The typical Duo Proxy RADIUS agent is setup to use "Active Directory/LDAP [ad_client]". This method would require Leostream to send the password along with the username + PIN (or PUSH). However, in our MFA RADIUS authentication workflow, the password is never provided. Because of this, we will need to leverage the [duo_only_client] method - below is an example of the configuration file:
; Complete documentation about the Duo Auth Proxy can be found here:
; NOTE: After any changes are made to this file the Duo Authentication Proxy
; must be restarted for those changes to take effect.
; MAIN: Include this section to specify global configuration options.
; Reference: https://duo.com/docs/authproxy_reference#main-section
; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])
; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)
Note: The default [ad_client] is commented out and is replaced by [duo_only_client]. [radius_server_duo_only] replaces the default [radius_server_auto]