
How to config Duo Authentication Proxy support 2 API ikey and skey

Alan Tang
Level 1

Hello:

Due to network security, the existing environment doesn't have internet access and we are using Duo Authentication Proxy. However, we have 2 APIs with the same API Host. May I know how I can configure Duo Authentication Proxy to have 2 API skeys and ikeys?

Thanks!

3 Replies 3

Alan Tang
Level 1

We are using the same DUO account for the API Host. We have created 2 Partner Auth APIs and all of the users need to perform MFA through Duo Authentication Proxy.

API Host
========
api-713xxxxx.duosecurity.com

Partner Auth API
==============
Auth API-01
ikey: 1Ixxxxxxxxxxxxxxx
skey: 1Sxxxxxxxxxxxxxx

Auth API-02
ikey: 2Ixxxxxxxxxxxxxxx
skey: 2Sxxxxxxxxxxxxxx


We have only one Duo Authentication Proxy, with the authproxy.cfg below (existing, working fine)
=============
[duo_only_client]

[cloud]
ikey=1Ixxxxxxxxxxxxxxx
skey=1Sxxxxxxxxxxxxxx
api_host=api-713xxxxx.duosecurity.com

[http_proxy]
api_host=api-713xxxxx.duosecurity.com
port=443
=============

Is it possible to add the additional Auth API-02 to the existing Duo Authentication Proxy?

Thanks!

@Alan Tang I am not sure why you would be using an Auth API application type with the Duo Authentication Proxy. That's not the intended application. As a means of providing 2FA to applications, Duo Authentication Proxy is intended for use with RADIUS or LDAP applications. You may experience unintended effects if you use the wrong type of application.

https://duo.com/docs/radius

https://duo.com/docs/ldap

We also have some named RADIUS applications we've vetted for specific devices, like Netscaler Gateway. You can find these by searching for "RADIUS" on the documentation index or the Application Catalog in the Admin Panel.

Otherwise, Ken answered the underlying question well. You may also find these resources helpful:

Can the Proxy be configured for multiple Duo applications? 

Can you have multiple API hostnames in one Duo Authentication Proxy? 

Can the Duo Authentication Proxy be used to protect multiple applications? 

Can the Duo Authentication Proxy include multiple client sections? 

Can I sync multiple directories with one Duo Authentication Proxy server using multiple [cloud] sections? 


Edited to add: if a third-party vendor told you to create Partner Auth API applications to use with the Authentication Proxy, do you mind sharing which vendor did this? That way our tech partners team can reach out to them and ask them to stop giving out incorrect instructions.

Duo, not DUO.

Reference this documentation.
https://duo.com/docs/authproxy-reference#configuration
You'll have a Cloud section that has an ikey/skey/api_host set for importing users from AD or LDAP.
You'll have a 'client' section for each data store you use on the back end (AD, other RADIUS, etc.).
For each application you're protecting, you'll create a Server section; each server section has a reference to the Client section it uses (they can all use the same one if that's all you need) and an ikey/skey/api_host set for each application.
Example below... Each server (radius_server_auto, ldap_server_auto, ldap_server_auto2) has its own ikey/skey/api_host, and they all use the same ad_client. You get that from the "Protected application" you set up in the Duo console.
ldap_server_auto uses standard ports, ldap_server_auto2 uses OTHER ports; you'll HAVE TO DO THIS!
If you have more than one RADIUS server, you have to do the same thing.


****************

[main]
debug = false
log_auth_events = true

[cloud]
ikey =
api_host = api.duosecurity.com
skey_protected =

[ad_client]
host = gc01.domain.local
host_2 = gc02.domain.local
search_dn = dc=domain,dc=local
transport = ldaps
ssl_ca_certs_file = Certs.crt
auth_type= sspi

[radius_server_auto]
ikey=
skey=
api_host=api.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=172.16.1.1
radius_ip_2=10.16.1.1
radius_secret_2=reallysecretradius1
radius_secret_1=reallysecretradius1
port=1812


[ldap_server_auto]
ikey =
api_host = api.duosecurity.com
skey_protected =
exempt_primary_bind = true
exempt_ou_1 = CN=LdapLookup,OU=Service Accounts,DC=domain,DC=local
client = ad_client
factors = auto
failmode = safe
ssl_cert_path = ldap.crt
ssl_key_path = ldap.key
cipher_list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
allow_searches_after_bind=true

[ldap_server_auto2]
ikey =
api_host = api.duosecurity.com
skey_protected =
exempt_primary_bind = true
exempt_ou_1 = CN=LdapLookup-cgw,OU=Service Accounts,DC=domain,DC=local
client = ad_client
factors = auto
failmode = safe
ssl_cert_path = ldap.crt
ssl_key_path = ldap.key
ssl_port = 646
port=399
cipher_list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

***********
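
The rules in the reply above (one ikey/skey/api_host set per server section, a client reference that resolves, distinct ports for server sections of the same type) can be checked before restarting the proxy. The following Python linter is an added example, not part of the original thread or of Duo's tooling; the function name, the sample config and its placeholder keys are constructed, and the default ports (RADIUS 1812, LDAP 389, LDAPS 636) are assumptions used when a section sets no port.

```python
import configparser

# Section prefix -> (transport, port options with the defaults assumed here).
SERVER_TYPES = {
    "radius_server_": ("udp", {"port": "1812"}),
    "ldap_server_": ("tcp", {"port": "389", "ssl_port": "636"}),
}

def lint_authproxy(text):
    """Return findings for an authproxy.cfg passed as a string."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    findings, listeners = [], {}
    for name in cfg.sections():
        prefix = next((p for p in SERVER_TYPES if name.startswith(p)), None)
        if prefix is None:
            continue  # [main], [cloud] and client sections are not listeners
        sec, (transport, port_keys) = cfg[name], SERVER_TYPES[prefix]
        # Each protected application carries its own ikey/skey/api_host.
        creds = {"ikey": sec.get("ikey", ""), "api_host": sec.get("api_host", ""),
                 "skey": sec.get("skey", "") or sec.get("skey_protected", "")}
        findings += [f"[{name}] missing {k}" for k, v in creds.items() if not v.strip()]
        # The client= reference must name a section present in the file.
        client = sec.get("client", "").strip()
        if client and not cfg.has_section(client):
            findings.append(f"[{name}] client={client}: no such section")
        # Two listeners on the same transport cannot share a port.
        for key, default in port_keys.items():
            port = sec.get(key, default).strip()
            owner = listeners.setdefault((transport, port), name)
            if owner != name:
                findings.append(f"[{name}] {key}={port} already used by [{owner}]")
    return findings

# Constructed sample: two RADIUS applications, placeholder keys and secrets.
SAMPLE = """
[ad_client]
[radius_server_auto]
ikey = DI_PLACEHOLDER_01
skey = placeholder-skey-01
api_host = api-XXXXXXXX.duosecurity.com
client = ad_client
[radius_server_auto2]
ikey = DI_PLACEHOLDER_02
skey = placeholder-skey-02
api_host = api-XXXXXXXX.duosecurity.com
client = ad_clinet
"""
print("\n".join(lint_authproxy(SAMPLE)))
```

The second section is flagged twice: its client name does not match any section, and with no `port` set it falls back to the same port as the first RADIUS listener.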