AD users authenticated without confirmation

swinkel
Level 1

I am trying to secure my Cloud Director infra with DUO.
I already have the Authentication Proxy running and the AD group of the users is synced and visible in the DUO Admin portal.
Within Cloud Director I have added the Authentication Proxy as an LDAP server and imported the users of the group.
But... when I log in to the Cloud Director portal I'm authenticated without doing a confirmation within the DUO app.
That's not what I want.
This is the config I use:

[ad_client]
host=1.1.1.1
host_2=2.2.2.2
service_account_username=svc_duomfa
service_account_password_protected=<pwd>
search_dn=dc=ccc,dc=bbb,dc=aaa

[ldap_server_auto]
client=ad_client
ikey=<ikey>
skey=<skey>
api_host=apixxxx.duosecurity.com
failmode=secure

[cloud]
ikey=<ikey>
skey=<skey>
api_host=apixxxx.duosecurity.com
service_account_username=<serviceaccount>
service_account_password_protected=<pwd>

What am I overlooking?

Accepted Solution

DuoKristina
Cisco Employee

The Authentication Proxy assumes that most downstream LDAP applications create an LDAP connection, then perform a bind as the service account, a search for the authenticating user, and another bind as the authenticating user all in the same connection. Therefore the default behavior is to exempt the first bind in a connection from MFA.

Some applications do not do this, and instead they disconnect after performing the user search and then create a new LDAP connection to bind as the user. Since the user bind is the first bind in that connection, it bypasses MFA.

There are some configuration options you can apply to accommodate this "connect-service account bind-reconnect-user bind" behavior to ensure the user is prompted for 2FA. Please see https://help.duo.com/s/article/4989 to learn more about the exempt_primary_bind and exempt_ou settings.

Duo, not DUO.
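To make the two client patterns in the answer concrete, here is an added Python model (not Duo's code, and not a reproduction of the real proxy logic) of the per-connection bind policy described above: the first bind on a connection is exempt from MFA by default, so a client that reconnects before binding as the user never gets prompted. The DNs, the ProxyConfig/LdapConnection names and the single exempt_ou field are constructed for the example; the real setting keys and their exact syntax are in the linked article.

```python
# Added example, not Duo's code: models only the bind policy described above.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed DNs under the search_dn from the question.
SERVICE_DN = "cn=svc_duomfa,ou=Service Accounts,dc=ccc,dc=bbb,dc=aaa"
USER_DN = "cn=alice,ou=Users,dc=ccc,dc=bbb,dc=aaa"

@dataclass
class ProxyConfig:
    exempt_primary_bind: bool = True   # default: first bind per connection skips MFA
    exempt_ou: Optional[str] = None    # modeled: DNs ending in this OU never get MFA

@dataclass
class LdapConnection:
    """One LDAP session through the proxy; counts the binds it has carried."""
    cfg: ProxyConfig
    binds_seen: int = 0
    log: List[str] = field(default_factory=list)

    def bind(self, dn: str) -> str:
        """Return 'primary-only' if MFA is skipped for this bind, else 'mfa'."""
        self.binds_seen += 1
        is_first = self.binds_seen == 1
        in_exempt_ou = (self.cfg.exempt_ou is not None
                        and dn.lower().endswith(self.cfg.exempt_ou.lower()))
        if in_exempt_ou or (is_first and self.cfg.exempt_primary_bind):
            decision = "primary-only"
        else:
            decision = "mfa"
        self.log.append(f"bind #{self.binds_seen} as {dn}: {decision}")
        return decision

def single_connection_client(cfg: ProxyConfig) -> str:
    """Pattern the proxy assumes: service bind, search, user bind on ONE connection."""
    conn = LdapConnection(cfg)
    conn.bind(SERVICE_DN)        # first bind (exempt by default), then the user search
    return conn.bind(USER_DN)    # second bind on the same connection -> MFA

def reconnecting_client(cfg: ProxyConfig) -> str:
    """Pattern from the question: service bind + search, disconnect, new connection for user bind."""
    LdapConnection(cfg).bind(SERVICE_DN)      # search happens here, then the socket closes
    return LdapConnection(cfg).bind(USER_DN)  # user bind is now the first bind of its connection

def hardened_config() -> ProxyConfig:
    """One combination of the named settings: no first-bind exemption, exempt only the service OU."""
    return ProxyConfig(exempt_primary_bind=False,
                       exempt_ou="ou=Service Accounts,dc=ccc,dc=bbb,dc=aaa")
```

With the defaults the reconnecting client's user bind returns "primary-only" (the bypass seen in the question); with hardened_config() both patterns return "mfa" for the user bind while the service account still binds without a prompt.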

2 Replies

swinkel
Level 1

Thanks! This indeed solved it.