DAP to be configured with both [duo_only_client] and [ad_client]

lima.breno
Level 1

We currently have the DAP implemented for multiple applications and services.
And in all those cases DAP is responsible for the Primary and Secondary Authentication.
Now we want to add Citrix NetScaler, but this time DAP will be responsible only for the Secondary AuthC.

Will I be able to configure DAP with both the [ad_client] and [duo_only_client] options configured?
for example:

[duo_only_client]

[ad_client]
host=x.x.x.x
host2=x.x.x.x
service_account_username=
service_account_password=
search_dn=DC=xxx,DC=xxx

;For existing Application
[radius_server_auto]
ikey=xxxxxx
skey_protected=xxxxx
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=x.x.x.x
#radius_ip_2=x.x.x.x
radius_secret_protected_1=xxxxxxxxx
#radius_secret_protected_2=xxxxxxxxx
client=ad_client
port=1812
failmode=safe

;For the Citrix implementation
[radius_server_auto]
ikey=xxxxxxx
skey_protected=xxxxx
api_host=■■■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=x.x.x.x
#radius_ip_2=x.x.x.x
radius_secret_protected_1=xxxxxxxxx
#radius_secret_protected_2=xxxxxxxxx
client=duo_only_client
port=1812
failmode=safe

Accepted Solutions

DuoPablo
Cisco Employee

Hi @BrLima ,

Yes, you can have a single Auth Proxy configured to support both ad_client and duo_only_client. Please see https://help.duo.com/s/article/2216.

For the Citrix integration, you would need to either name the server section radius_server_auto2 or use radius_server_duo_only as mentioned in Duo for Citrix Gateway Basic Secondary Authentication Instructions | Duo Security. You would also need to specify a different port for the RADIUS request to listen on as this is how the Auth Proxy maps authn requests to the appropriate application (Duo Authentication Proxy Reference | Duo Security). Otherwise, you would have a port conflict and the Auth Proxy service would not start.

Please also see https://help.duo.com/s/article/1124

Hope this helps!
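
Added example (not part of the original thread and not Duo's own tooling): a small Python check for the two problems the answer describes, a repeated server section name and two server sections listening on the same port, plus a check that each `client=` value names a section that exists. The section-name patterns, the default port of 1812 and the sample values are assumptions made for this illustration, and it assumes all server sections bind the same interface.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the layout in the question (placeholder values only).
SAMPLE_CFG = """\
[duo_only_client]

[ad_client]
host=192.0.2.10
search_dn=DC=example,DC=com

[radius_server_auto]
client=ad_client
port=1812

[radius_server_auto]
client=duo_only_client
port=1812
"""

SERVER_RE = re.compile(r"^radius_server_\w+$")  # e.g. radius_server_auto2 (assumed pattern)
CLIENT_RE = re.compile(r"^(ad_client|radius_client|duo_only_client)\d*$")

def parse_sections(text):
    """Return [(name, {key: value})] in file order, keeping duplicate sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or commented-out option
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def lint(text):
    """List duplicate sections, undefined client references and shared ports."""
    sections = parse_sections(text)
    names = [name for name, _ in sections]
    findings = [f"duplicate section [{n}]" for n in sorted(set(names)) if names.count(n) > 1]
    clients = {n for n in names if CLIENT_RE.match(n)}
    ports = defaultdict(list)
    for name, opts in sections:
        if not SERVER_RE.match(name):
            continue
        ports[opts.get("port", "1812")].append(name)  # 1812 assumed when port is omitted
        ref = opts.get("client")
        if ref is not None and ref not in clients:
            findings.append(f"[{name}] client={ref} is not a defined client section")
    findings += [f"port {p} shared by {', '.join(s)}" for p, s in ports.items() if len(s) > 1]
    return findings
```

Running `lint()` on the sample reports the duplicate `[radius_server_auto]` section and the shared port 1812; renaming the second section to `radius_server_auto2` and giving it its own port clears both findings.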

Thanks Pablo!

My bad, when I was making the example I forgot to write the second one to [radius_server_auto2]. And thanks also for the heads up regarding the port, I totally forgot it.

I’m following this guide, as our NetScaler is on version 12.0:

Best regards!
