
Why is it not recommended to install the DAP on the same Windows AD?

Hi All,

I found an odd statement in the DAP reference guide.

We do not recommend installing the Duo Authentication Proxy on the same Windows server that acts as your Active Directory domain controller or one with the Network Policy Server (NPS) role. If you must co-locate the Duo Authentication Proxy with these services, be prepared to resolve potential LDAP or RADIUS port conflicts between the Duo service and your pre-existing services.

In my opinion, one can immediately imagine that installing the DAP on AD would not cause any port conflicts. In fact, I have tested it according to the attached topology and setup and can confirm that it works as expected.
Why is it not recommended to install DAP to AD? Has anyone else implemented it with the same idea as mine and encountered problems? I don’t understand why it is not recommended.


Regards,
Raima

Accepted Solution

DuoPablo
Cisco Employee

Hi @Raima ,

Please see the following KB article for reasons why it may cause issues having the Auth Proxy service running on a Domain Controller/shared server: Knowledge Base | Duo Security

  • It can disrupt access to applications if other services cause the operating system to become unstable and the system requires a reboot.
  • It leads to competition for CPU, memory, and disk resources.
  • It makes troubleshooting efforts like packet capturing more difficult, as you will need to filter through other traffic hitting the server.
  • Forwarding authentication requests to other authentication services that reside on the same system (such as NPS, AD, RSA) over the local loopback adapter can lead to authentication issues.
  • It can lead to potential port conflicts for RADIUS or LDAP authentication services.

Since you appear to be using only a RADIUS server section and not an LDAP server section within the authproxy.cfg, no LDAP port conflicts would exist.

Hope this helps!

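The last two bullets in the reply (forwarding to a backend over loopback, and RADIUS/LDAP port conflicts) can both be checked before the proxy is installed on a shared server. The Python below is an added example, not code from this thread or from Duo's own tooling: it parses an authproxy.cfg and a `netstat -ano` listing (both constructed here; the PIDs, addresses and credential placeholders are made up) and reports listener ports the proxy would need that another process already holds, plus any client section that points at 127.0.0.1 or localhost. It assumes the documented section names and defaults: `[radius_server_*]` listens on UDP 1812 unless `port` is set, and `[ldap_server_auto]` listens on TCP 389 (`port`) and, when `ssl_key_path` is present, TCP 636 (`ssl_port`).

```python
"""Pre-install co-location check for the Duo Authentication Proxy (example code)."""
import configparser
import re
from typing import Dict, List, Set, Tuple

# Documented listener defaults (assumption: only these sections bind sockets).
RADIUS_DEFAULT_PORT = 1812   # [radius_server_*], UDP
LDAP_DEFAULT_PORT = 389      # [ldap_server_auto], TCP
LDAPS_DEFAULT_PORT = 636     # [ldap_server_auto] with ssl_key_path, TCP
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

Listener = Tuple[str, int]   # (protocol, port)


def _parse_cfg(cfg_text: str) -> configparser.ConfigParser:
    # strict=False tolerates repeated keys; interpolation=None keeps '%' in secrets intact.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(cfg_text)
    return parser


def proxy_listeners(cfg_text: str) -> Dict[Listener, List[str]]:
    """Map each (proto, port) the proxy would bind to the sections that want it.
    More than one section per key means the config conflicts with itself."""
    parser = _parse_cfg(cfg_text)
    wanted: Dict[Listener, List[str]] = {}
    for section in parser.sections():
        if section.startswith("radius_server_"):
            port = parser.getint(section, "port", fallback=RADIUS_DEFAULT_PORT)
            wanted.setdefault(("udp", port), []).append(section)
        elif section.startswith("ldap_server_auto"):
            port = parser.getint(section, "port", fallback=LDAP_DEFAULT_PORT)
            wanted.setdefault(("tcp", port), []).append(section)
            if parser.has_option(section, "ssl_key_path"):
                ssl_port = parser.getint(section, "ssl_port", fallback=LDAPS_DEFAULT_PORT)
                wanted.setdefault(("tcp", ssl_port), []).append(section)
    return wanted


# Matches `netstat -ano` rows: proto, local addr:port, foreign addr, optional state, PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def bound_ports(netstat_text: str) -> Dict[Listener, Set[int]]:
    """Parse netstat output into {(proto, port): {pid, ...}}; TCP only if LISTENING."""
    bound: Dict[Listener, Set[int]] = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets do not block a bind
        bound.setdefault((proto.lower(), int(port)), set()).add(int(pid))
    return bound


def port_conflicts(cfg_text: str, netstat_text: str) -> List[Tuple[str, int, str, Set[int]]]:
    """Listeners the proxy wants that another process on the host already owns."""
    bound = bound_ports(netstat_text)
    return [(proto, port, ",".join(sections), bound[(proto, port)])
            for (proto, port), sections in sorted(proxy_listeners(cfg_text).items())
            if (proto, port) in bound]


def loopback_backends(cfg_text: str) -> List[str]:
    """Client sections (ad_client, radius_client, ...) whose host* keys point at loopback."""
    parser = _parse_cfg(cfg_text)
    return [s for s in parser.sections() if s.endswith("_client")
            and any(v in LOOPBACK_HOSTS for k, v in parser.items(s) if k.startswith("host"))]


# Constructed authproxy.cfg: RADIUS-only proxy using the local DC as its AD backend.
SAMPLE_CFG = """
[main]
debug=true

[ad_client]
host=127.0.0.1
service_account_username=svc_duo
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.50
radius_secret_1=PLACEHOLDER
client=ad_client
port=1812
failmode=safe
"""

# Constructed `netstat -ano` excerpt from a domain controller that also runs NPS.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       640
  TCP    10.0.0.5:50312         10.0.0.9:443           ESTABLISHED     4512
  TCP    [::]:389               [::]:0                 LISTENING       640
  UDP    0.0.0.0:1812           *:*                                    2112
  UDP    0.0.0.0:1813           *:*                                    2112
"""

if __name__ == "__main__":
    for proto, port, sections, pids in port_conflicts(SAMPLE_CFG, SAMPLE_NETSTAT):
        print(f"CONFLICT {proto}/{port} wanted by [{sections}] but bound by PID(s) {sorted(pids)}")
    for section in loopback_backends(SAMPLE_CFG):
        print(f"WARNING [{section}] forwards to a backend over loopback")
```

On a real host, replace the two constants with the contents of `authproxy.cfg` and the output of `netstat -ano`; a reported conflict on UDP 1812 is exactly the NPS case the reply describes, and the remedy is to give the proxy section a distinct `port` (or move it off the box), not to stop the existing service.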

