DAP to be configured with both [duo_only_client] and [ad_client]

We currently have the DAP implemented for multiple applications and services.
And in all those cases DAP is responsible for the Primary and Secondary Authentication.
Now we want to add Citrix NetScaler, but this time DAP will be responsible only for the Secondary AuthC.

Will I be able to configure DAP with both the [ad_client] and [duo_only_client] options configured?
For example:

[duo_only_client]

[ad_client]
host=x.x.x.x
host2=x.x.x.x
service_account_username=
service_account_password=
search_dn=DC=xxx,DC=xxx

;For existing Application
[radius_server_auto]
ikey=xxxxxx
skey_protected=xxxxx
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=x.x.x.x
#radius_ip_2=x.x.x.x
radius_secret_protected_1=xxxxxxxxx
#radius_secret_protected_2=xxxxxxxxx
client=ad_client
port=1812
failmode=safe

;For the Citrix implementation
[radius_server_auto]
ikey=xxxxxxx
skey_protected=xxxxx
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=x.x.x.x
#radius_ip_2=x.x.x.x
radius_secret_protected_1=xxxxxxxxx
#radius_secret_protected_2=xxxxxxxxx
client=duo_only_client
port=1812
failmode=safe

Hi @BrLima ,

Yes, you can have a single Auth Proxy configured to support both ad_client and duo_only_client. Please see https://help.duo.com/s/article/2216.

For the Citrix integration, you would need to either name the server section radius_server_auto2 or use radius_server_duo_only as mentioned in Duo for Citrix Gateway Basic Secondary Authentication Instructions | Duo Security. You would also need to specify a different port for the RADIUS request to listen on as this is how the Auth Proxy maps authn requests to the appropriate application (Duo Authentication Proxy Reference | Duo Security). Otherwise, you would have a port conflict and the Auth Proxy service would not start.

Please also see https://help.duo.com/s/article/1124

Hope this helps!

2 Likes
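
A pre-flight check for the two conditions described in the answer above (a reused server section name and two RADIUS listeners on one port), as an added example that is not part of the original thread or Duo's own tooling. The sample config, the port 18120 and the function name `lint_authproxy` are constructed for illustration; it assumes every section listens on the same interface and that an omitted `port` means 1812.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the layout in the question (placeholder values only).
SAMPLE_CFG = """\
[duo_only_client]
[ad_client]
host=192.0.2.10
; existing application
[radius_server_auto]
client=ad_client
port=1812
; Citrix, as first drafted in the question
[radius_server_auto]
client=duo_only_client
port=1812
"""

# Same file with the section renamed and moved to its own port (18120 is arbitrary).
FIXED_CFG = SAMPLE_CFG.replace(
    "[radius_server_auto]\nclient=duo_only_client\nport=1812",
    "[radius_server_auto2]\nclient=duo_only_client\nport=18120")

def lint_authproxy(text):
    """Return a list of problems: repeated section names and RADIUS port clashes."""
    sections = []  # (name, {key: value}) in file order, duplicates preserved
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comment lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    problems, seen, ports = [], set(), defaultdict(list)
    for name, opts in sections:
        if name in seen:
            problems.append(f"duplicate section [{name}]")
        seen.add(name)
        if name.startswith("radius_server_"):
            # Assumption: an omitted port means 1812, and all listeners share one interface.
            ports[opts.get("port", "1812")].append(name)
    for port, names in ports.items():
        if len(names) > 1:
            problems.append(f"port {port} shared by " + ", ".join(names))
    return problems
```
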

Thanks Pablo!

My bad, when I was making the example I forgot to write the second one to [radius_server_auto2]. And thanks also for the heads up regarding the port, I totally forgot it.

I'm following this guide, as our NetScaler is on version 12.0:

Best regards!

1 Like