cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
469
Views
1
Helpful
2
Replies

Duo Auth proxy password encryption length

Shawn.gaston1
Beginner
Beginner

Hello. We have the Duo auth prox conf file all setup and works fine. we use the raidus against meraki MX which works fine with the secret. when we try to encrypt the secret password the auth hashes it out into a very long string. meraki only accepts max of 48 characters for the secret. That being said is there anyway to make the duo has the password to only max of 48 characters?

1 Accepted Solution

Accepted Solutions

DuoPablo
Cisco Employee
Cisco Employee

Hi @ShawnGaston ,

The encrypted text of the secret from the Auth Proxy should not be entered into the RADIUS appliance. The Auth Proxy hashes the secret but only for its own use.

In this example, the RADIUS secret for the Meraki Client VPN config is radiussecret1

In the Duo Auth Proxy configuration, you would have entered it into the authproxy.cfg as:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=ad_client
port=1812
failmode=safe

Then, after performing the encryption command, the output will resemble:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
skey_protected=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_protected_1=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAFAXGTZJdPUuF9JbcuvSwagQAAAAeAAAAdwBpAG4AMwAyAGMAcgB5AHAAdABvAC4AcAB5
AAAAA2YAAMAAAAAQAAAANZiilAGq57x56P7+pdOPLgAAAAAEgAAAoAAAABAAAABdyNk87n/s53Jgyn4X6h+4IAAAADd4goUuz1WL
f6FEHmFZbL0wSxpH6GWFbyFGTw32fedsFAAAAMYIwtQ8Ac2ZalrXaSReUivsdkJ+

client=ad_client
port=1812
failmode=safe

The Meraki RADIUS server secret will remain radiussecret1

Encryption for the Auth Proxy’s secrets helps protect them from being viewable in plain text within the authproxy.cfg file.

Hope this helps!

View solution in original post

2 Replies 2

DuoPablo
Cisco Employee
Cisco Employee

Hi @ShawnGaston ,

The encrypted text of the secret from the Auth Proxy should not be entered into the RADIUS appliance. The Auth Proxy hashes the secret but only for its own use.

In this example, the RADIUS secret for the Meraki Client VPN config is radiussecret1

In the Duo Auth Proxy configuration, you would have entered it into the authproxy.cfg as:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=ad_client
port=1812
failmode=safe

Then, after performing the encryption command, the output will resemble:

[radius_server_auto]
ikey=■■■■■■■■■■■■■■■■■■■■
skey_protected=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=5.6.7.8
radius_secret_protected_1=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAFAXGTZJdPUuF9JbcuvSwagQAAAAeAAAAdwBpAG4AMwAyAGMAcgB5AHAAdABvAC4AcAB5
AAAAA2YAAMAAAAAQAAAANZiilAGq57x56P7+pdOPLgAAAAAEgAAAoAAAABAAAABdyNk87n/s53Jgyn4X6h+4IAAAADd4goUuz1WL
f6FEHmFZbL0wSxpH6GWFbyFGTw32fedsFAAAAMYIwtQ8Ac2ZalrXaSReUivsdkJ+

client=ad_client
port=1812
failmode=safe

The Meraki RADIUS server secret will remain radiussecret1

Encryption for the Auth Proxy’s secrets helps protect them from being viewable in plain text within the authproxy.cfg file.

Hope this helps!

Shawn.gaston1
Beginner
Beginner

TY for the clarification. That def makes sense!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links