The typical Duo Proxy RADIUS agent is setup to use "Active Directory/LDAP [ad_client]". This method would require Leostream to send the password along with the username + PIN (or PUSH). However, in our MFA RADIUS authentication workflow, the password is never provided. Because of this, we will need to leverage the [duo_only_client] method - below is an example of the configuration file:
 
; Complete documentation about the Duo Auth Proxy can be found here:
; https://duo.com/docs/authproxy_reference

; NOTE: After any changes are made to this file the Duo Authentication Proxy
; must be restarted for those changes to take effect.

; MAIN: Include this section to specify global configuration options.
; Reference: https://duo.com/docs/authproxy_reference#main-section
;[main]


; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])

[duo_only_client]

;[ad_client]
;host=
;service_account_username=
;service_account_password=
;search_dn=


; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)

[radius_server_duo_only]
ikey=ikey
skey=
skey
api_host=
duoendpoint
radius_ip_1=
broker_ip
radius_secret_1=secret
failmode=safe
client=ad_client
port=1812
 
 
Note: The default [ad_client] is commented out and is replaced by [duo_only_client]. [radius_server_duo_only] replaces the default [radius_server_auto]