12-20-2017 03:04 PM
Hello.
I just implemented a tool called FireMon.
I am able to connect to LDAP by inputting the DUO server. I matched the keys to the LDAP application within DUO and am fairly sure that the policies of DUO are correct and the users I’m testing are valid, enrolled users. We use the same LDAP Proxy application from DUO and it works with other applications. FireMon is accepting the authentication but DUO is not prompting for 2FA.
FireMon has little information for DUO+LDAP Proxies. Does anyone have any experience with FireMon and setting up 2FA for it or know if it will work?
Thanks.
12-22-2017 10:08 AM
Enable debug logging on your Duo proxy and then recreate the issue.
Examine the order of LDAP binds in the debug output. Does FireMon bind as a service account, disconnect, and then bind again as the user logging in? If so, please take a look at the exempt_primary_bind and exempt_ou options documented here.
The default behavior is to exempt the initial bind request in a connection from 2FA (or else someone would need to approve 2FA for every bind+search the service account does as a precursor to user login).
If FireMon does a new connect+bind when switching from the service account to the user, then you’d change exempt_primary_bind to false, and specify your LDAP lookup account DN as exempt_ou.
12-22-2017 11:46 AM
That worked! Had to set exempt_primary_bind to false and set the exempt_ou. Thanks.
10-03-2018 10:35 PM
The latest version of Firemon broke our AD integration using LDAP. We met with support and were able to get ADFS integrated in a few minutes. It was pretty trivial to get Duo working with ADFS.