
AD Authentication and Expired passwords on Duo Auth Proxy

bkingstonmnc
Level 1

We have an app that is protected by the Duo proxy and uses PAP to accept a Duo token pin or push that authenticates to LDAP/AD. When users’ passwords expire, they receive an oblique “access denied” error.
Is it possible to restore the inbuilt AD password change functionality the app has when authenticating with AD directly while the Duo proxy is implemented?

1 Reply

DuoKristina
Cisco Employee

You have two options:

  1. If whatever app you’re using lets you chain authenticators (specify different authentication servers for primary and secondary auth), you can point primary to your Active Directory and secondary to the Duo RADIUS proxy.

  2. If you cannot have different primary and secondary authentication servers in your app, you can switch from using AD as the primary authentication for the Duo RADIUS config to using RADIUS for primary instead. With both RADIUS server and client config at the Duo Proxy it can use MSCHAPv2 instead of PAP, and you could do password changes. You can deploy NPS in your domain to act as the RADIUS server, and NPS itself would authenticate against AD.

Before:
Application <-> Duo proxy (radius_server_xxx) <-> AD (via ad_client)

After:
Application <-> Duo proxy (radius_server_xxx) <-> NPS (via radius_client) <-> AD

Learn more about this configuration’s requirements and limitations in the help article Does the Duo Authentication Proxy support MS-CHAPv2? and in the Authentication Proxy Reference.

Duo, not DUO.
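
The "After" layout from the reply above, sketched as an `authproxy.cfg` fragment. This is an added example, not part of the original post or Duo's documentation: the `radius_server_auto` section name (the reply only says `radius_server_xxx`), all addresses and all bracketed values are assumed placeholders, and the `pass_through_all` settings are an assumption to confirm against the MS-CHAPv2 help article the reply cites.

```ini
; Constructed example: every host, key and secret below is a placeholder.

; Before: the proxy performed primary authentication against AD over LDAP.
; With this client the app must send PAP, and an expired password only
; produces a generic rejection.
; [ad_client]
; host=192.0.2.10
; service_account_username=<service account>
; service_account_password=<service account password>
; search_dn=DC=example,DC=com

; After: the proxy forwards primary authentication to NPS over RADIUS,
; and NPS authenticates against AD.
[radius_client]
; NPS server address (placeholder)
host=192.0.2.20
; Shared secret between the Duo proxy and NPS
secret=<proxy-to-NPS shared secret>
; Assumption: relay RADIUS attributes so the MS-CHAPv2 exchange passes through
pass_through_all=true

[radius_server_auto]
ikey=<integration key>
skey=<secret key>
api_host=<API hostname>
; The protected application (placeholder address) and its shared secret
radius_ip_1=192.0.2.30
radius_secret_1=<app-to-proxy shared secret>
; Primary authentication now uses the RADIUS client instead of ad_client
client=radius_client
; Assumption: set on the server side as well, matching the client section
pass_through_all=true
port=1812
```

On the NPS side, the Duo proxy has to be registered as a RADIUS client with the same shared secret used in `[radius_client]`.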