Duo proxy config syntax for adding a separate 2nd AD domain

julian5 · ‎04-30-2019

Hi. I am trying to add a separate 2nd AD domain to the Duo proxy config and was wondering about the proper syntax to make it work. I’m looking at this online doc…

In the client sections portion it says:
[…] To configure more than one client configuration of the same type, append a number to the section name e.g. [ad_client2].

So am I supposed to call out that part of configuration like this (see at the very bottom)?

[main]
debug=false

[ad_client]
host=****
service_account_username=****
service_account_password_protected=****
search_dn=****

[ad_client2]
host=xx
host_2=xx
service_account_username=xx
service_account_password_protected=xx
search_dn=xx

[radius_server_auto]
ikey=****
skey=****
api_host=****
radius_ip_1=aa.aa.aa.aa
radius_secret_protected_1=****
radius_ip_5=xx.xx.xx.xx
radius_secret_5=***
failmode=safe
client=ad_client
port=1812

radius_ip_6=x.x.x.x
radius_secret_6=****
failmode=safe
client=ad_client2
port=1812

Please help. Thanks.

mkorovesisduo · ‎05-01-2019

Hi Julian, you’re on the right track but you are trying to mix two different clients in one server section. You will need two different server sections, which means you will need two servers listening on different ports for the two AD clients. The server sections in the authproxy CFG file should be formatted as follows:

[radius_server_auto]
ikey=****
skey=****
api_host=****
radius_ip_1=aa.aa.aa.aa
radius_secret_protected_1=****
radius_ip_5=xx.xx.xx.xx
radius_secret_5=***
failmode=safe
client=ad_client
port=1812

[radius_server_auto2]
ikey=****
skey=****
api_host=****
radius_ip_6=x.x.x.x
radius_secret_6=****
failmode=safe
client=ad_client2
port=1813

julian5 · ‎05-01-2019

Oh ok, cool. I’m guessing I can still use the same ikey, skey, and api_host values?

mkorovesisduo · ‎05-02-2019

As long as both [radius_server_auto] sections are being used to protect the same app, yes.