Duo Radius proxy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-28-2018 11:10 AM
I dont understand what I’m missing.
I have authentication set up and a Radius proxy running on a Linux box.
Linux box has Internet access.
My authentication to AD passes.
Then I can see in tcpdump, that the authentication request is sent to the Radius gatewaye.
Then I can also see that the Radius gateway sends the request to Duo in my tcpdump.
However NOTHING every comes back, and there’s nothing logged to Duo. It just gets lost somewhere…
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-28-2018 11:36 AM
Care to share your authproxy.cfg file? Remove any passwords or other sensitive info.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-28-2018 11:42 AM
[radius_server_duo_only]
ikey=hgjkghjkeghfhjkglklh
■■■■
api_host=■■■■
radius_ip_1=10.10.92.40
radius_secret_1=SUPERSEKRET
failmode=safe
port=1812
[ad_client]
host=10.10.92.40
service_account_username=serviceaccount
service_account_password=SUPERSEKRET
search_dn=OU=Domain_Users,DC=nothing,DC=net
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-28-2018 11:47 AM
I am running a similar config but I have the following…
[ad_client]
host=
service_account_username=LDAPUser
service_account_password=
search_dn=dc=$$$$,dc=com
[radius_server_auto]
ikey=
skey=
api_host=
client=ad_client
radius_ip_1=
radius_secret_1=
failmode=safe
I am assuming you have a “skey=” line in your config…
You can also enable some debug by adding the below to your config file…
[main]
debug=true
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-28-2018 12:07 PM
Yep. ikey, skey, debug enabled.
duoauthproxy.lib.duo_async.DuoAPIFailOpenError: API Request Failed: TimeoutError(’’,)

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-28-2018 12:28 PM
Hey there Pat_Labine!
That error indicates that the Duo proxy experienced an issue contacting the Duo API host. Take a look here for some tips.
For the api_host
value, ensure you have just the hostname only and didn’t enter it as a URL e.g. https://api-xxxx...
.
Also, [radius_server_duo_only]
means that the Duo proxy isn’t going to attempt to handle primary authentication, so it ignores the [ad_client]
config. If you want to use duo_only
, then you don’t need ad_client
.
Are those your actual IPs? I notice that you specified the same IP for an AD domain controller (host=10.10.92.40
in [ad_client]
) as was used for the RADIUS device passing the authentication request to the Duo proxy server (radius_ip_1=10.10.92.40
). If this is just an example IP, never mind!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-01-2018 05:55 AM
All the tests pass. I’ve determined that it’s probably a wed-proxy issue.
The web request from the duo-proxy to Duo has to go through a web proxy.
I have au http_proxy=10.10.0.4:80 in the config file, but it doesn’t seem to work.
http_proxy=http://10.10.0.4:80 doesn’t work either.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-01-2018 07:41 PM
Ah, I think you might just be using the wrong proxy option.
You should use http_proxy_host
and http_proxy_port
, documented here under the “Main Section”.
For example…
http_proxy_host=10.10.0.4
http_proxy_host=80
The [http_proxy]
configuration section is used when the Duo Authentication Proxy itself is acting as an HTTP proxy for Duo applications on other systems.
