Our Systems people have been running a standalone Duo proxy server for quite some time and are now in the process of rolling out an F5 load balanced "production" version. At the moment all authentications are done via LDAP to our AD service.
I look after our ClearPass Policy Manager that we use for all our network authentication (RADIUS/TACACS) and am keen to implement 2FA for network switch access.
I downloaded an eval version of Duo proxy and with a bit of tinkering have got it working for all our ComWare/ArubaOS and ArubaCX switches.
The problem of course is that this is in a dev lab with just my ClearPass servers and the Duo proxy where I can tinker with things as I like.
For TACACS the sequence of events is
Switch passes TACACS auth to ClearPass
ClearPass uses an auth source "Token Server" to pass the auth request to the Duo proxy
Duo performs a RADIUS auth against ClearPass to validate the user connecting to the switch (and does what it does for 2FA)
Clearpass returns an access accept
Initial TACACS auth completes with an accept
Clearpass passes appropriate TACACS attributes back to the switch to log user in as read only admin, read/write admin whatever … simples! … in a dev environment
My problem is that Systems are using a default "use ldap" to auth the user so the above won't work.
Also production-wise, there will be lots of "hosts" using the Duo proxy and probably simple LDAP auth will be satisfactory
So from the “Duo Auth Proxy Reference”
Under “Client Sections”
If you've created an [ad_client] and a [radius_client]
Can you select which one to use based upon who is passing you an auth request, e.g.
If a ClearPass server with an IP address of a.b.c.d passes an auth request to the proxy use your defined [radius_client], if a web VPN service contacts Duo, use the [ad_client]
If the above were possible I could use the system managed Duo proxy for TACACS 2FA without having to manage my own Duo
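One way the reference's per-section `client` key maps onto the two callers described above (an added example, not configuration from the original post or from Duo; hostnames, addresses, secrets and Duo keys are placeholders): each [radius_server_auto] section listens on its own port, names which client section performs primary authentication, and its radius_ip_1 restricts which device may send to it.

```ini
; Added example, not from the original post or the Duo reference.
; Every hostname, address, secret and Duo key below is a placeholder.

[ad_client]
; Primary auth via LDAP to AD (the Systems team's default)
host=dc1.example.local
service_account_username=duoproxy_svc
service_account_password=CHANGEME_ad_password
search_dn=DC=example,DC=local

[radius_client]
; Primary auth sent back to ClearPass over RADIUS (placeholder address)
host=10.0.0.10
secret=CHANGEME_radius_client_secret

; Section for the web VPN: primary auth through [ad_client].
; Only the VPN's address may talk to this listener, and only on this port.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGEME_duo_skey
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
radius_ip_1=10.0.1.20
radius_secret_1=CHANGEME_vpn_secret
failmode=secure
port=1812

; Second section for ClearPass's "Token Server" auth source: primary auth
; through [radius_client]. Separate port and secret, restricted to ClearPass.
[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGEME_duo_skey
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
radius_ip_1=10.0.0.10
radius_secret_1=CHANGEME_clearpass_secret
failmode=secure
port=1813
```

The selection is therefore by listening port rather than by source address alone; pointing the ClearPass Token Server at port 1813 and the VPN at port 1812, each with its own shared secret, keeps the two primary-auth paths separate on one proxy.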