The typical Duo Authentication Proxy RADIUS agent is set up to use "Active Directory/LDAP [ad_client]". That method requires Leostream to send the user's password along with the username + PIN (or PUSH). In our MFA RADIUS authentication workflow, however, the password is never provided, so we need to use the [duo_only_client] method instead. Below is an example of the configuration file:
; Complete documentation about the Duo Auth Proxy can be found here:
; https://duo.com/docs/authproxy_reference
; NOTE: After any changes are made to this file the Duo Authentication Proxy
; must be restarted for those changes to take effect.

; MAIN: Include this section to specify global configuration options.
; Reference: https://duo.com/docs/authproxy_reference#main-section
;[main]

; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])
; Duo-only: no primary authentication is performed, so [ad_client] stays commented out.
[duo_only_client]
;[ad_client]
;host=
;service_account_username=
;service_account_password=
;search_dn=

; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)
[radius_server_duo_only]
ikey=ikey
skey=skey
api_host=duoendpoint
radius_ip_1=broker_ip
radius_secret_1=secret
failmode=safe
; client must name the active client section; [ad_client] above is commented out
client=duo_only_client
port=1812
Note: The default [ad_client] is commented out and is replaced by [duo_only_client], and [radius_server_duo_only] replaces the default [radius_server_auto].
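The layout above is easy to get subtly wrong (a client= value naming a section that is commented out, or placeholder keys left in place). The following Python check is an added example, not Leostream's or Duo's code; it parses an authproxy.cfg with the standard library and reports inconsistencies in the duo-only layout described here. The sample configuration embedded in it is constructed to mirror this page, placeholders included.

```python
"""Added example: sanity-check an authproxy.cfg for the duo-only RADIUS layout."""
import configparser

# Constructed sample mirroring this page's configuration (placeholders kept,
# and client= still pointing at the commented-out [ad_client]).
SAMPLE_CFG = """
[duo_only_client]
;[ad_client]
;host=

[radius_server_duo_only]
ikey=ikey
skey=skey
api_host=duoendpoint
radius_ip_1=broker_ip
radius_secret_1=secret
failmode=safe
client=ad_client
port=1812
"""

# Placeholder values as they appear on this page; real deployments replace them.
PLACEHOLDERS = {"ikey", "skey", "duoendpoint", "broker_ip", "secret"}
REQUIRED = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1")


def check_duo_only_cfg(text: str) -> list[str]:
    """Return a list of findings; an empty list means the layout is consistent."""
    cp = configparser.ConfigParser(interpolation=None)  # ';' lines are comments
    cp.read_string(text)
    findings = []
    servers = [s for s in cp.sections() if s.startswith("radius_server_duo_only")]
    if not servers:
        findings.append("no [radius_server_duo_only] section")
    if not any(s.startswith("duo_only_client") for s in cp.sections()):
        findings.append("[duo_only_client] section missing")
    for s in servers:
        sec = cp[s]
        for key in REQUIRED:
            if key not in sec:
                findings.append(f"{s}: missing {key}")
            elif sec[key] in PLACEHOLDERS:
                findings.append(f"{s}: {key} still holds placeholder '{sec[key]}'")
        client = sec.get("client")
        if client and client not in cp.sections():
            findings.append(f"{s}: client={client} names a section that is absent (commented out?)")
        if sec.get("failmode", "safe") not in ("safe", "secure"):
            findings.append(f"{s}: unknown failmode '{sec.get('failmode')}'")
    return findings
```

Run it against the real file (`check_duo_only_cfg(open(path).read())`) before restarting the proxy; the sample above yields six findings.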
© Copyright 2023 Leostream Corporation