Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
824
Views
1
Helpful
2
Replies

Duo Auth proxy password encryption length

Go to solution
Shawn.gaston1
Level 1
Level 1

‎04-08-2023 09:39 AM

Hello. We have the Duo auth prox conf file all setup and works fine. we use the raidus against meraki MX which works fine with the secret. when we try to encrypt the secret password the auth hashes it out into a very long string. meraki only accepts max of 48 characters for the secret. That being said is there anyway to make the duo has the password to only max of 48 characters?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoPablo
Cisco Employee
Cisco Employee

‎04-10-2023 01:03 PM

Hi @ShawnGaston ,

The encrypted text of the secret from the Auth Proxy should not be entered into the RADIUS appliance. The Auth Proxy hashes the secret but only for its own use.

In this example, the RADIUS secret for the Meraki Client VPN config is radiussecret1

2X_0_0a92a303519e4faa4f872fe7599fce3324b245b7.png

In the Duo Auth Proxy configuration, you would have entered it into the authproxy.cfg as:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=ad_client
port=1812
failmode=safe

Then, after performing the encryption command, the output will resemble:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
skey_protected=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_protected_1=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAFAXGTZJdPUuF9JbcuvSwagQAAAAeAAAAdwBpAG4AMwAyAGMAcgB5AHAAdABvAC4AcAB5
AAAAA2YAAMAAAAAQAAAANZiilAGq57x56P7+pdOPLgAAAAAEgAAAoAAAABAAAABdyNk87n/s53Jgyn4X6h+4IAAAADd4goUuz1WL
f6FEHmFZbL0wSxpH6GWFbyFGTw32fedsFAAAAMYIwtQ8Ac2ZalrXaSReUivsdkJ+
client=ad_client
port=1812
failmode=safe

The Meraki RADIUS server secret will remain radiussecret1

Encryption for the Auth Proxy’s secrets helps protect them from being viewable in plain text within the authproxy.cfg file.

Hope this helps!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
DuoPablo
Cisco Employee
Cisco Employee

‎04-10-2023 01:03 PM

Hi @ShawnGaston ,

The encrypted text of the secret from the Auth Proxy should not be entered into the RADIUS appliance. The Auth Proxy hashes the secret but only for its own use.

In this example, the RADIUS secret for the Meraki Client VPN config is radiussecret1

2X_0_0a92a303519e4faa4f872fe7599fce3324b245b7.png

In the Duo Auth Proxy configuration, you would have entered it into the authproxy.cfg as:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=ad_client
port=1812
failmode=safe

Then, after performing the encryption command, the output will resemble:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
skey_protected=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_protected_1=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAFAXGTZJdPUuF9JbcuvSwagQAAAAeAAAAdwBpAG4AMwAyAGMAcgB5AHAAdABvAC4AcAB5
AAAAA2YAAMAAAAAQAAAANZiilAGq57x56P7+pdOPLgAAAAAEgAAAoAAAABAAAABdyNk87n/s53Jgyn4X6h+4IAAAADd4goUuz1WL
f6FEHmFZbL0wSxpH6GWFbyFGTw32fedsFAAAAMYIwtQ8Ac2ZalrXaSReUivsdkJ+
client=ad_client
port=1812
failmode=safe

The Meraki RADIUS server secret will remain radiussecret1

Encryption for the Auth Proxy’s secrets helps protect them from being viewable in plain text within the authproxy.cfg file.

Hope this helps!

0 Helpful

Go to solution
Shawn.gaston1
Level 1
Level 1

‎04-12-2023 01:51 AM

TY for the clarification. That def makes sense!

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents