Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3260
Views
0
Helpful
1
Replies

AD Authentication and Expired passwords on Duo Auth Proxy

bkingstonmnc
Level 1
Level 1

‎11-04-2019 09:22 AM

We have an app protected by the duo proxy and uses pap to accept a duo token pin or push that authenticates to LDAP/AD. When users’ passwords expire, they receive an oblique “access denied” error.
Is it possible to restore the inbuilt AD password change functionality the app has when authenticating with AD directly while the dup proxy is implemented?

Labels:
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎11-04-2019 10:23 AM

You have two options:

  1. If whatever app you’re using lets you chain authenticators (specify different authentication servers for primary and secondary auth), you can point primary to your Active Directory and secondary to the Duo RADIUS proxy.

  2. If you cannot have different primary and secondary authentication servers in your app, you can switch from using AD as the primary authentication for the Duo RADIUS config to using RADIUS for primary instead. With both RADIUS server and client config at the Duo Proxy it can use MSCHAPv2 instead of PAP, and you could do password changes. You can deploy NPS in your domain to act as the RADIUS server, and NPS itself would authenticate against AD.

Before:
Application <-> Duo proxy (radius_server_xxx) <-> AD (via ad_client)

After:
Application <-> Duo proxy (radius_server_xxx) <-> NPS (via radius_client) <-> AD

Learn more about this configuration’s requirements and limitations in the help article Does the Duo Authentication Proxy support MS-CHAPv2? and in the Authentication Proxy Reference.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents