Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
270
Views
1
Helpful
2
Replies

AD users authenticated without confirmation

Go to solution
swinkel
Level 1
Level 1

‎02-13-2024 08:01 AM

I try to secure my Cloud Director infra with DUO.
I already have the Authentication Proxy running and the AD group of the users is synced and visible in the DUO Admin portal.
Within Cloud Director I have added the Authentication Proxy as an LDAP server and imported the users of the group.
But...when I login to the Cloud Director portal I'm authenticated without doing a confirmation within the DUO app
That's not what I want.
This is the config I use:

[ad_client]
host=1.1.1.1
host_2=2.2.2.2
service_account_username=svc_duomfa
service_account_password_protected=<pwd>
search_dn=dc=ccc,dc=bbb,dc=aaa

[ldap_server_auto]
client=ad_client
ikey=<ikey>
skey=<skey>
api_host=apixxxx.duosecurity.com
failmode=secure

[cloud]
ikey=<ikey>
skey=<skey>
api_host=apixxxx.duosecurity.com
service_account_username=<serviceaccount>
service_account_password_protected=<pwd>

What am I overlooking?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎02-14-2024 10:52 AM

The Authentication Proxy assumes that most downstream LDAP applications create an LDAP connection, then perform a bind as the service account, a search for the authenticating user, and another bind as the authenticating user all in the same connection. Therefore the default behavior is to exempt the first bind in a connection from MFA.

Some applications do not do this, and instead they disconnect after performing the user search and then create a new LDAP connection to bind as the user. Since the user bind is the first bind in that connection, it bypasses MFA.

There are some configuration options you can apply to accommodate this "connect-service account bind-reconnect-user bind" behavior to ensure the user is prompted for 2FA. Please see https://help.duo.com/s/article/4989 to learn more about the exempt_primary_bind and exempt_ou settings.

Duo, not DUO.

View solution in original post

2 Replies 2

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎02-14-2024 10:52 AM

The Authentication Proxy assumes that most downstream LDAP applications create an LDAP connection, then perform a bind as the service account, a search for the authenticating user, and another bind as the authenticating user all in the same connection. Therefore the default behavior is to exempt the first bind in a connection from MFA.

Some applications do not do this, and instead they disconnect after performing the user search and then create a new LDAP connection to bind as the user. Since the user bind is the first bind in that connection, it bypasses MFA.

There are some configuration options you can apply to accommodate this "connect-service account bind-reconnect-user bind" behavior to ensure the user is prompted for 2FA. Please see https://help.duo.com/s/article/4989 to learn more about the exempt_primary_bind and exempt_ou settings.

Duo, not DUO.

Go to solution
swinkel
Level 1
Level 1

‎02-15-2024 12:46 AM

Thanks! This indeed solved it.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents