AD Authentication and Expired passwords on Duo Auth Proxy

We have an app protected by the duo proxy and uses pap to accept a duo token pin or push that authenticates to LDAP/AD. When users’ passwords expire, they receive an oblique “access denied” error.
Is it possible to restore the inbuilt AD password change functionality the app has when authenticating with AD directly while the dup proxy is implemented?

You have two options:

  1. If whatever app you’re using lets you chain authenticators (specify different authentication servers for primary and secondary auth), you can point primary to your Active Directory and secondary to the Duo RADIUS proxy.

  2. If you cannot have different primary and secondary authentication servers in your app, you can switch from using AD as the primary authentication for the Duo RADIUS config to using RADIUS for primary instead. With both RADIUS server and client config at the Duo Proxy it can use MSCHAPv2 instead of PAP, and you could do password changes. You can deploy NPS in your domain to act as the RADIUS server, and NPS itself would authenticate against AD.

Before:
Application <-> Duo proxy (radius_server_xxx) <-> AD (via ad_client)

After:
Application <-> Duo proxy (radius_server_xxx) <-> NPS (via radius_client) <-> AD

Learn more about this configuration’s requirements and limitations in the help article Does the Duo Authentication Proxy support MS-CHAPv2? and in the Authentication Proxy Reference.