- [Cody] Hi, I'm Cody from Duo Security, now part of Cisco. In this video, we are going to show you how to install and configure your Duo Authentication Proxy for a variety of usage scenarios on Windows. The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications and performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request, the proxy returns access approval to the requesting device or application. In addition to providing two-factor authentication, the Duo Authentication Proxy is a required component for importing Active Directory or OpenLDAP users into Duo via Directory Sync and for Active Directory authentication for Duo Single Sign-On, and it can also act as an HTTP proxy itself for other systems that need to contact Duo's cloud service. The Duo Authentication Proxy is available on all Duo editions and can be installed and configured on Windows and Linux systems. Before watching the video, please read the documentation at duo.com/docs/authproxy-reference.

Let's begin with installation. In this video, we will be installing Duo Authentication Proxy version 5.2.0 on a Windows system. This version of the Authentication Proxy allows for a simpler elevated command prompt when starting the service, and has a different installation path for our configuration file when compared to Authentication Proxy version 4.0.2 and earlier. Be sure to reference the documentation for more information on version differences. The Duo Authentication Proxy on Windows requires Windows Server 2012 or later. Server 2016 or 2019 are recommended. For additional installation details, including installing the Authentication Proxy on Linux operating systems, see the documentation.

The proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 megabytes (MB) of disk space, and 4 GB of RAM, although 1 GB of RAM is usually sufficient. On the system you have chosen to host the proxy, navigate to duo.com/docs/authproxy-reference and click the link under Installation to download the latest version of the Duo Authentication Proxy for Windows. Leave this page open, as we will be using it later for our configuration. After the installer has finished downloading, launch the installer as a user with administrator rights. Follow the onscreen prompts and install the Proxy. Click 'Finish' when installation is complete.

The Authentication Proxy is now ready to be configured, but note that you need to add your authentication and application information to the default configuration file before you can start the Duo Authentication Proxy Service. For future upgrades to the Authentication Proxy, you can refer back to the reference link to download and run the installer for the latest version. Upgrading the proxy retains the conf and log folders and their contents from your current installation. Note that if you have changed the properties of the Duo Authentication Proxy Service to run as a named domain account, be aware that the service will revert to running as 'Local System' after the upgrade. Repeat the process to change the service back to using a named domain service account before starting the service. Additionally, if the Duo Authentication Proxy Service was running when you started the upgrade, the installer attempts to restart the proxy service after the upgrade completes. Any time after you update or modify your Authentication Proxy configuration, you will need to stop and restart the service for your changes to take effect.

Next, we are going to locate our Authentication Proxy configuration file and learn how to configure it to suit our needs. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. The default installation path for a Windows system running Authentication Proxy version 5.0.0 and later is C:\Program Files\Duo Security Authentication Proxy. Older versions of the Authentication Proxy were installed in the Program Files (x86) directory. Navigate to this area to familiarize yourself with the Proxy's directory structure. The folders we will interact with most are the conf and log subdirectories.

Let's begin by reviewing the authproxy.cfg file, since this is the file that we will configure to interact with our primary authenticator and Duo-protected applications. To begin our authproxy.cfg file configuration, run a text editor as an administrator. We recommend using WordPad because it best respects formatting like carriage returns. Click Open, then navigate to the conf folder of the Authentication Proxy installation directory. To the right of File Name, select 'All Documents' from the dropdown menu and open the authproxy file. The file itself is configured as a simple INI file: section headings are enclosed in brackets, with individual properties beneath the section heading. Note that section headings and section-specific parameters should be lowercase, and you may comment out lines in this file by beginning the line with REM, a hash (#), or a semicolon (;) character. We will revisit commenting out lines later in this video, but do not use any secrets or passcodes in your config file that contain these characters. If this is the first time you have opened the file, you can delete the sample text.

Now that we have made it to our proxy configuration file, let's review the sections that we will end up including. With our proxy configuration file ready to be filled out, let's focus on the client section that we will be adding to the file. Note that all client section headings should be lowercase. The most common client section to include for your setup will be an ad_client section. ad_client is used when you would like to use an Active Directory domain controller to perform primary authentication. In this video example, we will be using an ad_client section. To configure more than one client configuration of the same type, append a number to the section name, as in ad_client2 or ad_client3. Additional client section options include radius_client and duo_only_client. Use radius_client when the Authentication Proxy contacts another RADIUS server, like Microsoft NPS or Cisco ACS, to perform primary authentication. Use the duo_only_client section if your device supports separate configurations for primary and secondary authentication; you can use the Authentication Proxy for the secondary authentication and let your device handle primary authentication independently. For additional details on setting up these other client sections, please see duo.com/docs/authproxy-reference.

In the Authentication Proxy configuration file, make sure that you have removed any sample text. Next, add an ad_client section to use an Active Directory domain controller to perform primary authentication. Below that line, start a new line with host=, and then enter the hostname or IP address of your domain controller. Then, copy service_account_username= from the documentation example and paste it onto the next line of your configuration file. Then, enter the username of a domain member account that has permission to bind to your Active Directory and perform searches. We recommend creating a service account that has read-only access and using it for the proxy. On the next line, we are going to copy and paste the section element service_account_password= from the documentation example and then enter the password for that username. For information on encrypting passwords in Windows, please see the documentation. For the next line, copy and paste search_dn=, again from the documentation example, and enter the LDAP DN or distinguished name of an Active Directory container or organizational unit containing all of the users you wish to permit to log in. These five lines make up the minimum requirements needed for the proxy to interact with Active Directory.

In the ad_client section, you can also add additional configuration elements for your specific setup. Two of the most frequently used options are adding an additional hostname or IP address for a fallback domain controller, and further restricting access to a security group that contains the users who should be able to log in as direct group members. To add a secondary or fallback domain controller, add a new line below your first host parameter and type host_2=, and include the hostname or IP address of your secondary controller. Additional fallback domain controllers can be added in the same way, as in host_3, host_4, and so on. To add a security group, add a new line and copy and paste security_group_dn= from the documentation. Then specify the LDAP distinguished name of the group that you want to allow to log in. Users who are not direct members of the group will fail primary authentication. Additional elements, including LDAP filters, timeout options around primary authentication, and port settings, can be found in the documentation. Save your configuration file. Your authentication proxy is now configured to use Active Directory for primary authentication.

Once your authentication proxy has its client section configured, it is time to review your options for the server section. Depending on which type of application you are configuring, you will need to include one or more of the following configuration sections. Please note that each configuration section has a different impact on the end-user authentication experience. The available server sections are RADIUS Auto, RADIUS iFrame, RADIUS Challenge, RADIUS Concat, RADIUS Duo Only, and LDAP Auto.

RADIUS Auto. This mode is recommended for most applications and is compatible with almost all systems that support RADIUS authentication. When using RADIUS Auto, an automatic Duo Push or call is sent to the user's device for authentication. Users can also use the 'password,factor' format to specify an alternate device and/or passcode.

RADIUS iFrame. When using RADIUS iFrame, users will see Duo's web-based authentication prompt. This mode is only available on supported devices, like Citrix and F5 SSL VPNs.

RADIUS Challenge. When using RADIUS Challenge, users will be presented with a textual challenge after entering their existing passwords. Note that not all systems supporting RADIUS authentication can support RADIUS Challenge. However, for systems that do support challenges, this offers a cleaner and more flexible integration than RADIUS Concat. In most cases, we recommend using RADIUS Auto instead of RADIUS Challenge.

RADIUS Concat. When using RADIUS Concat, users will append a Duo passcode to their existing passwords. This mode should be compatible with almost any system that supports RADIUS authentication using the PAP mechanism. In most cases, we recommend using RADIUS Auto instead of RADIUS Concat.

RADIUS Duo Only. RADIUS Duo Only enables you to use a RADIUS integration that does not handle primary authentication credentials. The user's passcode or factor choice, encrypted using the PAP mechanism, is submitted as the RADIUS password. This section never requires a client parameter and should only be used with devices that support secondary RADIUS authentication.

LDAP Auto. When using LDAP Auto, the factor is automatically selected for each login instead of prompting the user. Users can also use the 'password,factor' format to specify an alternate device and/or factor. Multiple server configurations can be used by appending a number to the end of the section name, such as ldap_server_auto1, ldap_server_auto2, and so on. Incoming requests will be filtered to a given server configuration based on the IPs set in ldap_ip_x in each server section.

In this video, we will show you how to set up the Duo Authentication Proxy to interact with the generic RADIUS application using a RADIUS Auto setup and Active Directory for primary authentication. For details on other configuration options, please see the documentation. To begin, log in to the Duo Admin Panel. Click on Applications. Then click Protect an Application. In the search field, type RADIUS. Under the generic RADIUS entry, click Protect. At the top of your new RADIUS application's properties page, you will see your Integration key, your Secret key, and API hostname. Next, scroll down the RADIUS application properties page, and rename your application in the Name field under Settings. Type something recognizable to differentiate this application from others. In this example, we'll name the application Device A. Next, click Save. Keep this page open for quick access throughout the rest of the setup process.

Next, run a text editor as an administrator. We will once again be using WordPad for how it best respects formatting like carriage returns. Inside the text editor, click Open and navigate to the authproxy.cfg file where we previously added our ad_client section. We have already configured our proxy to use Active Directory as our primary authenticator. Below the final line of the ad_client section, add an empty line. Next, we are going to add a commented-out line to provide some contextual information for any future users of the config file. For this example, type ;RADIUS Device A. The required elements for a RADIUS Server Auto section are ikey, skey, api_host, radius_ip, radius_secret, and client. To learn more about the optional elements for this server section, see the documentation. To begin, below your commented-out line, create your [radius_server_auto] section. Next, copy and paste ikey= from the documentation page example, and then paste your integration key from your RADIUS application's properties page. Then, copy and paste skey= from the documentation page, and copy and paste your secret key from the properties page. If you would like to encrypt this password, see Encrypting Passwords in the documentation and use the skey_protected parameter instead. Next, copy and paste api_host= from the documentation, and then paste the API hostname from your properties page. Beneath those lines, create a new line and copy and paste radius_ip_1= from the documentation, and then enter the IP address of your RADIUS device. Then, start a new line and copy radius_secret_1= from the documentation, and enter the secret shared between your proxy and your device. Next, define what the proxy will use to perform primary authentication. In this case, we will be using Active Directory. Add a new line and copy and paste client= from the documentation, and enter ad_client. Finally, enter a port on which to listen for incoming RADIUS requests. The default port is 1812, so type port=1812. The port parameter is optional. When you are done setting up this section, save your configuration file. To include optional element fields like additional RADIUS clients, API timeout details, and failmode settings, please see the documentation for more information.

The [cloud] section is a special configuration used only when importing users to Duo via OpenLDAP or Active Directory synchronization. When using Duo Authentication Proxy version 5.2.0 or newer, multiple cloud sections formatted as [cloud], [cloud2], [cloud3] and so on may coexist in the same authproxy.cfg configuration file, each corresponding to a different sync in the same Duo account. In proxy versions 5.1.0 and earlier, only one [cloud] section may be present in the configuration file, therefore requiring a separate Authentication Proxy server for each AD or OpenLDAP sync you configure. The main elements of a cloud section are as follows: ikey, skey, api_host, service_account_username, and service_account_password. The values for the cloud section are provided on the directory's properties page in the Duo Admin Panel as a downloadable text file. Copy the information from that file, and append it to your existing authproxy.cfg file. You may have to fill in the service account username and password if your authentication type is not integrated. When you are done setting up this section, save your configuration file.

The [http_proxy] section configuration allows supported Duo applications to proxy HTTPS connections to Duo's cloud service through the Authentication Proxy server. This is useful in environments where client systems do not have direct Internet access to Duo. Note that you must also configure the Duo application to use the Authentication Proxy server as an HTTP proxy. In this video example, we will not include the [http_proxy] section. For more information on this configuration, please refer to the documentation.

The Duo Authentication Proxy Service can run in Federal Information Processing Standards (FIPS) mode. In this video example, we will not enable FIPS mode, but to employ this configuration, please see the documentation.

With our Duo Authentication Proxy now configured, let's start up the proxy service. Authentication Proxy versions 5.1.0 and later include the 'authproxyctl' executable, which shows the connectivity tool output when starting the service and can assist you if you run into issues when starting the proxy. In this video, we will be using 'authproxyctl start' for our installation of the Duo Authentication Proxy version 5.2.0. On your Windows device, open an elevated Command Prompt and run authproxyctl start. You can also start the proxy by opening the Windows Services console, locating Duo Security Authentication Proxy Service in the list of services, and then clicking Start for the service. If the service starts successfully, Authentication Proxy service output is written to the authproxy.log file. We can check the connectivity status by navigating to the log subdirectory, which is located in C:\Program Files\Duo Security Authentication Proxy\log. If you see an error message saying that the service could not be started, open the Application Event Viewer and look for an error from the source duoauthproxy. The traceback may include a config error that can help you find the source of the issue. After fixing any necessary errors, stop and restart the Authentication Proxy Service by either clicking the Restart Service button in the Windows Services console or by running authproxyctl restart from an elevated command prompt. Your Duo Authentication Proxy Service is now running successfully. Nice work!
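The video describes the authproxy.cfg rules in prose (lowercase section headings and keys; comment lines beginning with REM, # or ;; no comment characters inside secrets; the minimum keys for the ad_client, radius_server_auto and cloud sections; numbered host_N, radius_ip_N and radius_secret_N entries; a client value that names an existing section). As an added example, not code from the video or from Duo, the Python below turns those rules into a pre-flight check you can run against a configuration file before starting the service, so that a mistake of the kinds the video warns about is reported as a plain message rather than as a traceback in the Event Viewer. The two sample configurations are constructed, with placeholder keys, hostnames and secrets; the assumption that every server section other than radius_server_duo_only needs a client value follows the video's statement about RADIUS Duo Only.

```python
"""Pre-flight checks for a Duo Authentication Proxy authproxy.cfg.

Added example, not Duo's own tooling. It encodes the rules stated in the video:
lowercase section names and keys; ';', '#' and 'REM' start comment lines;
secrets must not contain ; or #; minimum keys for ad_client, radius_server_auto
and cloud; numeric suffixes for repeated sections; each radius_ip_N paired with
a radius_secret_N; server sections (except RADIUS Duo Only, assumed) naming an
existing client section. All sample values below are constructed placeholders.
"""
import configparser
import re

COMMENT_MARKERS = (";", "#", "REM")
SECRET_KEY = re.compile(r"^(skey|service_account_password|radius_secret_\d+)$")
RADIUS_IP_KEY = re.compile(r"^radius_ip_(\d+)$")

# Minimum keys per section type as listed in the video (radius_ip/radius_secret
# carry the _1 suffix in the actual file).
REQUIRED = {
    "ad_client": {"host", "service_account_username", "service_account_password", "search_dn"},
    "radius_server_auto": {"ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client"},
    "cloud": {"ikey", "skey", "api_host", "service_account_username", "service_account_password"},
}


def base_name(section: str) -> str:
    """Strip a numeric suffix: ad_client2 -> ad_client, cloud3 -> cloud."""
    return re.sub(r"\d+$", "", section)


def load_config(text: str) -> configparser.ConfigParser:
    """Parse with the proxy's comment conventions; keys keep their case
    (optionxform=str) so that uppercase keys can be reported."""
    cp = configparser.ConfigParser(comment_prefixes=COMMENT_MARKERS,
                                   inline_comment_prefixes=None,
                                   interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_config(text: str) -> list:
    """Return human-readable problems; an empty list means every check passed."""
    cp = load_config(text)
    sections = cp.sections()
    errors = []
    for section in sections:
        if section != section.lower():
            errors.append(f"[{section}] section name must be lowercase")
        base = base_name(section.lower())
        keys = set(cp[section])
        for key in keys:
            if key != key.lower():
                errors.append(f"[{section}] key {key} must be lowercase")
        for key in sorted(REQUIRED.get(base, set()) - keys):
            errors.append(f"[{section}] missing required key {key}")
        for key, value in cp[section].items():
            if SECRET_KEY.match(key) and set(";#") & set(value):
                errors.append(f"[{section}] {key} contains a comment character (; or #)")
            m = RADIUS_IP_KEY.match(key)
            if m and f"radius_secret_{m.group(1)}" not in keys:
                errors.append(f"[{section}] {key} has no matching radius_secret_{m.group(1)}")
        # Every server section except RADIUS Duo Only must reference a client section.
        if base.startswith(("radius_server_", "ldap_server_")) and base != "radius_server_duo_only":
            client = cp[section].get("client")
            if client is None and "client" not in REQUIRED.get(base, set()):
                errors.append(f"[{section}] missing required key client")
            elif client is not None and client not in sections:
                errors.append(f"[{section}] client={client} is not a section in this file")
    return errors


# Constructed example mirroring the sections built in the video (placeholders only).
SAMPLE_GOOD = """\
[ad_client]
host=dc1.example.internal
host_2=dc2.example.internal
service_account_username=duo-svc
service_account_password=Placeholder-Pass-1
search_dn=DC=example,DC=internal

;RADIUS Device A
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-secret-key
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=placeholder-radius-secret
client=ad_client
port=1812
"""

# Constructed example containing the mistakes the video warns about.
SAMPLE_BAD = """\
REM uppercase section and key, secret containing ';', missing search_dn
[AD_Client]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=bad;pass
Search_DN=DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-secret-key
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=placeholder-radius-secret
radius_ip_2=192.0.2.11
client=ad_client9
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        problems = check_config(text)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

To use it on a real installation, pass the contents of the conf\authproxy.cfg file to check_config; the bad sample yields six messages (uppercase section, uppercase key, missing search_dn, a secret containing ;, an unpaired radius_ip_2, and a client that names no section), while the good sample yields none. The checker deliberately parses only what the video specifies; keys it does not know about, such as security_group_dn or failmode, pass through untouched.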