Duo breaks after upgrading Palo Alto Firewalls to PANOS 8.1.7

We have updated a pair PA-5020’s in our Data Center to PANOS 8.1.7. Duo is no longer working. Has any one else had a similar issue.

What is odd is when we login to the Palo we get a Duo push notification. After hitting approve the username/password disappear on the Palo login page and in red “invalid username and or password” pops up. In the Duo logs we can see where the auth starts and validates the user logging in, shows that the push was approved and that access was granted and then there are two disconnect statements due to “Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.” (Please note IP’s have been replaced with xxx.xxx.xxx.xxx and the username has also been removed and replaced with user.name)

Line 71351: 2019-05-17T14:01:00-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:50877] Got preauth result for user.name: u’auth’
Line 71355: 2019-05-17T14:01:04-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:50877] Duo authentication returned ‘allow’: ‘Success. Logging you in…’
Line 71356: 2019-05-17T14:01:04-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:50877] Success. Logging you in…
Line 71358: 2019-05-17T14:01:04-0400 [DuoAutoLdapServer,17,xxx.xxx.xxx.xxx] [Request from xxx.xxx.xxx.xxx:50877] Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.
Line 71358: 2019-05-17T14:01:04-0400 [DuoAutoLdapServer,17,xxx.xxx.xxx.xxx] [Request from xxx.xxx.xxx.xxx:50877] Attempt to bindRequest multiple times in the same LDAP connection. Disconnecting.

I was able to find a forum post about adding the command “allow_unlimited_binds=true” to [ldap_server_auto] section of the authproxy.cfg file. We added this to the config file and it still doesn’t work as well the logging behavior has changed. Below are the logs when attempting to access the updated Firewalls with Duo after this config change

2019-05-22T15:53:06-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:33783] Duo authentication returned ‘allow’: ‘Success. Logging you in…’
2019-05-22T15:53:06-0400 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from xxx.xxx.xxx.xxx:33783] Success. Logging you in…
2019-05-22T15:53:06-0400 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/auth>
2019-05-22T15:53:06-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03065330>
2019-05-22T15:53:06-0400 [_ADServiceClientProtocol,client] [Request from xxx.xxx.xxx.xxx:33783] Cannot find username
2019-05-22T15:53:06-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03065330>
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0305E350>
2019-05-22T15:53:07-0400 [_ADServiceClientProtocol,client] [Request from xxx.xxx.xxx.xxx:33783] Cannot find username
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x0305E350>
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03091130>
2019-05-22T15:53:07-0400 [_ADServiceClientProtocol,client] [Request from xxx.xxx.xxx.xxx:33783] Cannot find username
2019-05-22T15:53:07-0400 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x03091130>

This change has not stopped us from being able to login using Duo on all other PA not on PANOS 8.1.x. Has anyone else had this issue? We are also working with Palo TAC to see if it is a bug in PANOS. Just wanted to see if anyone in the Duo community has run into this issue and If you have and were able to fix this issue please share what you did to resolve it, or if you know we are missing something else required in the config file that would fix this please do share? We would like to move past this issue as upgrading is needed as PANOS 8.0 is going EOL.

Hi there, please contact Duo Support to open a ticket regarding this issue.

Thank you for the update I will call in and open a support case.

We had this exact issue. What fixed it for us was to add this line to the auth proxy config:

allow_unlimited_binds=true

Once added we restarted the DUO Auth Proxy service and it started working again.