Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4592
Views
0
Helpful
4
Replies

Protecting applications that use LDAP

Gary_Chapman
Level 1
Level 1

‎01-30-2017 09:40 AM

We have a set of application services that directly use an LDAP directory
for username/password authentication. We would like to insert MFA into
this process… is the Duo Access Gateway the tool we would use? Even
though I’ve generally reviewed the DAG documentation, I find it hard to
understand how it can work, such that end-users see the authentication
prompt after entering their username and password.

  • Gary Chapman, NYU IT
Labels:
0 Helpful
4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

‎01-30-2017 11:24 AM

The Duo Access Gateway is used with applications that support SAML 2.0 logins. These are typically cloud-based services.

You can add Duo authentication to almost any service that uses LDAP authentication with our generic LDAP application. You’d install the Duo Authentication proxy application on a local server, configure it to pass authentication requests to your LDAP directory, and then point the applications that use LDAP authentication to your new Duo proxy instead of directly to your LDAP directory server. When you users log into applications using the Duo proxy for authentication they’ll receive an automatic push or phone call as the second factor.

Full deployment instructions for Duo MFA for LDAP can be found here.

Duo, not DUO.
0 Helpful

Gary_Chapman
Level 1
Level 1

‎02-02-2017 07:17 AM

Thanks. We have applications that do LDAP authentication, others that
use Active Directory for authentication, and a couple of services (CISCO-based VPN and
wireless) that use Radius.

Is it plausible to use the Duo authentication proxy for all three of these situations?

  • Gary
0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Gary_Chapman

‎02-02-2017 11:57 AM

Yes, all three are potentially possible.

For your applications that do LDAP authentication, you would point them to an Authentication proxy configured with Duo LDAP.

Applications that use AD may also be pointed to the Duo LDAP application on the Authentication Proxy. If this AD directory is not the same one that the LDAP applications use, you can specify multiple LDAP authentication sources in the proxy config, and then multiple [ldap_server_auto] sections to use the different auth sources (if you wanted to power everything from just one Duo server - you could also have multiple Duo proxy servers for your different directories).

And finally, you can run RADIUS and LDAP listeners simultaneously on the same Authentication Proxy server as long as there is no port overlap (which is unlikely if you follow the port conventions for those protocols). Here are instructions for Cisco SSL VPN using RADIUS.

You may want to also review the full Duo Authentication Proxy Reference to see all the options.

Duo, not DUO.
0 Helpful

mknight1
Level 1
Level 1

‎02-02-2017 01:05 PM

It should be noted that the LDAP Proxy is not a complete implementation. Various LDAP aware applications that work fine with Active Directory do not work with the proxy (such as ConnectWise).

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents