Duo proxy config syntax for adding a separate 2nd AD domain
04-30-2019 01:47 PM
Hi. I am trying to add a separate 2nd AD domain to the Duo proxy config and was wondering about the proper syntax to make it work. I’m looking at this online doc…
In the client sections portion it says:
[…] To configure more than one client configuration of the same type, append a number to the section name e.g. [ad_client2].
So am I supposed to call out that part of configuration like this (see at the very bottom)?
[main]
debug=false
[ad_client]
host=****
service_account_username=****
service_account_password_protected=****
search_dn=****
[ad_client2]
host=xx
host_2=xx
service_account_username=xx
service_account_password_protected=xx
search_dn=xx
[radius_server_auto]
ikey=****
skey=****
api_host=****
radius_ip_1=aa.aa.aa.aa
radius_secret_protected_1=****
radius_ip_5=xx.xx.xx.xx
radius_secret_5=***
failmode=safe
client=ad_client
port=1812
radius_ip_6=x.x.x.x
radius_secret_6=****
failmode=safe
client=ad_client2
port=1812
Please help. Thanks.
05-01-2019 08:11 AM
Hi Julian, you’re on the right track but you are trying to mix two different clients in one server section. You will need two different server sections, which means you will need two servers listening on different ports for the two AD clients. The server sections in the authproxy CFG file should be formatted as follows:
[radius_server_auto]
ikey=****
skey=****
api_host=****
radius_ip_1=aa.aa.aa.aa
radius_secret_protected_1=****
radius_ip_5=xx.xx.xx.xx
radius_secret_5=***
failmode=safe
client=ad_client
port=1812
[radius_server_auto2]
ikey=****
skey=****
api_host=****
radius_ip_6=x.x.x.x
radius_secret_6=****
failmode=safe
client=ad_client2
port=1813
05-01-2019 02:45 PM
Oh ok, cool. I’m guessing I can still use the same ikey, skey, and api_host values?
05-02-2019 06:39 AM
As long as both [radius_server_auto] sections are being used to protect the same app, yes.
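
An added example, not part of the thread or of Duo's documentation: a small Python check that flags the layout problem from the question (repeated client= and port= keys inside one [radius_server_auto] section) and passes the two-section layout from the 05-01-2019 reply. The function name, the sample hostnames and the default of 1812 for an unset port are assumptions, and it uses a minimal hand-written INI reader, not the proxy's own parser.

```python
import re

SERVER = re.compile(r"^radius_server_auto\d*$")

def check_authproxy_cfg(text):
    """Return a list of layout problems in authproxy.cfg-style text."""
    sections, problems, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in sections[current]:  # e.g. two client= lines in one server
                problems.append(f"[{current}] sets {key} more than once")
            sections[current][key] = value
    ports = {}
    servers = {n: o for n, o in sections.items() if SERVER.match(n)}
    for name, opts in servers.items():
        client = opts.get("client")
        if client not in sections:
            problems.append(f"[{name}] client={client} has no matching section")
        port = opts.get("port", "1812")  # assumption: 1812 when port is unset
        if port in ports:
            problems.append(f"[{name}] and [{ports[port]}] share port {port}")
        ports.setdefault(port, name)
    return problems

# Constructed sample values; only the section layout mirrors the thread.
CLIENTS = "[ad_client]\nhost=dc1.example.test\n[ad_client2]\nhost=dc2.example.test\n"
QUESTION_LAYOUT = CLIENTS + """[radius_server_auto]
client=ad_client
port=1812
client=ad_client2
port=1812
"""
REPLY_LAYOUT = CLIENTS + """[radius_server_auto]
client=ad_client
port=1812
[radius_server_auto2]
client=ad_client2
port=1813
"""

if __name__ == "__main__":
    print(check_authproxy_cfg(QUESTION_LAYOUT), check_authproxy_cfg(REPLY_LAYOUT))
```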
