurations will support SSL/TLS out-of-the-box. To enable either "ldaps" or "starttls", your Active Directory server must be configured with an SSL certificate, otherwise attempts to establish secure connections will fail.

If your Active Directory server is configured with an SSL certificate, we do recommend you select a choice other than "clear". (There should be little practical difference between "ldaps" and "starttls", except the port number used.) If you do, you should also specify a value for the ssl_ca_certs_file option; without it the proxy does not validate the server's certificate.

timeout

The maximum number of seconds the Authentication Proxy should wait before aborting a connection attempt to a domain controller and attempting to connect to the next fallback host (or returning an authentication failure if no more fallback hosts remain).

Default: 10

ssl_ca_certs_file

Path to a file containing the CA certificate(s) to be used to validate SSL/TLS connections to your Active Directory server. If you enable SSL/TLS connections to your Active Directory server, you should specify a value for this option. Certificates should be PEM-formatted.

By default, no certificate validation will be performed. In that case any certificate presented by whoever answers on the configured host is accepted, which significantly compromises the security properties offered by SSL/TLS.

To obtain the CA certificate(s), view your AD domain controller's SSL certificate in the Local Computer's store using the Certificates MMC snap-in and click on the "Certification Path" tab. For each CA listed above the DC's certificate you'll need to select the certificate, click View Certificate, click the "Details" tab of the CA certificate, and click Copy to File. Use the Certificate Export Wizard to save the CA certificate as Base-64 encoded X.509.

ssl_verify_hostname

If set to "true", then when establishing an SSL/TLS connection to the Active Directory server, the proxy will ensure that the common name in the server-provided certificate matches the value specified in the host option.

If your Active Directory server uses a certificate with an incorrect common name, you may need to set this option to "false". However, this will somewhat reduce the security guarantees otherwise provided by the use of TLS/SSL.

Default: "true"

auth_type The authentication protocol to use with the Active Directory server. The available options are:
"ntlm2" Microsoft NTLM, version 2.
"ntlm1" Microsoft NTLM, version 1. Note that this protocol is considered insecure, and should not be used without enabling transport-layer security (see transport, above).
"plain" Plain LDAP authentication. This option should not be used without enabling transport-layer security (see 'transport', above). In addition, it requires that you specify a value for the bind_dn option.

Default: "ntlm2"

bind_dn

The full LDAP distinguished name of an account permitted to read from the Active Directory database. Typically, this would be the distinguished name of the user specified in service_account_username.

This option is required if auth_type is set to "plain".

ntlm_domain

Domain to provide when performing NTLM authentication. In most configurations, it should not be necessary to specify a value for this.

By default, the proxy will not specify a Domain.

ntlm_workstation

A workstation name to specify (identifying the proxy) when performing NTLM authentication. In most configurations, it should not be necessary to specify a value for this. By default, the proxy will not specify a workstation name.

port

Port on which to contact the domain controller. By default, port 636 will be used for LDAPS connections, and port 389 will be used for all others. Specify the Global Catalog port (e.g. 3268) to search a multi-domain forest.

username_attribute

LDAP attribute found on a user entry which contains the username to be sent to Duo during an authentication request. In most configurations, it should not be necessary to change this option from the default value.

Default: "sAMAccountName"

at_attribute

If a user logs in with a username containing an @ symbol, the proxy defaults to searching the userPrincipalName attribute for a match. If username_attribute is set to an LDAP attribute other than userPrincipalName whose values contain the @ symbol (such as mail), set this option to the same attribute used for username_attribute.

Default: "userPrincipalName"

Basic example:

[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com

TLS-secured example:

[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf\example_com_ca.pem

In the second example, place example_com_ca.pem into the "conf" subdirectory of your Authentication Proxy installation.
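The options above interact: "clear" transport, a TLS transport without ssl_ca_certs_file, ssl_verify_hostname=false, and ntlm1 or plain over clear text each weaken the primary-authentication leg in a different way. The following Python script is an added example, not part of the Duo Authentication Proxy or its documentation, that reads an authproxy.cfg-style file with the standard configparser module and reports those combinations for every [ad_client*] section. The embedded configuration is constructed for the example, and the severity labels and message wording are the script's own.

```python
import configparser

# Constructed sample configuration (not from a real deployment): the first
# section is weak on purpose, the second is the hardened form.
SAMPLE_CFG = """\
[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
transport=ldaps
ssl_verify_hostname=false
auth_type=plain

[ad_client2]
host=dc1.example.com
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
transport=starttls
ssl_ca_certs_file=conf/example_com_ca.pem
"""

REQUIRED = ("host", "service_account_username", "search_dn")


def load_config(text):
    """Parse authproxy.cfg text; interpolation is off so '%' in a secret stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_ad_client(cp, section):
    """Return (severity, message) findings for one [ad_client*] section."""
    opts = dict(cp.items(section))
    findings = []
    if section != section.lower():
        findings.append(("error", "section name must be lowercase"))
    for name in REQUIRED:
        if name not in opts:
            findings.append(("error", f"missing required option {name}"))
    if "service_account_password" not in opts and "service_account_password_protected" not in opts:
        findings.append(("error", "missing service_account_password or service_account_password_protected"))

    transport = opts.get("transport", "clear").lower()
    tls = transport in ("ldaps", "starttls")
    if transport == "clear":
        findings.append(("warn", "transport=clear: service account credentials and directory data cross the network unencrypted"))
    elif not tls:
        findings.append(("error", f"unknown transport {transport!r}"))
    if tls and "ssl_ca_certs_file" not in opts:
        findings.append(("warn", "TLS enabled without ssl_ca_certs_file: the domain controller's certificate is not validated"))
    if tls and opts.get("ssl_verify_hostname", "true").lower() == "false":
        findings.append(("warn", "ssl_verify_hostname=false: certificate name is not checked against host"))

    auth_type = opts.get("auth_type", "ntlm2").lower()
    if auth_type in ("ntlm1", "plain") and not tls:
        findings.append(("warn", f"auth_type={auth_type} without a TLS transport"))
    if auth_type == "plain" and "bind_dn" not in opts:
        findings.append(("error", "auth_type=plain requires bind_dn"))
    return findings


def lint_all(text):
    """Map every ad_client section name (any case, so the case check can fire) to its findings."""
    cp = load_config(text)
    return {s: lint_ad_client(cp, s) for s in cp.sections() if s.lower().startswith("ad_client")}


if __name__ == "__main__":
    for section, findings in lint_all(SAMPLE_CFG).items():
        print(f"[{section}]")
        for severity, message in findings or [("ok", "no findings")]:
            print(f"  {severity}: {message}")
```

Run it against a real conf\authproxy.cfg by passing the file contents to lint_all; the first sample section produces three findings (no CA bundle, hostname check disabled, plain bind without bind_dn) and the second produces none.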

radius_client

Use [radius_client] when the Authentication Proxy contacts another RADIUS server (like Microsoft NPS or Cisco ACS) to perform primary authentication. This section accepts the following options:

Required

host IP address of RADIUS server. You can add backup servers with host_2, host_3, etc.
secret

RADIUS secret shared between the proxy and the primary authentication server. If you add more than one RADIUS server (host, host_2, etc.) they all must use the same shared secret setting.

If you're on Windows and would like to encrypt this secret, see Encrypting Passwords and use secret_protected instead.

Optional

port The authentication port on your RADIUS server. By default, the proxy will attempt to contact your RADIUS server on port 1812. Use port_2, port_3, etc. to specify ports for the backup servers.
retries Number of retries to attempt before considering an authentication attempt to have failed. Default: 3
retry_wait Number of seconds to wait between retry attempts. Default: 2
nas_ip IP address to provide to the primary authentication server in the "NAS-IP-Address" attribute. By default, the proxy will attempt to determine its own IP address and use that.
pass_through_attr_names Comma-separated list of additional RADIUS attributes to copy from the primary authentication server's response into the response sent to the device integrating with the Authentication Proxy when authentication is accepted. By default, the proxy will create a new Accept message without passing through any attributes.
pass_through_all If this option is set to "true", all RADIUS attributes set by the primary authentication server will be copied into RADIUS responses sent by the proxy. Default: "false"

For example:

[radius_client]
host=1.2.3.4
secret=thisisaradiussecret

duo_only_client

If your device supports separate configurations for primary and secondary authentication, you can use the Authentication Proxy for the secondary authentication and let your device handle primary authentication independently. To achieve this, add a new section called [duo_only_client] to your config file. This section has no additional properties to configure.

[duo_only_client]

Server Sections

Depending on which type of application you're configuring, you will need to include one or more of the following configuration sections. Each has a different impact on the end-user authentication experience.

  • RADIUS Auto
    The user's device and factor are automatically selected for each login. Users can also use the "passcode,factor" format to specify an alternate device and/or factor. This mode is recommended for most applications, and is compatible with almost all systems that support RADIUS authentication.
  • RADIUS iFrame
    Users will see a web-based authentication prompt. This mode is only available on supported devices, like Array, Citrix, and F5 SSL VPNs.
  • RADIUS Challenge
    Users will be presented with a textual challenge after entering their existing passwords. Note that not all systems supporting RADIUS authentication can support RADIUS challenges. However, for systems that do support challenges, this offers a cleaner and more flexible integration than RADIUS Concat (described next). Note: In most cases, we recommend RADIUS Auto instead of RADIUS Challenge.
  • RADIUS Concat
    Users will append a Duo passcode to their existing passwords. This mode should be compatible with almost any system that supports RADIUS authentication using the PAP mechanism. Note: In most cases, we recommend RADIUS Auto instead of RADIUS Concat.
  • RADIUS Duo Only
    Use a RADIUS integration which does not handle primary authentication credentials. The user's passcode or factor choice, encrypted using the PAP mechanism, is submitted for the RADIUS password.
  • LDAP Auto
    The factor is automatically selected for each login, instead of prompting the user. Users can also use the "passcode,factor" format to specify an alternate device and/or factor.

Multiple server configurations can be used by appending a number onto the end of the section name (e.g. [radius_server_auto1], [radius_server_auto2], etc.). Incoming requests will be filtered to a given server configuration based on the IPs set in radius_ip_x in each server section.

RADIUS Auto

The user's device and factor are automatically selected for each login. This mode is compatible with almost all systems that support RADIUS authentication, including mechanisms like EAP. MSCHAP-v2 is supported when the client mechanism is radius_client.

  • If the password is encrypted with PAP: users may append a factor name or passcode after their existing passwords.
  • If there is no Duo factor appended or the password is encrypted with EAP: the factor is selected based on Duo's recommendation or the administrator's preferences.
  • If the password was encrypted with PAP and the administrator enables passcodes: the user may be prompted for a passcode with a RADIUS challenge. Otherwise, no RADIUS challenges are issued and only out-of-band factors (as opposed to token or passcode based authentication) are supported.
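The three cases above hinge on how an append-mode password is split. The following Python is an added example, not the proxy's own code, that models that splitting as the delimiter and allow_concat options describe it: it first tries "<password><delimiter><factor or passcode>", falls back to treating the whole string as the primary password with automatic factor selection if the prefix fails, and rejects an alphanumeric delimiter. Splitting at the last delimiter, the set of accepted factor names, the stand-in primary_auth function and the USERS table are assumptions made for the example.

```python
import hmac
import string

# Factor names a user may append (assumed from the factors listed for this
# section); a passcode is all digits.
FACTOR_NAMES = {"auto", "push", "phone"}

# Constructed users for the stand-in primary authenticator. Alice's real
# password itself contains the default delimiter.
USERS = {"alice": "s3cret,pw", "bob": "hunter2"}


def primary_auth(username, password):
    """Stand-in for ad_client/radius_client; constant-time comparison."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def validate_delimiter(delimiter):
    """The delimiter may never occur inside a passcode or factor name, so no alphanumerics."""
    if not delimiter or any(c in string.ascii_letters + string.digits for c in delimiter):
        raise ValueError(f"delimiter {delimiter!r} could occur inside a passcode or factor name")
    return delimiter


def candidates(password, delimiter=",", allow_concat=True):
    """Ordered (primary_password, factor) pairs to try; factor None means auto selection."""
    if not allow_concat or delimiter not in password:
        return [(password, None)]
    # Assumption: split at the last delimiter so a password containing the
    # delimiter still works when a factor is appended.
    head, _, tail = password.rpartition(delimiter)
    if tail.lower() in FACTOR_NAMES or (tail and tail.isdigit()):
        return [(head, tail.lower()), (password, None)]
    return [(password, None)]


def authenticate(username, password, delimiter=",", allow_concat=True):
    """Return (primary_ok, factor_to_use); factor is 'auto' unless the user appended one."""
    validate_delimiter(delimiter)
    for primary_pw, factor in candidates(password, delimiter, allow_concat):
        if primary_auth(username, primary_pw):
            return True, factor or "auto"
    return False, None
```

With allow_concat=false the candidates list collapses to the full string, so "hunter2,push" is simply a wrong password; that is the trade-off the option makes between append-mode convenience and never splitting a password.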

To use RADIUS Auto, add a [radius_server_auto] section, which accepts the following options:

Required

ikey Your Duo integration key.
skey

Your Duo secret key.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use skey_protected instead.

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
radius_ip_1

IP address or IP address range for RADIUS clients. Only clients with configured addresses and shared secrets will be allowed to send requests to the Authentication Proxy. If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

This can be single IP address (e.g. "1.2.3.4"), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).

radius_secret_1

The secret shared with RADIUS clients matching radius_ip_1.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_1 instead.

client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

"ad_client" Use Active Directory for primary authentication. Make sure you have an [ad_client] section configured.
"radius_client" Use RADIUS for primary authentication. Make sure you have a [radius_client] section configured.
"duo_only_client" Do not perform primary authentication. Make sure you have a [duo_only_client] section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

Optional

radius_ip_2 Addresses of an additional RADIUS client. Specify more as radius_ip_3, etc.
radius_secret_2

The secret shared with RADIUS clients matching radius_ip_2. Specify more as radius_secret_3, etc.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_2 (or radius_secret_protected_3, etc.) instead.

factors

List of factors ordered by preference. Separate each factor name with a comma (','). The first of these factors supported by a user's configured devices will be used to authenticate that user.

"auto" Use the out-of-band factor ("push" or "phone") recommended by Duo as the best for the user's devices. This is the default.
"push" Use Duo Push.
"phone" Call the user's phone.
"passcode" Send a RADIUS Access-Challenge message prompting the user to enter a passcode.
delimiter

Character (or string) which separates the primary authentication password from the Duo passcode or factor name. If a user's password contains this character, the Authentication Proxy will try interpreting it as an append-mode password, falling back to auto-factor selection if the part of the password before the delimiter is not valid for primary authentication.

This must be a character or string that can never appear within a Duo passcode or factor name. This generally means that punctuation marks are acceptable; alphanumeric characters are not.

By default, a comma (',') will be used as the delimiter.

allow_concat

If "false", never check for a delimiter in user passwords; always use auto-factor selection. Default: "true" (do check for the delimiter and an appended Duo factor or passcode).

api_timeout

Maximum time (in seconds) to wait for a response from the API server. Note that this time includes waiting for the user to respond to out-of-band factors ("push" or "phone"). If an authentication request is issued but not completed before this timeout is reached, the authentication attempt is rejected. Default: 0 (no timeout).

failmode Either "safe" or "secure":
"safe" In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
"secure" In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
port

Port on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on port 1812.

interface

IP address of the network interface on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on all interfaces.

pass_through_attr_names

A comma separated list of RADIUS attribute names which, if sent to the Authentication Proxy from the peer, will be passed through to the primary RADIUS server. For example:

NAS-Identifier,Calling-Station-Id

By default, no attributes are passed through.

pass_through_all

If this option is set to "true", all RADIUS attributes the proxy receives in a request will be copied into requests sent to RADIUS primary authentication servers. Default: "false".

exempt_username_1

Specify a single username. Multi-factor authentication will not be required for this user. Set this option if the device using the Authentication Proxy first connects as a service user, disconnects, and then authenticates the user who is logging in with a separate RADIUS connection. The exemptions should cover those service user(s). Requires version 2.4.10 or later.

exempt_username_2

Additional username to exempt from multi-factor authentication. Specify more as exempt_username_3, exempt_username_4, etc. Requires version 2.4.10 or later.

For example:

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisalsoaradiussecret
client=radius_client
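Because requests are matched against the radius_ip_N specifications in file order, a later server section whose addresses overlap an earlier one is silently unreachable, and a peer that matches no entry is dropped. The following Python is an added example, not the proxy's code, that parses the three address forms listed for radius_ip_1 with the standard ipaddress module, resolves which section and shared secret a given peer would hit, and flags shadowed entries. The configuration it parses is constructed for the example with placeholder keys.

```python
import configparser
import ipaddress

# Constructed sample (placeholder keys): the second section's peer address is
# already covered by the first section's /24, so it can never be reached.
SAMPLE_CFG = """\
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.0/24
radius_secret_1=vpnsecret
radius_ip_2=192.0.2.10-192.0.2.12
radius_secret_2=firewallsecret
client=ad_client

[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.50
radius_secret_1=shadowedsecret
client=ad_client
"""


def parse_ip_spec(spec):
    """'1.2.3.4', '1.2.3.0/24' or '3.3.3.3-3.3.3.6' -> list of ip_network objects."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def peer_table(text):
    """Ordered (section, index, networks, secret) entries from every radius_server_* section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    table = []
    for section in cp.sections():  # file order, which is also match order
        if not section.lower().startswith("radius_server_"):
            continue
        n = 1
        while cp.has_option(section, f"radius_ip_{n}"):
            secret = (cp.get(section, f"radius_secret_{n}", fallback=None)
                      or cp.get(section, f"radius_secret_protected_{n}", fallback=None))
            if secret is None:
                raise ValueError(f"[{section}] radius_ip_{n} has no radius_secret_{n}")
            table.append((section, n, parse_ip_spec(cp.get(section, f"radius_ip_{n}")), secret))
            n += 1
    return table


def route(table, peer_ip):
    """(section, index, secret) for the first entry containing peer_ip; None means the request is dropped."""
    addr = ipaddress.ip_address(peer_ip)
    for section, n, nets, secret in table:
        if any(addr in net for net in nets):
            return section, n, secret
    return None


def shadowed_entries(table):
    """Entries that overlap an earlier entry; peers inside the overlap never reach them."""
    hits = []
    for i, (sec, n, nets, _) in enumerate(table):
        for prev_sec, prev_n, prev_nets, _ in table[:i]:
            if any(a.overlaps(b) for a in nets for b in prev_nets):
                hits.append((sec, n, prev_sec, prev_n))
                break
    return hits


if __name__ == "__main__":
    table = peer_table(SAMPLE_CFG)
    print(route(table, "10.0.0.50"))   # served by radius_server_auto, not radius_server_auto2
    print(shadowed_entries(table))
```

A peer at 10.0.0.50 is routed to [radius_server_auto] with the secret "vpnsecret", so a device configured with "shadowedsecret" fails authentication even though its address appears in the file; reorder the sections or narrow the earlier range to fix it.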

RADIUS iFrame

Users will see a web-based authentication prompt. This mode is only available on supported devices, like Juniper, Cisco, and Array SSL VPNs.

To use RADIUS iFrame, add a [radius_server_iframe] section, which accepts the following options:

Required

ikey Your Duo integration key.
skey

Your Duo secret key.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use skey_protected instead.

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
radius_ip_1

IP address or IP address range for RADIUS clients. Only clients with configured addresses and shared secrets will be allowed to send requests to the Authentication Proxy. If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

This can be single IP address (e.g. "1.2.3.4"), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).

radius_secret_1

The secret shared with RADIUS clients matching radius_ip_1.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_1 instead.

type The type of device with which you are integrating. Options:
"array" Array SPX SSL-VPN
"barracuda" Barracuda Networks SSL VPN
"citrix" Citrix Access Gateway
"citrix_netscaler" Citrix NetScaler
"f5" F5 FirePass SSL VPN
"f5_bigip" F5 BIG-IP Access Policy Manager
"fortinet" Fortinet FortiGate SSL VPN
"juniper" Juniper IVE SSL VPN
"paloalto" Palo Alto Networks SSL-VPN
"sonicwall_sra" SonicWALL SRA SSL VPN
client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

"ad_client" Use Active Directory for primary authentication. Make sure you have an [ad_client] section configured.
"radius_client" Use RADIUS for primary authentication. Make sure you have a [radius_client] section configured.
"duo_only_client" Do not perform primary authentication. Make sure you have a [duo_only_client] section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.
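The radius_ip_N matching rules above (a single address, a CIDR block, or a first-last range, with the first matching section in file order winning when ranges overlap) are the same for every radius_server_* section on this page. The following Python is an added example, not code from Duo's Authentication Proxy: it parses the radius_ip_N keys out of a constructed authproxy.cfg fragment, resolves which section a client address would reach, and reports pairs of sections whose ranges overlap, since clients in the overlap can never reach the later section. Parsing the file with configparser and the two sample sections are assumptions of the example.

```python
import configparser
import ipaddress
import re
from typing import List, Optional, Tuple

# (version, first, last): an inclusive range of integer addresses. Keeping the IP
# version stops a v4 range from "matching" a numerically equal v6 address.
IPRange = Tuple[int, int, int]


def parse_radius_ip(value: str) -> IPRange:
    """Normalise one radius_ip_N value (single address, CIDR block, or
    first-last range) into an inclusive integer range."""
    value = value.strip()
    if "-" in value:                                   # "3.3.3.3-3.3.3.6"
        lo_s, hi_s = value.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid radius_ip range: {value!r}")
        return lo.version, int(lo), int(hi)
    if "/" in value:                                   # "1.2.3.0/24"
        net = ipaddress.ip_network(value, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(value)                 # "1.2.3.4"
    return addr.version, int(addr), int(addr)


def load_radius_sections(cfg_text: str) -> List[Tuple[str, List[IPRange]]]:
    """[(section_name, ranges)] for every radius_server_* section, in file
    order, which is the order the proxy uses when ranges overlap."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    out = []
    for name in cp.sections():
        if name.startswith("radius_server_"):
            ranges = [parse_radius_ip(v) for k, v in cp.items(name)
                      if re.fullmatch(r"radius_ip_\d+", k)]
            out.append((name, ranges))
    return out


def covers(ranges: List[IPRange], client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(v == addr.version and lo <= int(addr) <= hi for v, lo, hi in ranges)


def select_section(sections: List[Tuple[str, List[IPRange]]], client_ip: str) -> Optional[str]:
    """First section in file order whose ranges cover client_ip, or None when
    no configured client matches and the request would be dropped."""
    for name, ranges in sections:
        if covers(ranges, client_ip):
            return name
    return None


def overlapping_sections(sections: List[Tuple[str, List[IPRange]]]) -> List[Tuple[str, str]]:
    """Pairs of sections whose ranges intersect: clients in the shared
    addresses always reach the earlier section, never the later one."""
    pairs = []
    for i, (a, ra) in enumerate(sections):
        for b, rb in sections[i + 1:]:
            if any(va == vb and la <= hb and lb <= ha
                   for va, la, ha in ra for vb, lb, hb in rb):
                pairs.append((a, b))
    return pairs


# Constructed sample: two RADIUS server sections whose client ranges overlap.
SAMPLE_CFG = """
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.0/24
radius_secret_1=firstsecret
client=ad_client

[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.5-10.0.0.9
radius_secret_1=secondsecret
radius_ip_2=192.168.1.1
radius_secret_2=thirdsecret
client=ad_client
"""

if __name__ == "__main__":
    sections = load_radius_sections(SAMPLE_CFG)
    for ip in ("10.0.0.7", "192.168.1.1", "172.16.0.1"):
        print(ip, "->", select_section(sections, ip))
    print("overlaps:", overlapping_sections(sections))
```

In the sample, a request from 10.0.0.7 is answered by [radius_server_auto] even though [radius_server_challenge] lists it explicitly, and it is checked against firstsecret, not secondsecret. Running the overlap check over a real authproxy.cfg before restarting the service catches exactly this kind of silent misrouting.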

Optional

radius_ip_2 Addresses of an additional RADIUS client. Specify more as radius_ip_3, etc.
radius_secret_2

The secret shared with RADIUS clients matching radius_ip_2. Specify more as radius_secret_3, etc.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_2 (or radius_secret_protected_3, etc.) instead.

api_timeout

Maximum time (in seconds) to wait for a response from the API server. Default: 15 (8 for Citrix).

failmode Either "safe" or "secure":
"safe" In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
"secure" In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
port

Port on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on port 1812.

interface

IP address of the network interface on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on all interfaces.

pass_through_attr_names

A comma separated list of RADIUS attribute names which, if sent to the Authentication Proxy from the peer, will be passed through to the primary RADIUS server. For example:

NAS-Identifier,Calling-Station-Id

By default, no attributes are passed through.

pass_through_all

If this option is set to "true", all RADIUS attributes the proxy receives in a request will be copied into requests sent to RADIUS primary authentication servers. Default: "false".

exempt_username_1

Specify a single username. Multi-factor authentication will not be required for this user. Set this option if the device using the Authentication Proxy first connects as a service user, disconnects, and then authenticates the user who is logging in with a separate RADIUS connection. The exemptions should cover those service user(s). Requires version 2.4.10 or later.

exempt_username_2

Additional username to exempt from multi-factor authentication. Specify more as exempt_username_3, exempt_username_4, etc. Requires version 2.4.10 or later.

For example:

[radius_server_iframe]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
type=citrix_netscaler
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisalsoaradiussecret
client=radius_client

RADIUS Challenge

Users will be presented with a textual challenge after entering their existing passwords. Note that not all systems supporting RADIUS authentication can support RADIUS challenges. MSCHAP-v2 is supported when the client mechanism is radius_client.

To use RADIUS Challenge, add a [radius_server_challenge] section, which accepts the following options:

Required

ikey Your Duo integration key.
skey

Your Duo secret key.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use skey_protected instead.

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
radius_ip_1

IP address or IP address range for RADIUS clients. Only clients with configured addresses and shared secrets will be allowed to send requests to the Authentication Proxy. If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

This can be single IP address (e.g. "1.2.3.4"), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).

radius_secret_1

The secret shared with RADIUS clients matching radius_ip_1.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_1 instead.

client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

"ad_client" Use Active Directory for primary authentication. Make sure you have an [ad_client] section configured.
"radius_client" Use RADIUS for primary authentication. Make sure you have a [radius_client] section configured.
"duo_only_client" Do not perform primary authentication. Make sure you have a [duo_only_client] section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

Optional

radius_ip_2 Addresses of an additional RADIUS client. Specify more as radius_ip_3, etc.
radius_secret_2

The secret shared with RADIUS clients matching radius_ip_2. Specify more as radius_secret_3, etc.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_2 (or radius_secret_protected_3, etc.) instead.

prompt_format This controls how the Challenge message is formatted. Options:
"console" The proxy will return the same textual prompt as would appear in Duo Unix, with lines separated by newline characters. This is most appropriate for console-based integrations, and might not work correctly with web-based logins (e.g. SSL VPN devices). This is the default.
"html" The proxy will return the same textual prompt as with the "console" option, but replace line breaks with HTML line-break (i.e. '<br />') tags. This is more likely to work correctly with web-based logins.
"short"

The proxy will format a simple, short textual-challenge message, listing only the available factor names (but not their descriptions).

The proxy will also fall back on this format if any of the other options were selected, but the message length exceeds the permissible length of a RADIUS challenge message.

enroll_challenge

The RADIUS specification allows for reply messages in both Access-Challenge and Access-Reject responses. However, many devices will only actually display the reply message if it appears in an Access-Challenge. Thus, while sending an Access-Reject response with the appropriate enrollment link would generally be more logical, using an Access-Challenge will provide broader compatibility.

If this option is set to "true", then when an unenrolled user logs in, the proxy will send back an enrollment message in a RADIUS Access-Challenge response, but deny any subsequent responses to the challenge. If set to "false", then the proxy will send back the enrollment message in an Access-Reject response.

Default: "true"

api_timeout

Maximum time (in seconds) to wait for a response from the API server. Note that this time includes waiting for the user to respond to out-of-band factors ("push" or "phone"). If an authentication request is issued but not completed before this timeout is reached, the authentication attempt is rejected. Default: 0 (no timeout).

failmode Either "safe" or "secure":
"safe" In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
"secure" In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
port

Port on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on port 1812.

interface

IP address of the network interface on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on all interfaces.

pass_through_attr_names

A comma separated list of RADIUS attribute names which, if sent to the Authentication Proxy from the peer, will be passed through to the primary RADIUS server. For example:

NAS-Identifier,Calling-Station-Id

By default, no attributes are passed through.

pass_through_all

If this option is set to "true", all RADIUS attributes the proxy receives in a request will be copied into requests sent to RADIUS primary authentication servers. Default: "false".

exempt_username_1

Specify a single username. Multi-factor authentication will not be required for this user. Set this option if the device using the Authentication Proxy first connects as a service user, disconnects, and then authenticates the user who is logging in with a separate RADIUS connection. The exemptions should cover those service user(s). Requires version 2.4.10 or later.

exempt_username_2

Additional username to exempt from multi-factor authentication. Specify more as exempt_username_3, exempt_username_4, etc. Requires version 2.4.10 or later.

For example:

[radius_server_challenge]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisalsoaradiussecret
client=radius_client
prompt_format=html

RADIUS Concat

Users will append a Duo passcode to their existing passwords. This mode should be compatible with almost any system that supports RADIUS authentication using the PAP mechanism.

To use RADIUS Concat, add a [radius_server_concat] section, which accepts the following options:

Required

ikey Your Duo integration key.
skey

Your Duo secret key.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use skey_protected instead.

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
radius_ip_1

IP address or IP address range for RADIUS clients. Only clients with configured addresses and shared secrets will be allowed to send requests to the Authentication Proxy. If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

This can be single IP address (e.g. "1.2.3.4"), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).

radius_secret_1

The secret shared with RADIUS clients matching radius_ip_1.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_1 instead.

client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

"ad_client" Use Active Directory for primary authentication. Make sure you have an [ad_client] section configured.
"radius_client" Use RADIUS for primary authentication. Make sure you have a [radius_client] section configured.
"duo_only_client" Do not perform primary authentication. Make sure you have a [duo_only_client] section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

Optional

radius_ip_2 Addresses of an additional RADIUS client. Specify more as radius_ip_3, etc.
radius_secret_2

The secret shared with RADIUS clients matching radius_ip_2. Specify more as radius_secret_3, etc.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_2 (or radius_secret_protected_3, etc.) instead.

delimiter

A character (or string) which separates the primary password from the appended Duo passcode or factor name. This must be a character or string that can never appear within a Duo passcode or factor name. This generally means that punctuation marks are acceptable; alphanumeric characters are not.

By default, a comma (',') will be used as the delimiter.

api_timeout

Maximum time (in seconds) to wait for a response from the API server. Note that this time includes waiting for the user to respond to out-of-band factors ("push" or "phone"). If an authentication request is issued but not completed before this timeout is reached, the authentication attempt is rejected. Default: 0 (no timeout).

failmode Either "safe" or "secure":
"safe" In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
"secure" In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
port

Port on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on port 1812.

interface

IP address of the network interface on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on all interfaces.

pass_through_attr_names

A comma separated list of RADIUS attribute names which, if sent to the Authentication Proxy from the peer, will be passed through to the primary RADIUS server. For example:

NAS-Identifier,Calling-Station-Id

By default, no attributes are passed through.

pass_through_all

If this option is set to "true", all RADIUS attributes the proxy receives in a request will be copied into requests sent to RADIUS primary authentication servers. Default: "false".

exempt_username_1

Specify a single username. Multi-factor authentication will not be required for this user. Set this option if the device using the Authentication Proxy first connects as a service user, disconnects, and then authenticates the user who is logging in with a separate RADIUS connection. The exemptions should cover those service user(s). Requires version 2.4.10 or later.

exempt_username_2

Additional username to exempt from multi-factor authentication. Specify more as exempt_username_3, exempt_username_4, etc. Requires version 2.4.10 or later.

For example:

[radius_server_concat]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisalsoaradiussecret
client=radius_client

RADIUS Duo Only

Use a RADIUS integration which does not handle primary authentication credentials. The user's passcode or factor choice, encrypted using the PAP mechanism, is submitted as the RADIUS password.

To use RADIUS Duo Only, add a [radius_server_duo_only] section, which accepts the following options:

Required

ikey Your Duo integration key.
skey

Your Duo secret key.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use skey_protected instead.

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
radius_ip_1

IP address or IP address range for RADIUS clients. Only clients with configured addresses and shared secrets will be allowed to send requests to the Authentication Proxy. If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

This can be single IP address (e.g. "1.2.3.4"), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).

radius_secret_1

The secret shared with RADIUS clients matching radius_ip_1.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_1 instead.

client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

"duo_only_client" Do not perform primary authentication. Make sure you have a [duo_only_client] section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

Optional

radius_ip_2 Addresses of an additional RADIUS client. Specify more as radius_ip_3, etc.
radius_secret_2

The secret shared with RADIUS clients matching radius_ip_2. Specify more as radius_secret_3, etc.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use radius_secret_protected_2 (or radius_secret_protected_3, etc.) instead.

api_timeout

Maximum time (in seconds) to wait for a response from the API server. Note that this time includes waiting for the user to respond to out-of-band factors ("push" or "phone"). If an authentication request is issued but not completed before this timeout is reached, the authentication attempt is rejected. Default: 0 (no timeout).

failmode Either "safe" or "secure":
"safe" In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
"secure" In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
port

Port on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on port 1812.

interface

IP address of the network interface on which to listen for incoming RADIUS Access Requests. By default, the proxy will listen on all interfaces.

pass_through_attr_names

A comma separated list of RADIUS attribute names which, if sent to the Authentication Proxy from the peer, will be passed through to the primary RADIUS server. For example:

NAS-Identifier,Calling-Station-Id

By default, no attributes are passed through.

pass_through_all

If this option is set to "true", all RADIUS attributes the proxy receives in a request will be copied into requests sent to RADIUS primary authentication servers. Default: "false".

exempt_username_1

Specify a single username. Multi-factor authentication will not be required for this user. Set this option if the device using the Authentication Proxy first connects as a service user, disconnects, and then authenticates the user who is logging in with a separate RADIUS connection. The exemptions should cover those service user(s). Requires version 2.4.10 or later.

exempt_username_2

Additional username to exempt from multi-factor authentication. Specify more as exempt_username_3, exempt_username_4, etc. Requires version 2.4.10 or later.

For example:

[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisalsoaradiussecret

LDAP Auto

Use this for an LDAP integration in which the factor is automatically detected for each login.

  • If using the LDAP "plain" authentication mechanism, users may append a factor name or passcode after their existing passwords.
  • If there is no Duo factor appended or if the password is encrypted with SASL, the factor is selected based on Duo's recommendation or the administrator's preferences.

To use LDAP Auto, add a [ldap_server_auto] section, which accepts the following options:

Required

ikey Your Duo integration key.
skey

Your Duo secret key.

If you're on Windows and would like to encrypt this password, see Encrypting Passwords and use skey_protected instead.

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”).
client

The mechanism that the Authentication Proxy should use to perform primary authentication. This should correspond with a "client" section elsewhere in the config file.

"ad_client" Use Active Directory for primary authentication. Make sure you have an [ad_client] section configured.

This parameter is optional if you only have one "client" section. If you have multiple, each "server" section should specify which "client" to use.

Optional

factors

List of factors ordered by preference. Separate each factor name with a comma (','). The first of these factors supported by a user's configured devices will be used to authenticate that user.

"auto" Use the out-of-band factor ("push" or "phone") recommended by Duo as the best for the user's devices. This is the default.
"push" Use Duo Push.
"phone" Call the user's phone.
"passcode" Require a passcode. An LDAP bind has no equivalent of a RADIUS Access-Challenge, so the proxy cannot prompt for a passcode over LDAP; the passcode must be appended to the password using the configured delimiter (see delimiter below).
failmode Either "safe" or "secure":
"safe" In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
"secure" In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.
port

Port on which to listen for incoming LDAP connections. Default: 389

interface

IP address of the network interface on which to listen for incoming LDAP connections. By default, the proxy will listen on all interfaces.

ssl_port

If ssl_key_path and ssl_cert_path are present then the Authentication Proxy will listen for incoming LDAPS connections on this port. Default: 636

ssl_key_path

Path to PEM-formatted SSL/TLS private key. Both ssl_key_path and ssl_cert_path must be specified to listen for STARTTLS or LDAPS requests.

ssl_cert_path

Path to PEM-formatted SSL/TLS server certificate. Both ssl_key_path and ssl_cert_path must be specified to listen for STARTTLS or LDAPS requests.

exempt_primary_bind

If set to "true" (the default) then multi-factor authentication will not be performed for the first successful LDAP authentication in each connection. Use this if the device using the Authentication Proxy first connects as a service user and then authenticates the user who is logging in.

exempt_ou_1

Specify either the DN of a single user or an OU. Multi-factor authentication will not be required for these users. Set this option if the device using the Authentication Proxy first connects as a service user, disconnects, and then authenticates the user who is logging in with a separate LDAP connection. The exemptions should cover those service user(s).

exempt_ou_2

Additional OU or DN to exempt from multi-factor authentication. Specify more as exempt_ou_3, exempt_ou_4, etc.

delimiter

Character (or string) which separates the primary password from the appended Duo passcode / factor name. If a user's password contains this character the Authentication Proxy will try interpreting it as an append-mode password, falling back to auto-factor selection if the part of the password before the delimiter is not valid for primary authentication.

This must be a character or string that can never appear within a Duo passcode or factor name. This generally means that punctuation marks are acceptable; alphanumeric characters are not.

By default, a comma (',') will be used as the delimiter.

allow_concat

If "false", always use auto-factor selection (never check for a delimiter in user passwords). Default: "true" (do check for the delimiter and an appended Duo factor or passcode).

allow_searches_after_bind

If "false", the incoming LDAP connection is closed immediately after a successful bind. Default: "true" (keep the connection open after a successful bind so the client can issue further queries; the session is closed when a subsequent bind request is received). Requires Authentication Proxy version 2.4.14 or later.

For example:

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
ssl_key_path=ldap_server.key
ssl_cert_path=ldap_server.pem
client=ad_client
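The delimiter handling described for RADIUS Concat and, above, for LDAP Auto (allow_concat, plus the fall-back to automatic factor selection when the text before the delimiter fails primary authentication) comes down to one split and one retry. The Python below is an added example, not the proxy's own code; it implements that logic against a constructed in-memory directory standing in for the [ad_client] primary authenticator. Treating exactly "push" and "phone" as factor names, and any other alphanumeric suffix as a passcode, are assumptions of the example.

```python
from typing import Callable, Optional, Tuple

# Factor names a user may append instead of a passcode. The page names "push" and
# "phone"; treating exactly these two as factor names is an assumption of this example.
FACTOR_NAMES = {"push", "phone"}


def split_concat(password: str, delimiter: str = ",") -> Optional[Tuple[str, str]]:
    """Split an append-mode password into (primary_password, duo_part).

    The delimiter can never occur inside a passcode or factor name, so the Duo part
    is everything after the LAST delimiter. Splitting from the right is what lets a
    primary password that itself contains the delimiter still authenticate.
    """
    if not delimiter or delimiter not in password:
        return None
    primary, duo_part = password.rsplit(delimiter, 1)
    return primary, duo_part


def classify_duo_part(duo_part: str) -> Optional[str]:
    """'factor' for a known factor name, 'passcode' for an alphanumeric code, else None.
    Passcodes and factor names are alphanumeric, which is why the page requires a
    punctuation delimiter."""
    if duo_part.lower() in FACTOR_NAMES:
        return "factor"
    if duo_part and duo_part.isalnum():
        return "passcode"
    return None


def ldap_auto_decide(username: str, password: str,
                     primary_auth: Callable[[str, str], bool],
                     delimiter: str = ",", allow_concat: bool = True) -> Tuple[bool, Optional[str]]:
    """Reproduce the LDAP Auto decision the page describes.

    1. If allow_concat and the password contains the delimiter, try the text before
       the delimiter as the primary password and keep the suffix as the Duo part.
    2. If that primary bind fails, or there is no delimiter, bind with the whole
       password and fall back to automatic factor selection ("auto").
    Returns (primary_ok, duo_factor); duo_factor is None when primary auth failed.
    RADIUS Concat uses step 1 only; the page documents the fall-back for LDAP Auto.
    """
    if allow_concat:
        parts = split_concat(password, delimiter)
        if parts is not None:
            primary, duo_part = parts
            if classify_duo_part(duo_part) and primary_auth(username, primary):
                return True, duo_part
    if primary_auth(username, password):
        return True, "auto"
    return False, None


# Constructed stand-in for the [ad_client] / [radius_client] primary authenticator.
DIRECTORY = {"alice": "s3cret,withcomma", "bob": "hunter2"}


def fake_primary_auth(username: str, password: str) -> bool:
    return DIRECTORY.get(username) == password


if __name__ == "__main__":
    for user, pw in (("bob", "hunter2,push"), ("bob", "hunter2,123456"),
                     ("alice", "s3cret,withcomma"), ("alice", "s3cret,withcomma,phone"),
                     ("bob", "wrong,push")):
        print(user, repr(pw), "->", ldap_auto_decide(user, pw, fake_primary_auth))
```

The two alice cases show both behaviours the page describes: "s3cret,withcomma" splits into a primary password that fails, so the proxy retries with the whole string and falls back to auto-factor selection; "s3cret,withcomma,phone" splits at the last comma, so the password containing a comma still works and "phone" is used as the factor.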

Cloud Section

The [cloud] section is a special configuration used only when importing users to Duo via OpenLDAP or Active Directory synchronization. See our AD Sync documentation or OpenLDAP sync documentation to learn more. Only one [cloud] section may be present in the configuration file.

Required

ikey Directory sync integration key
skey Directory sync integration secret
api_host Directory sync API hostname
service_account_username The username of an account that has permission to read from your Active Directory or OpenLDAP directory. We recommend creating a service account that has read-only access. This parameter requires Authentication Proxy v2.6.0 or later, and is used with NTLMv1, NTLMv2, and Plain authentication.
service_account_password The password that corresponds to the service_account_username. This parameter requires Authentication Proxy v2.6.0 or later, and is used with NTLMv1, NTLMv2, and Plain authentication.

The values for the [cloud] section are provided on the directory's properties page in the Duo Admin Panel as a downloadable text file. Copy the information from that file and append it to your existing authproxy.cfg file.

Example for Integrated (SSPI) authentication:

[cloud]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com

Example for Plain authentication:

[cloud]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
service_account_username=duosync
service_account_password=Pass12345

HTTP Proxy Section

The [http_proxy] section allows supported Duo applications to send their HTTPS connections to Duo's cloud service through the Authentication Proxy server. This is useful in environments where client systems do not have direct Internet access to Duo. You must also configure the Duo application to use the Authentication Proxy server as its HTTP proxy; see that application's documentation for instructions. Supported in version 2.4.13 or later.

To use the HTTP proxy feature, add a [http_proxy] section, which accepts the following options:

Required

api_host Your Duo API hostname (e.g. “api-XXXXXXXX.duosecurity.com”). Use the hostname from the Duo application that will be connecting to Duo's service through your Authentication Proxy server.

Optional

port The port on which to accept incoming HTTP proxy connections. Default: 80
client_ip

Restricts inbound HTTP proxy connections to the specified IP address(es). If no client IPs are specified, the Authentication Proxy accepts HTTP proxy connections from any client that can reach the port.

This can be a single IP address (e.g. "1.2.3.4"), multiple client IPs separated by a comma (1.2.3.4,1.2.3.14,1.2.3.24), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).

Example:

[http_proxy]
api_host=api-XXXXXXXX.duosecurity.com
port=8080
client_ip=192.168.23.42,192.168.23.64

Multiple HTTP proxy configurations can be used by appending a number onto the end of the section name (e.g. http_proxy1, http_proxy2, etc.). The port must be unique for each http_proxy section. Incoming requests are filtered to a given proxy configuration based on the connection request's port, then optionally further restricted by the IPs listed in client_ip.
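Several options documented above trade availability or convenience for assurance: failmode defaults to "safe" (fail-open), exempt_username_N and exempt_ou_N bypass MFA, pass_through_all forwards every client attribute to the primary RADIUS server, an LDAP server section without ssl_key_path and ssl_cert_path only speaks cleartext LDAP, and an [http_proxy] without client_ip relays for any host that can reach its port. The following audit script is an added example, not part of the Duo product: it reads an authproxy.cfg with Python's configparser and reports those settings, shown on a constructed weak configuration beside a hardened one that produces no findings. In the samples the [ad_client] section is abbreviated to its host option and all key material is placeholder text.

```python
import configparser
import re
from typing import List


def audit_authproxy_cfg(text: str) -> List[str]:
    """Return findings for settings on this page that weaken the proxy."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    for name in cp.sections():
        sec = cp[name]
        kind = re.sub(r"\d+$", "", name)  # radius_server_auto2 -> radius_server_auto
        if kind.startswith(("radius_server_", "ldap_server_")):
            failmode = sec.get("failmode", "safe").lower()  # page: default is "safe"
            if failmode != "secure":
                findings.append(f"[{name}] failmode={failmode}: if Duo is unreachable, "
                                "logins succeed on the primary factor alone")
            for key in sec:
                if re.fullmatch(r"exempt_(username|ou)_\d+", key):
                    findings.append(f"[{name}] {key}={sec[key]}: bypasses MFA, confirm it is a service account")
            if sec.get("pass_through_all", "false").lower() == "true":
                findings.append(f"[{name}] pass_through_all=true: every client attribute is forwarded upstream")
            if "skey" in sec and "skey_protected" not in sec:
                findings.append(f"[{name}] skey is in cleartext (skey_protected is available on Windows)")
            client = sec.get("client")
            if client and client not in cp.sections():
                findings.append(f"[{name}] client={client} names a section that does not exist")
        if kind.startswith("radius_server_") and not any(re.fullmatch(r"radius_ip_\d+", k) for k in sec):
            findings.append(f"[{name}] no radius_ip_N: no RADIUS client can reach this section")
        if kind.startswith("ldap_server_") and not (sec.get("ssl_key_path") and sec.get("ssl_cert_path")):
            findings.append(f"[{name}] no ssl_key_path/ssl_cert_path: LDAPS and STARTTLS unavailable, "
                            f"binds arrive in cleartext on port {sec.get('port', '389')}")
        if kind == "http_proxy" and not sec.get("client_ip"):
            findings.append(f"[{name}] no client_ip: any host reaching port {sec.get('port', '80')} can relay through it")
    return findings


# Constructed configs. [ad_client] is abbreviated to its host option; key values are placeholders.
WEAK_CFG = """
[ad_client]
host=dc1.example.corp

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.0/24
radius_secret_1=thisisaradiussecret
pass_through_all=true
exempt_username_1=svc_vpn
client=ad_client

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
client=ad_client

[http_proxy]
api_host=api-XXXXXXXX.duosecurity.com
port=8080
"""

HARDENED_CFG = """
[ad_client]
host=dc1.example.corp

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey_protected=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.0/24
radius_secret_protected_1=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
failmode=secure
pass_through_attr_names=NAS-Identifier,Calling-Station-Id
client=ad_client

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey_protected=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=secure
ssl_key_path=ldap_server.key
ssl_cert_path=ldap_server.pem
client=ad_client

[http_proxy]
api_host=api-XXXXXXXX.duosecurity.com
port=8080
client_ip=192.168.23.42,192.168.23.64
"""

if __name__ == "__main__":
    print("\n".join(audit_authproxy_cfg(WEAK_CFG)) or "no findings")
```

The weak configuration yields eight findings and the hardened one none. Whether failmode=secure is acceptable is an availability decision for each deployment, but the audit makes the fail-open default visible instead of leaving it implicit in a missing line.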

Start the Proxy

On Windows, open an Administrator command prompt and run:

net start DuoAuthProxy

Alternatively, open the Windows Services console (services.msc), locate "Duo Security Authentication Proxy Service" in the list of services, and click the Start Service button.

If the service starts successfully, Authentication Proxy service output is written to the authproxy.log file, which can be found in the log subdirectory.

If you see an error saying that the "service could not be started", open the Application Event Viewer and look for an Error from the source "DuoAuthProxy". The traceback may include a "ConfigError" that can help you find the source of the issue.

Stop and restart the Authentication Proxy service by either clicking the Restart Service button in the Windows Services console or issuing these commands from an Administrator command prompt:

net stop DuoAuthProxy & net start DuoAuthProxy

On Linux, open a root shell and run:

# /opt/duoauthproxy/bin/authproxyctl start

To ensure the proxy started successfully, run:

# /opt/duoauthproxy/bin/authproxyctl status

Authentication Proxy service output is written to the authproxy.log file, which can be found in the log subdirectory.

To stop and restart the Authentication Proxy, open a root shell and run:

# /opt/duoauthproxy/bin/authproxyctl restart

If you modify your authproxy.cfg configuration after initial setup, you'll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.

Troubleshooting

Need some help? Take a look at the Authentication Proxy Frequently Asked Questions (FAQ) page or try searching our Authentication Proxy Knowledge Base articles or Community discussions. For further assistance, contact Support.
