LDAP Proxy with FireMon

rkehl
Level 1

Hello.

I just implemented a tool called FireMon.

I am able to connect to LDAP by inputting the DUO server. I matched the keys to the LDAP application within DUO and am fairly sure that the policies of DUO are correct and the users I'm testing are valid, enrolled users. We use the same LDAP Proxy application from DUO and it works with other applications. FireMon is accepting the authentication but DUO is not prompting for 2FA.

FireMon has little information for DUO+LDAP Proxies. Does anyone have any experience with FireMon and setting up 2FA for it or know if it will work?

Thanks.

Accepted Solution

DuoKristina
Cisco Employee
  1. Enable debug logging on your Duo proxy and then recreate the issue.

  2. Examine the order of LDAP binds in the debug output. Does FireMon bind as a service account, disconnect, and then bind again as the user logging in? If so, please take a look at the exempt_primary_bind and exempt_ou options documented here.

    The default behavior is to exempt the initial bind request in a connection from 2FA (or else someone would need to approve 2FA for every bind+search the service account does as a precursor to user login).

    If FireMon does a new connect+bind when switching from the service account to the user, then you'd change exempt_primary_bind to false and specify your LDAP lookup account DN as exempt_ou.

Duo, not DUO.

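The bind sequence the answer describes, modelled in Python as an added example (not Duo's proxy code or FireMon's): it assumes exempt_ou matches a bind DN equal to or beneath the configured DN, and uses constructed sample DNs. It shows why, with FireMon's disconnect-and-rebind pattern, the default exempt_primary_bind=true never sends the user's bind to Duo, and why exempt_primary_bind=false plus exempt_ou for the lookup account does.

```python
# Added example, not Duo's or FireMon's code: a small model of the exemption
# logic described above, to show why FireMon's bind pattern slips past 2FA
# under the proxy's default and how exempt_primary_bind/exempt_ou fix it.
from dataclasses import dataclass

@dataclass
class ExemptPolicy:
    exempt_primary_bind: bool = True   # proxy default: first bind per connection skips 2FA
    exempt_ou: tuple = ()              # DNs whose binds always skip 2FA (modelled, see lead-in)

def _under(dn: str, base: str) -> bool:
    """True if dn equals base or sits beneath it (case-insensitive, whitespace-tolerant)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def requires_2fa(policy: ExemptPolicy, bind_dn: str, first_bind: bool) -> bool:
    """Decide whether one bind request should be sent to Duo for a second factor."""
    if policy.exempt_primary_bind and first_bind:
        return False
    if any(_under(bind_dn, base) for base in policy.exempt_ou):
        return False
    return True

def evaluate(policy: ExemptPolicy, connections: list) -> list:
    """connections: one list of bind DNs per LDAP connection, in the order sent.
    Returns [(bind_dn, needs_2fa), ...] across all connections."""
    return [(dn, requires_2fa(policy, dn, i == 0))
            for binds in connections for i, dn in enumerate(binds)]

# Constructed sample DNs (not from the thread).
SERVICE = "CN=svc-firemon,OU=Service Accounts,DC=example,DC=com"
USER = "CN=jdoe,OU=Users,DC=example,DC=com"

# Pattern from the answer: service-account bind+search on one connection,
# disconnect, then a fresh connection bound as the end user.
FIREMON_STYLE = [[SERVICE], [USER]]
# Pattern the default was designed for: both binds on one connection.
SINGLE_CONN_STYLE = [[SERVICE, USER]]

DEFAULT = ExemptPolicy()
FIXED = ExemptPolicy(exempt_primary_bind=False, exempt_ou=(SERVICE,))

if __name__ == "__main__":
    for pname, policy in (("default", DEFAULT), ("fixed", FIXED)):
        for cname, conns in (("firemon", FIREMON_STYLE), ("single", SINGLE_CONN_STYLE)):
            for dn, needs in evaluate(policy, conns):
                print(f"{pname:7} {cname:7} {dn.split(',')[0]:16} 2FA={'yes' if needs else 'no'}")
```

Under the default policy the user's bind is the first bind on its own connection, so it is exempted and Duo is never consulted, which matches the symptom in the question.
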
3 Replies

That worked! Had to set exempt_primary_bind to false and set the exempt_ou. Thanks.

The latest version of FireMon broke our AD integration using LDAP. We met with support and were able to get ADFS integrated in a few minutes. It was pretty trivial to get Duo working with ADFS.