Currently Duo is authenticating to LDAP in plaintext. We would like to change it to LDAPS, i.e. connect Duo to AD via LDAPS.
Can someone tell me what changes need to be made in the Duo config file for this?
Also, is any downtime required for this?

Assuming you’re using the Authentication Proxy, look here, especially the Optional section: Duo Authentication Proxy Reference | Duo Security
You’ll need to change or add “transport”, add “ssl_ca_certs_file” and have the CA root cert and chain that issued the cert on your DC in a file for that entry to point at.

You have to restart the proxy, so yes to downtime…

1 Like
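As an added example (not from the thread or from Duo's own documentation), here is what the `[ad_client]` section of authproxy.cfg looks like before and after the change the reply describes; the hostname, service account, base DN and certificate path are placeholders:

```ini
; BEFORE: plaintext LDAP to the domain controller (constructed example)
[ad_client]
host=dc1.example.local
service_account_username=duo_svc
service_account_password=<service-account-password>
search_dn=DC=example,DC=local
; transport defaults to clear, so credentials and lookups cross the wire unencrypted

; AFTER: LDAPS to the domain controller (constructed example)
[ad_client]
host=dc1.example.local
service_account_username=duo_svc
service_account_password=<service-account-password>
search_dn=DC=example,DC=local
transport=ldaps
; 636 is the LDAPS port; the default port changes to 636 with transport=ldaps, set it explicitly to avoid surprises
port=636
; PEM bundle holding the root CA and any intermediates that issued the DC's certificate
ssl_ca_certs_file=C:\Program Files\Duo Security Authentication Proxy\conf\ca-bundle.pem
; keep hostname verification on so the proxy only trusts a cert whose SAN matches "host"
ssl_verify_hostname=true
```

Only the `[ad_client]` (proxy-to-AD) section changes; the `[ldap_server_auto]` section that the ASA talks to is untouched, which matches the later reply that no ASA-side change is needed.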

Thank you @kstieers
Currently, authentication is requested from the Cisco ASA and Duo sends it on to AD.
Will there be any change in the ASA-to-Duo config too?

So if you're already doing LDAPS from the ASA to the Duo Authentication Proxy, then no, no change is needed…

For Duo LDAPS, should any change be made in the Duo Admin panel, as mentioned in this link?