Duo Authentication Proxy Configuration

The Duo Authentication Proxy is a quick and easy way for a business to start testing 2FA with certain important applications. A lot of software doesn't have 2FA built in, but does offer some form of LDAP user/group authentication. Software such as HPE OneView, HPE c7000/3000 chassis, HPE SSMC, Graylog, etc. offers only simple LDAP authentication. The Duo authentication proxy enables all of these applications to use 2FA for authentication, provided the application lets you increase its LDAP timeout to 60 seconds. Some applications allow you to modify their LDAP timeout value, but others do not. Graylog, for example, does allow you to modify the LDAP timeout value, but the new version works with Duo using the default configuration.

The Duo authentication proxy is, for the most part, pretty easy to set up. However, as soon as you start adding certificates, troubleshooting becomes a problem. The good thing is that general troubleshooting is not that difficult if you enable debug logging within the authproxy.cfg file.

  1. Create a free Duo account by going to: https://signup.duo.com/
  2. Install the latest version of the authentication proxy by following this guide: https://duo.com/docs/authproxy_reference

Use Case Scenario: LDAPS Authentication Proxy

I currently have a load-balanced LDAPS service that points to each of my Active Directory domain controllers. All of my LDAP applications point to this load-balanced service in their configuration. I started testing the Duo auth proxy by running the service without certificates at first, to test the configuration; if certain applications worked with 2FA, certificates would then be added later. A sample configuration of my Duo auth LDAP proxy service is as follows:

The Duo Authentication Proxy configuration file is named authproxy.cfg, and located in the ‘conf’ subdirectory of the proxy installation.

[main]
debug=true

[ad_client]
host=ldaps.contoso.com
service_account_username=duo_authentication_proxy
service_account_password_protected=myserviceaccountpassword
search_dn=OU=users,DC=contoso,DC=com
transport=ldaps
ssl_ca_certs_file=conf\myldapscert-SHA2.cer
port=636
ssl_verify_hostname=true
timeout=60

[ldap_server_auto]
ikey=myikey
skey=myskey
api_host=api-myapihost.duosecurity.com
failmode=safe
client=ad_client
port=636

Now you may notice a few things:

  1. I encrypted the service_account_password
  2. I have included my ssl_ca_certs_file for the ad_client section
  3. The ikey and skey values are generated when you add the Duo LDAP auth proxy application in the Duo admin interface.

In order to get the ssl_ca_certs_file working properly, I had to add the entire certificate chain to my .cer file. The certificates I use contain two intermediate CA certificates and one root CA certificate. I simply copied the entire certificate chain and pasted it above my public certificate in top-down order. Before I figured out this certificate chain problem, the Duo auth proxy service would fail to start.

Once I had tested a few applications with my new Duo auth proxy, I decided to go ahead and add my own certificate to the Duo Auth Proxy and enable SSL connections. My configuration is below.

LDAPS configuration

[main]
debug=true

[ad_client]
host=ldaps.contoso.com
service_account_username=duo_authentication_proxy
service_account_password_protected=myserviceaccountpassword
search_dn=OU=users,DC=contoso,DC=com
transport=ldaps
ssl_ca_certs_file=conf\myldapscert-SHA2.cer
port=636
ssl_verify_hostname=true
timeout=60

[ldap_server_auto]
ikey=myikey
skey=myskey
api_host=api-myapihost.duosecurity.com
failmode=safe
client=ad_client
ssl_port=636
ssl_key_path=duoauthproxy.contoso.com.key
ssl_cert_path=duoauthproxy.contoso.com.cer

In order to get SSL working properly, I had to add the entire certificate chain to my .cer file. The certificates I use contain two intermediate CA certificates and one root CA certificate. I simply copied the entire certificate chain and pasted it below my public certificate. It might have been possible to add these certificates to the default http_ca_certs_file instead. Before I figured out this certificate chain problem, the Duo auth proxy service would fail to start.

Good luck configuring your authentication proxy service, and I hope this helps anyone who might need help in the configuration.


About Parker Jardine

Manager of Systems Administration in the Information Technology Higher Education space. I enjoy biking, climbing, hockey, camping, mountaineering, hunting, paragliding, and just being outdoors. You can read my Make Magazine project articles about a diy solar panel and solar systems design in volumes 12 and 14.
This entry was posted in Duo 2FA, ldaps.
