Authproxy
Duo Authentication Proxy Reference
Many of Duo’s application integrations do not require any local components. However, certain services do require a local Authentication Proxy service. This document contains a comprehensive reference of configuration options available for the proxy.
Note
Quick-start guides for installing and configuring the proxy can be found in each of the specific application documentation pages (e.g. Cisco ASA, Citrix NetScaler, or F5) and in the generic instructions for RADIUS or LDAP. We recommend starting with the instructions for your device or use case, and then using this page if you need advanced configuration options to support your device or service.
Overview
The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request (received as a push notification from Duo Mobile, or as a phone call, etc.), the Duo proxy returns access approval to the requesting device or application.
Connectivity Requirements
The Authentication Proxy communicates with Duo’s service on TCP port 443. Firewall configurations that restrict outbound access to Duo’s service with rules using destination IP addresses or IP address ranges aren’t recommended, since these may change over time to maintain our service’s high availability. If your organization requires IP-based rules, please review this Duo KB article.
In addition to providing two-factor authentication, the Duo Authentication Proxy is a required component for importing Active Directory or OpenLDAP users into Duo via sync, Active Directory authentication for Duo Single Sign-On, and can also act as an HTTP proxy itself for other systems that also need to contact Duo’s cloud service.
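The paragraph above is the reason a connectivity check should start from the hostname rather than from a pinned IP list. The following pre-flight script is an added example, not code from Duo or from the proxy package (the proxy's own authproxyctl, described later on this page, prints its own connectivity output). It resolves the hostname at run time, attempts a real TCP handshake to every address it currently has, and distinguishes a firewall silently dropping the connection (timeout) from a host that is reachable but not listening (refusal). The Duo API hostname in the usage line is a placeholder; the built-in demo only uses a loopback listener so it runs offline.

```python
"""Pre-flight outbound connectivity check for a Duo Authentication Proxy host.

Added example, not code from Duo or the proxy package. The proxy needs
outbound TCP 443 to Duo's service; because Duo's addresses change, the check
resolves the hostname at run time and tests every address it currently has,
rather than relying on a pinned IP list.
"""
import socket


def check_tcp_reachable(host, port, timeout=5.0):
    """Attempt a full TCP handshake to host:port.

    Returns (reachable, detail). A timeout usually means a firewall is
    silently dropping the outbound SYN; a refusal means the packets arrived
    but nothing is listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timed out (outbound connection filtered?)"
    except ConnectionRefusedError:
        return False, "connection refused (nothing listening)"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except OSError as exc:
        return False, f"{exc.__class__.__name__}: {exc}"


def check_each_address(host, port=443, timeout=5.0):
    """Resolve host now and test each address separately, so an egress rule
    that allows only some of the current addresses shows up as a partial
    failure instead of an intermittent one. Returns {ip: (reachable, detail)}."""
    results = {}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {host: (False, f"name resolution failed: {exc}")}
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in results:
            results[ip] = check_tcp_reachable(ip, port, timeout)
    return results


def demo_loopback():
    """Offline demonstration: a loopback listener is reachable while open and
    refused once closed. Returns (reachable_while_open, reachable_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open, _ = check_tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close, _ = check_tcp_reachable("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback demo (open, closed):", demo_loopback())
    # Placeholder API hostname (assumed); substitute the api_host of your Duo integration.
    for ip, (ok, detail) in check_each_address("api-xxxxxxxx.duosecurity.com").items():
        print(f"{ip}:443 -> {'OK' if ok else 'FAIL'} ({detail})")
```

Run it on the proxy host itself, not from an administrator workstation: the egress rules that matter are the ones applied to the server's own traffic.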
Installation
New Proxy Install
Locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports these operating systems:
Windows Server 2012 or later (Server 2016+ recommended)
CentOS 7 or later (CentOS 8+ recommended)
Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
Ubuntu 16.04 or later (Ubuntu 18.04+ recommended)
Debian 7 or later (Debian 9+ recommended)
The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).
Windows
Download the most recent Authentication Proxy installer for Windows from Duo. The actual filename reflects the version you download. Verify the download against the checksums Duo publishes before running it.
Launch the Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.
To perform a silent install on Windows, issue the following from an elevated command prompt after downloading the installer (replacing version with the actual version you downloaded):
duoauthproxy-version.exe /S
Linux
Ensure that Perl and a compiler toolchain are installed. On most recent RPM-based distributions (Fedora, Red Hat Enterprise Linux, and CentOS) you can install these by running (as root):
$ yum install gcc make libffi-devel perl zlib-devel diffutils
On Debian-derived systems, install these dependencies by running (as root):
$ apt-get install build-essential libffi-dev perl zlib1g-dev
Download the most recent Authentication Proxy for Unix from Duo. Depending on your download method, the actual filename may reflect the version. Verify the download against the checksums Duo publishes before building it.
Extract the Authentication Proxy files and build it as follows:
$ tar xzf duoauthproxy-version-src.tgz
$ cd duoauthproxy-version-src
$ make
Install the authentication proxy (as root):
$ cd duoauthproxy-build
$ ./install
Follow the prompts to complete the installation. The installer creates a user to run the proxy service and a group to own the log directory and files. You can accept the default user and group names or enter your own.
If you ever need to uninstall the proxy, run /opt/duoauthproxy/uninstall.
You need to add your authentication and application information to the default configuration file before you can start the Duo Authentication Proxy service.
Upgrading the Proxy
To upgrade the Duo Authentication Proxy, simply download the most recent version and install over your current running version. The installer preserves your current configuration and log files when upgrading to the latest release. Consider making a backup copy before running the upgrade, securing it as you would your running config file (as the backup file will also contain your passwords and secrets). The relevant directories are:
Windows, v5.0.0 and later: C:\Program Files\Duo Security Authentication Proxy\conf and C:\Program Files\Duo Security Authentication Proxy\log
Windows, v4.2 and earlier: C:\Program Files (x86)\Duo Security Authentication Proxy\conf and C:\Program Files (x86)\Duo Security Authentication Proxy\log
Linux, all versions: /opt/duoauthproxy/conf and /opt/duoauthproxy/log
Duo Authentication Proxy 5.0 is the first 64-bit release for Windows. When upgrading from older 32-bit releases to 5.0 or later, the installer migrates the contents of your existing conf and log directories to the 64-bit installation destination at C:\Program Files\Duo Security Authentication Proxy and removes the C:\Program Files (x86)\Duo Security Authentication Proxy directory.
Windows
Launch the Authentication Proxy installer as a user with administrator rights (close the Event Viewer first if you have it open) and follow the prompts to update your existing Authentication Proxy software. The upgrade retains the conf and log folders and their contents from your current installation.
To perform a silent upgrade install on Windows, issue the following from an elevated command prompt after downloading the installer (replacing version with the actual version you downloaded):
duoauthproxy-version.exe /S
Note: If you previously changed the properties of the “Duo Security Authentication Proxy Service” to run as a named domain account, be aware that the service will revert to running as “Local System” after the upgrade. Repeat the process to change the service back to using a named domain service account before starting the service.
If the Duo Authentication Proxy service was running when you started the upgrade, the installer attempts to restart the proxy service after the upgrade completes. If the service was not running when you started the upgrade (or if service startup encountered an error requiring correction before starting), you’ll need to start the Authentication Proxy service. From an administrator command prompt run:
net start duoauthproxy
Or, open the Services console, locate the “Duo Security Authentication Proxy Service” in the list of services, select it, and click Start.
Authentication Proxy v5.1.0 and later includes the authproxyctl executable, which shows the connectivity tool output when starting the service. The installer adds the Authentication Proxy bin directory, C:\Program Files\Duo Security Authentication Proxy\bin, to your system path automatically, so you should not need to specify the full path to authproxyctl to run it.
From an administrator command prompt run:
authproxyctl start
Linux
The most recent Authentication Proxy version may have additional prerequisites beyond those installed for your current running version. On most recent RPM-based distributions (Fedora, Red Hat Enterprise Linux, and CentOS) you can install (or verify the presence of) these by running (as root):
$ yum install gcc make libffi-devel perl zlib-devel diffutils
On Debian-derived systems, run (as root):
$ apt-get install build-essential libffi-dev perl zlib1g-dev
Extract the Authentication Proxy files:
$ tar xzf duoauthproxy-5.5.0-src.tgz
Change directory to the extracted source:
$ cd duoauthproxy-5.5.0-src
Run make to build the Authentication Proxy installer:
$ make
Change directory to the newly built installer and run the installer (as root):
$ cd duoauthproxy-build
$ ./install
Follow the installation prompts to update your existing Authentication Proxy software. The upgrade retains the conf and log folders and contents from your current installation.
The installer creates a user to run the proxy service and a group to own the log directory and files. You can accept the default user and group names or enter your own.
Start the new Authentication Proxy service:
$ /opt/duoauthproxy/bin/authproxyctl start
To install the Duo proxy silently with the default options, use the following command:
$ sudo ./duoauthproxy-build/install --install-dir /opt/duoauthproxy --service-user duo_authproxy_svc --log-group duo_authproxy_grp --create-init-script yes
Configuration
The Duo Authentication Proxy configuration file is located in the conf subdirectory of the proxy installation:
Windows, v5.0.0 and later: C:\Program Files\Duo Security Authentication Proxy\conf
Windows, v4.2 and earlier: C:\Program Files (x86)\Duo Security Authentication Proxy\conf
Linux: /opt/duoauthproxy/conf
Version 4.0 and later restricts the default file access for the conf directory to the Windows built-in “Administrators” group during installation. Version 5.4.1 and later applies the same “Administrators” default file access permissions to the bin directory as well.
The configuration file is formatted as a simple ‘INI’ file. Section headings appear as:
[section]
Individual properties beneath a section appear as:
name=value
Section headings and section-specific parameters should be lowercase. You may comment out a line in the cfg file by prefixing it with REM, #, or ;. Because the semicolon (;) and octothorpe (#) characters are interpreted as the beginning of a comment, do not use secrets or passwords that contain these characters in your config: the password or secret may be truncated at the comment character.
All relative paths specified in the configuration file are relative to the root proxy installation directory. For example, the default value for the main section’s ‘log_dir’ option is ‘log’ (as documented below). Given a default install location on Windows Server 2019, the log directory is:
C:\Program Files\Duo Security Authentication Proxy\log
Important: If you modify your configuration, you’ll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.
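The rules above (lowercase sections and parameters; REM, # and ; comments; a value truncated at the first # or ;; relative paths resolved against the install root) are enough to write a pre-flight linter to run before restarting the service. The following is an added example, not Duo’s parser or any code from the proxy package; it models the behaviour as this page describes it. Assumptions: the configuration file is named authproxy.cfg, and parameter names ending in skey, secret or password (optionally with a numeric suffix, e.g. radius_secret_1) are credentials. The sample config it lints is constructed, with placeholder hosts and keys.

```python
"""Pre-flight linter for a Duo Authentication Proxy configuration file.

Added example, not Duo's own parser. It models the parsing rules described
on this page: INI-style [section] headers and name=value lines, all
lowercase; whole-line comments start with REM, # or ;; a # or ; inside a
value starts a comment, so a secret containing one is silently truncated;
relative paths resolve against the proxy install root.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# A whole line is a comment when it starts with REM, # or ;
COMMENT_LINE_RE = re.compile(r"^(?:rem\b|[#;])", re.IGNORECASE)
# Inside a value, the first # or ; starts a comment and ends the value
INLINE_COMMENT_RE = re.compile(r"[#;]")
# Assumed credential parameter names: skey, *_secret, *_password, with optional _N suffix
SECRET_KEY_RE = re.compile(r"(?:^|_)(?:skey|secret|password)(?:_\d+)?$")

INSTALL_ROOTS = {  # default install locations given on this page
    "windows": r"C:\Program Files\Duo Security Authentication Proxy",
    "linux": "/opt/duoauthproxy",
}


def is_secret_key(key):
    return SECRET_KEY_RE.search(key) is not None


def parse_authproxy_cfg(text):
    """Return (sections, findings).

    sections maps section name -> {key: value} holding the values the proxy
    would actually use (comment character and everything after it dropped);
    findings is a list of human-readable problems.
    """
    sections, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or COMMENT_LINE_RE.match(line):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            if name != name.lower():
                findings.append(f"line {lineno}: section [{name}] should be lowercase")
            current = sections.setdefault(name, {})
            continue
        if current is None:
            findings.append(f"line {lineno}: property before any [section] header")
            continue
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {lineno}: expected name=value, got {line!r}")
            continue
        key = key.strip()
        if key != key.lower():
            findings.append(f"line {lineno}: parameter {key!r} should be lowercase")
        cut = INLINE_COMMENT_RE.search(value)
        effective = (value[:cut.start()] if cut else value).strip()
        if cut and is_secret_key(key):
            findings.append(f"line {lineno}: {key} contains {value[cut.start()]!r}; "
                            f"the proxy would use the truncated value {effective!r}")
        current[key] = effective
    return sections, findings


def resolve_path(install_root, value):
    """Resolve a config path the way the page describes: relative values are
    joined to the install root, absolute values are returned unchanged."""
    if re.match(r"^[A-Za-z]:[\\/]", install_root):
        p = PureWindowsPath(value)
        return str(p if p.is_absolute() else PureWindowsPath(install_root) / p)
    p = PurePosixPath(value)
    return str(p if p.is_absolute() else PurePosixPath(install_root) / p)


def lint_file(path):
    """Lint a real config file (assumed name: conf/authproxy.cfg)."""
    with open(path, encoding="utf-8") as fh:
        return parse_authproxy_cfg(fh.read())


# Constructed sample: placeholder hosts, keys and passwords only.
SAMPLE_CFG = """\
; constructed sample for illustration, not a real deployment
[main]
log_dir=log
debug=false

[ad_client]
host=dc1.example.com
service_account_username=duosvc
service_account_password=p@ss;word
search_dn=DC=example,DC=com

[Radius_Server_Auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder#skey
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=10.0.0.5
radius_secret_1=CorrectHorse
Port=1812
client=ad_client
"""


def lint_sample():
    """Parse SAMPLE_CFG and resolve its log_dir against both default roots."""
    sections, findings = parse_authproxy_cfg(SAMPLE_CFG)
    log_dir = sections.get("main", {}).get("log_dir", "log")  # 'log' is the documented default
    log_paths = {name: resolve_path(root, log_dir) for name, root in INSTALL_ROOTS.items()}
    return sections, findings, log_paths


if __name__ == "__main__":
    sections, findings, log_paths = lint_sample()
    for finding in findings:
        print("WARN", finding)
    for name, path in log_paths.items():
        print(f"{name} log directory: {path}")
```

On the sample, the linter reports the password truncated to p@ss, the skey truncated to placeholder, and the two capitalisation problems. A truncated shared secret is especially unpleasant to debug because the file still parses cleanly; the mismatch only appears when the RADIUS client or directory bind is rejected.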
Encrypting Passwords
When running the Authentication Proxy on Windows, you may use encrypted alternatives for all service account passwords, Duo secret keys, and RADIUS secrets if you do not want to store them as plain text. Use the password-encryption program located in the bin directory of your Authentication Proxy installation.
The encrypted password or secret is specific to the server that generated it and will not work if copied to a different machine. If you have multiple Authentication Proxy servers, run the tool separately on each one.
Run the tool from a Windows Command Prompt and provide the password or secret to encrypt when prompted:
c:\>"C:\Program Files\Duo Security Authentication Proxy\bin\"