Release notes for recent Authentication Proxy versions.
Download the current release from the Checksums and Downloads page.
We encourage all customers to regularly upgrade to the latest Duo Authentication Proxy release to receive feature and security updates.
Version 6.4.2 - October 21, 2024
- Adds the configuration option `force_message_authenticator` to `radius_server` modules.
  - Set `force_message_authenticator` to `true` to force the Authentication Proxy to include a `message-authenticator` attribute in reply packets.
- Ensures that reply packets containing a `message-authenticator` attribute send that as the first attribute.
Version 6.4.1 - May 8, 2024
- Fixes a resource leak related to failed TLS connections in `ldap_server_auto`.
- Please review the information in the 6.4.0 release note. If you experience issues with LDAPS/STARTTLS connections after installing 6.4.1, and your certificate(s) have key lengths less than 2048, see Duo KB article 8866 for a workaround.
Version 6.4.0 - April 30, 2024
- Fixes unnecessarily strict Connectivity Tool validation of `ldap_server_auto` SSL certificates.
- Improves logged error messaging for `AD DIR_ERROR` responses.
- The Authentication Proxy Manager now displays additional error information in certain failure scenarios.
- Updates the internal build process to use scoped package names.
- Upgrade to Cryptography 42.0.5 / OpenSSL 3.2.1 to address CVE-2024-26130, CVE-2023-50782, and CVE-2024-0727.
  - This version of OpenSSL changes the default SSL/TLS security level from `1` to `2`. As a result of the default security level change, certificates with key lengths less than 2048 are no longer acceptable for inbound and outbound SSL, LDAPS, or STARTTLS connections to the Authentication Proxy. Our recommendation is that you reissue your certificates with key lengths of 2048 or greater. If you cannot update your certificates now, a workaround is available. Please see Duo KB article 8866 for details.
- Upgrade Python to 3.11.9 to address CVE-2023-6597 and CVE-2024-0450.
- Upgrade OpenSSL FIPS module to 3.0.9 to address CVE-2023-1255.
- Updates various internal dependencies.
- These dependency updates affect use of the Duo Authentication Proxy Manager tool on Windows Server versions 2012 R2 and older, which have reached end-of-support status with both Duo and Microsoft. Please see the Duo End of Sale, Last Date of Support, and End of Life Policy for more information.
Version 6.3.0 - February 6, 2024
- Fixes sort order of factors from preauth result.
- Fixes OpenSSL error when enabling FIPS mode on certain systems.
- Updates Python to 3.11.7 to address CVE-2023-36632, CVE-2023-24329, CVE-2023-40217, CVE-2023-27043, and CVE-2007-4559.
- Updates various internal dependencies to resolve CVEs including CVE-2023-49083, CVE-2023-46137, CVE-2022-40898, CVE-2021-32559, and CVE-2022-42969.
Version 6.2.0 - November 28, 2023
- Connectivity checker no longer rejects ECC SSL keys.
- Improves integration with systemd on Linux systems.
- Improves handling of corrupted SSO configuration file.
- IFrame reconfiguration script no longer creates duplicate configuration sections.
- Resolves various CVEs including CVE-2023-5363, CVE-2023-4807, and CVE-2022-40897.
Version 6.1.0 - September 19, 2023
- Restores the default for `allow_concat` to `false` in the `radius_server_eap` section.
- Fixes various bugs in `radius_server_eap` functionality.
- No longer logs configured server sections twice at startup.
- Authentication Proxy upgrades no longer fail when there is a subdirectory inside the `conf` directory.
- The Windows service now correctly installs/uninstalls when there is an invalid authproxy.cfg.
- Provides a utility script to assist with converting `radius_server_iframe` sections to `radius_server_auto`. See Guide to Duo's iFrame Reconfiguration Script.
- Updates Cryptography to 41.0.3.
- Updates OpenSSL to 3.1.2.
Version 6.0.2 - July 24, 2023
- The value for `allow_concat` in the `radius_server_eap` section now correctly defaults to `True`.
- The Authentication Proxy connectivity tool and Authentication Proxy Manager now raise an exception if the Authentication Proxy is given a password-protected certificate.
- Fixed a resource leak related to failed TLS connections.
Version 6.0.1 - June 14, 2023
- Resolves an issue in version 6.0.0 (CVE-2023-20207 Cisco Security Advisory) where some configurations would output plain-text secrets to `authproxy.log` during proxy service start.
Version 6.0.0 - June 7, 2023
- SHA1 signed certificates are no longer supported for LDAPS or StartTLS connections. This affects Duo Single Sign-On Active Directory authentication, Active Directory Sync, OpenLDAP Directory Sync, and `ad_client` configuration for RADIUS or LDAP authentication. SHA1 certificates issued to Active Directory domain controllers or LDAP directory servers must be reissued as SHA256 or greater. If a SHA256+ certificate cannot be obtained, the alternative is to use unsecured (CLEAR) transport.
- NTLM1 is disabled in FIPS mode, and deprecated in non-FIPS mode.
- Linux installer now supports ARM64/AARCH64 in addition to the existing AMD64/x64 support.
- Updated Cryptography to 40.0.2 to address CVE-2020-25659 and CVE-2020-36242.
- Updated OpenSSL to 3.1.1.
- Updated Python to 3.8.16 to address CVE-2022-26488, CVE-2016-3189, CVE-2019-12900, CVE-2018-25032, CVE-2020-10735, and CVE-2022-37454.
Version 5.8.2 - June 14, 2023
- Resolves an issue in version 5.8.1 (CVE-2023-20207 Cisco Security Advisory) where some configurations would output plain-text secrets to `authproxy.log` during proxy service start.
Version 5.8.1 - May 10, 2023
- Fixed an issue where SSO logins that timed out would be incorrectly interpreted as bad credentials.
- Fixed an issue where the configuration check would incorrectly report a problem with the `transport` value of an ad_client section if `ssl_verify_hostname` is not specified.
- Now verifies that configured applications (specified by `ikey`) are named or generic RADIUS, LDAP, or directory sync applications intended for use with the Authentication Proxy. Using a mistyped integration may generate `HTTP 403` messages in the `authproxy.log` but does not affect user authentication. We encourage you to use the correct application types in your Authentication Proxy configurations.
Version 5.8.0 - February 15, 2023
- Removes git commit hashes from binaries and folder names.
- The `authproxy_support` script now honors the `log_dir` configured in `[main]` section of `authproxy.cfg`; `--log-dir` script argument removed.
- Sends a user's distinguishedName (DN) back to Duo Single Sign-On on a failed SSO AD authentication.
- Nested `conf` directories underneath the Authentication Proxy's `conf` directory are no longer valid (i.e. `/opt/duoauthproxy/conf/conf/certs.crt`).
- Fixed a bug causing `Proxy-State` to be duplicated in RADIUS responses.
- Updated to Twisted 22.4.0 to resolve CVE-2022-24801.
- Additional bug fixes and enhancements.
Version 5.7.4 - November 8, 2022
- Improved logging for LDAP timeouts.
- The Authentication Proxy Manager and connectivity tool now warn against use of 'clear' transport in `ad_client` with certificates specified.
- Removes the misleading `no reply message in packet` RADIUS error message to reduce confusion while troubleshooting authentication failures.
- No longer duplicates the `proxy-state` RADIUS attribute when both the RADIUS client and server configuration sections specify `pass_through_all=true`.
- The connectivity tool no longer exits prematurely when it fails to connect to a RADIUS server that is not running.
- Fixed an issue that could result in multiple redundant connections to the Duo SSO service in certain race conditions.
Version 5.7.3 - August 30, 2022
- Corrected an issue where the Authentication Proxy incorrectly included a reply message in EAP packets.
Version 5.7.2 - June 23, 2022
- Fixed an issue where `make` would not build the Authentication Proxy if `TERM_PROGRAM` was set on Linux.
- Removed extraneous dependencies.
Version 5.7.1 - May 26, 2022
- Updated to Python 3.8.12 to resolve CVE-2020-14422 and CVE-2021-29921.
Version 5.7.0 - May 9, 2022
- Twisted has been updated to include the fix for CVE-2022-21712.
- The Windows Authentication Proxy binaries are now all signed.
- Added `LimitNOFILE` option to the Linux Authentication Proxy systemd init script to maximize authentication performance.
- Fixed traceback when the last `[cloud]` section is invalid.
Version 5.6.1 - March 28, 2022
- OpenSSL has been updated to include the fix for CVE-2022-0778.
- The Authentication Proxy Manager now correctly recognizes error return codes for unparseable configuration files.
- The Authentication Proxy Manager now correctly recognizes `api_host` entries with multiple hyphens as valid.
Version 5.6.0 - February 14, 2022
- The Windows Authentication Proxy now ships with the Duo Authentication Proxy Manager. This tool allows for configuring the Authentication Proxy, validating the configuration, and starting or stopping the Authentication Proxy service.
- The `authproxy_connectivity_tool` now exits with code `2` if there were connectivity issues.
- The Linux Authentication Proxy installer now prompts the user to ask if the SELinux module should be installed if run interactively, and accepts `--enable-selinux=yes|no` at the command line.
- Fixed a bug causing the SELinux module installation to not work with custom installation directories.
Version 5.5.1 - January 19, 2022
- Introduced initial support for multiple Active Directory authentication sources with Duo Single Sign-On.
- An invalid `[cloud]` section in `authproxy.cfg` no longer interferes with other valid `[cloud]` configuration sections.
- Fixes an issue that caused the Authentication Proxy not to reconnect to Duo automatically for SSO and Directory Sync after a period of degraded network connectivity.
- The Linux installer correctly expands tilde characters in the install path.
- Mutes excessive tracebacks caused by rapidly opening and then closing incoming connections to `ldap_server_auto` configured with `ad_client`.
- The Linux installation script creates the necessary SELinux configuration (if appropriate) to allow start of the Authentication Proxy with systemd.
Version 5.5.0 - October 13, 2021
- Adds support for Duo Single Sign-On expired password resets.
- Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2x to address the NULL pointer dereference issue described in CVE-2020-1971.
- Verified on Windows Server 2022.
Version 5.4.1 - September 15, 2021
- Fixes a spurious "no service account username is provided" warning from the connectivity tool when using Windows integrated authentication (SSPI).
- Now reports the error code during SSPI negotiation failure.
- Strips leading or trailing whitespace from RADIUS usernames during `radius_iframe` authentications.
- Restricts access to the Authentication Proxy `bin` folder on Windows at installation.
- Upgrades a third-party library to address memory leaks during authentications.
Version 5.4.0 - July 22, 2021
- Now suppresses system restarts by the Microsoft Visual C++ Redistributable installer during Authentication Proxy installation on Windows.
- Improves the error messaging when user `msds-principalname` lookups fail.
- The configuration checking performed by the connectivity tool now reports common misconfigurations for service account and authentication type combinations.
- Improves the log messaging when the Authentication Proxy attempts to determine use of password and factor concatenation.
- Improves the error messaging when LDAP authentications fail because the service account bind failed.
- The SIEM logging output to `authevents.log` now includes the client section name whenever possible.
- The Windows-only password encryption utility now also decrypts previously-encrypted passwords in a configuration file.
Version 5.3.1 - July 7, 2021
- Corrects an issue running the connectivity tool on Windows while the Authentication Proxy itself was running.
- Fixes a condition that caused incorrectly-colored connectivity tool output.
- Updates the Authentication Proxy's Windows service error exit code from `1` to `575`.
Version 5.3.0 - April 26, 2021
- Timestamps in `authproxy.log` output now show milliseconds.
- The `authproxy_passwd` tool now preserves comments when encrypting all passwords and secrets in the `authproxy.cfg` file with the `--whole-config` option.
- When `security_group_dn` is defined in an `ad_client` section, the connectivity tool confirms that an LDAP search for the group distinguished name returns a result.
- Fixes the connectivity tool's error detection for mismatched TLS certificate keypairs.
- When upgrading an existing install, the Authentication Proxy installer runs the connectivity tool to validate your configuration for correctness.
Version 5.2.2 - April 12, 2021
- Corrects logging message when SSL certificate and key did not match.
- RADIUS timeouts logging reports correct information about what servers have been contacted.
- The connectivity tool warning about RADIUS server availability is now displayed in yellow text.
- Adds a default timeout for ping calls during proxy connection issues to Duo.
- Suppresses error messages about quickly-terminated LDAP connections.
Version 5.2.1 - March 25, 2021
- Addresses an elevation of privilege vulnerability in the Duo Authentication Proxy for Windows installer which could allow an authenticated local attacker to overwrite files in privileged directories (CVE-2021-1492). The vulnerability was limited to the Windows installer only, and did not affect the application once installed. This vulnerability does not apply to any version of Duo Authentication Proxy for Linux.
Version 5.2.0 - February 2, 2021
- Adds support for multiple `[cloud]` sections, which enables a single Duo Authentication Proxy to service more than one Active Directory or OpenLDAP directory sync.
- The connectivity tool now displays warnings in yellow.
- Improved error messaging when a `User-Password` attribute is missing in challenge response for `radius_server_challenge`.
- Corrected an issue preventing silent install on Windows.
- LDAP channel binding no longer fails when the server's certificate uses the RSASSA-PSS signature algorithm.
- Fixed a bug causing authentications to fail when using SMS as a second factor with `radius_server_eap`.
- Fixed a bug where local versions of Python packages interfered with Duo Authentication install on Linux.
- The connectivity tool now utilizes the configured HTTP proxy.
- Adds support for additional EAP and PEAP authentication methods like EAP-MSCHAPv2 in `radius_server_auto`.
Version 5.1.1 - November 23, 2020
- Fixed a bug causing MPPE key decryption to fail when MPPE was used with an `EAP-message` attribute.
- Addresses an issue in prior v5.x.x releases where the running proxy stops responding to incoming RADIUS requests.
- Added the Microsoft Visual C++ 2015-2019 Redistributable to the Windows Authentication proxy installer to ensure all required DLLs are present on the target system.
Version 5.1.0 - November 4, 2020
- Adds the `authproxyctl` executable to Windows installations. This can be used to start or stop the Authentication Proxy from the command line, or show the version of the running proxy. When used to start the proxy, the output of the connectivity tool is shown in the command prompt window.
- The Windows installer now starts the Duo Authentication Proxy after a version upgrade if the service was running when the upgrade started.
- Updates the Authentication Proxy's bundled OpenSSL to version 1.0.2w to address CVE-2020-1968.
- The connectivity tool now checks for newer versions of the Authentication Proxy.
- The default `authproxy.cfg` file installed on Windows no longer contains Unix line endings, so it may be edited with Notepad.
- Improved error messaging when unable to establish an SSL connection when using FIPS mode.
- Improved error messaging when a StartTLS connection can not be established for Directory Sync or Duo Single Sign-On (SSO).
- Improved error messaging for Directory Sync and Duo SSO when attempting to use the "Integrated" authentication type with a Linux Authentication Proxy.
- The `minimum_tls_version` option now accepts mixed-case values.
- The connectivity tool no longer incorrectly reports an error when `pass_through_attr_names` is used with `[radius_client]`.
- Corrected an issue where SSL verification was disabled if an empty or invalid file was provided for ssl_ca_certs_file.
- An exception no longer occurs if a non-string username attribute is used with Duo SSO.
- RADIUS authentications no longer fail if some MPPE attributes are present but the Send Key and Receive Key are missing.
- Fixed a bug causing the Authentication Proxy to parse values in the configuration file as multi-line values if they were accidentally indented.
- Corrected an issue where installed files did not have the correct permissions on Linux.
Version 5.0.2 - September 28, 2020
- No longer adds `Message-Authenticator` to RADIUS packets where it was not already present.
- Fixed an issue preventing Authentication Proxy startup when using the `pass_through_attr_names` RADIUS setting. Note that the `pass_through_attr_names` and `pass_through_all` options are only valid when used with `radius_client`; specifying these parameters for RADIUS server sections that make use of `ad_client` or `duo_only_client` prevents the Authentication Proxy service from starting.
Version 5.0.1 - September 3, 2020
- Corrects an issue causing incorrect `Message-Authenticator` values when configured as a RADIUS pass-through attribute.
Version 5.0.0 - August 17, 2020
- The Authentication Proxy binaries for Windows have been migrated from 32-bit to 64-bit. Duo supports installing the Authentication Proxy on Windows Server 2012 and later, which are 64-bit operating systems. The installation file path has changed accordingly, from `C:\Program Files (x86)\Duo Security Authentication Proxy` in previous versions to `C:\Program Files\Duo Security Authentication Proxy`. If your `authproxy.cfg` file contains any references to the 32-bit installation path, for example, if you specified the absolute path to your SSL certificate file, the v5.0.0 installer updates those references to the new installation destination. This change has no effect on Authentication Proxy releases for Linux.
- Primary LDAP authentication with `[ad_client]` now supports integrated Windows authentication via SSPI using both NTLMv2 and Kerberos with the `auth_type=sspi` option.
- Primary LDAP authentication with `[ad_client]` now supports LDAP Signing plus LDAP Encryption (also known as "Sign and Seal") for the `ntlm2` and `sspi` authentication types when using CLEAR transport. Refer to the Duo KB article Does the Duo Authentication Proxy support "Sign and Seal"? for additional details.
- Extends LDAP channel binding support to NTLMv2 authentication.
- LDAP anonymous bind identification now conforms with LDAP RFC 4513.
- Now supports LDAP binds using `samAccountName` and Common Name `CN` style usernames, including for `exempt_ou` username to Distinguished Name `DN` match.
- The connectivity tool issues a warning when the `[ad_client]` authentication type is `sspi` (Windows integrated) and LDAP account username/password are also provided.
- Now consistently respects the order of the factors specified via the `factors` optional setting for `[radius_server_auto]` and `[ldap_server_auto]`.
- RADIUS authentication now handles MPPE responses properly per RFC 2548.
- RADIUS `authenticator` and `Message-Authenticator` verification succeeds when a packet includes multiple non-adjacent attributes of the same type.
- Fixed an issue where incorrectly encoding attributes in RADIUS packets may have resulted in the Authentication Proxy failing to process further RADIUS packets, causing a Denial of Service (DoS) condition.
- Logging enhancements.
Versions Before 5.0.0
Version 4.0.2 - July 22, 2020
- Updated the embedded Python version to 3.8.4, to address Python CVE-2020-1552. We urge that customers running v4.0.0 or v4.0.1 upgrade to this version.
- This is the last 32-bit Authentication Proxy release.
Version 4.0.1 - June 10, 2020
- Fixed a bug where certain vendor-specific RADIUS attributes were not passed through correctly.
- The Authentication Proxy will not attempt to constantly connect to the Duo Single Sign-on service with expired credentials.
- Fixed a bug with binary LDAP attributes that caused certain authentications to fail.
- Fixed a bug that caused the Windows `authproxy_passwd` tool to fail for secrets containing the `%` character.
- The error output when the Authentication Proxy cannot start TLS encryption due to missing configuration is clearer.
Version 4.0.0 - May 11, 2020
- The Authentication Proxy is now packaged with and runs on Python 3.
- When installed on Windows, directory permissions restrict access to the `conf` directory to the built-in Administrators group.
- Improved directory sync performance when syncing large groups from Active Directory.
- Fixed a bug causing RADIUS authentications to fail for usernames with non-ASCII characters.
- Duo application `ikey` values are now properly captured in the authentication log during RADIUS authentication.
Version 3.2.4 - March 17, 2020
- Full support for unicode usernames and passwords when used for Duo Single Sign-On authentication to Active Directory.
Version 3.2.3 - March 10, 2020
- RADIUS Challenge responses now correctly include `Proxy-State` attribute values.
Version 3.2.2 - February 25, 2020
- Fixed a bug causing `NTLM` and `SSPI` authentications to fail in rare cases.
- Support for Windows Server 2008 R2 ended in January 2020. The minimum supported Windows version is Windows Server 2012. Future releases of the Authentication Proxy may not function on unsupported operating systems.
Version 3.2.1 - December 2019
- Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.
Version 3.2.0 - December 2019
- Fixed a bug causing `failmode` and `prompt_format` configuration values to be case-sensitive.
- The `primarygroup` is now checked when determining if an AD/LDAP (`ad_client`) user is a member of the configured `security_group_dn` group.
- Added support for `LDAPCompareRequest` LDAP message when the proxy is acting as an LDAP server.
- Support additional username formats for `exempt_ou` matching when the proxy is acting as an LDAP server.
- Ignores service account credentials when using the "Integrated" (SSPI) authentication type for the Authentication Proxy's connection to your AD Authentication source to support Duo Single Sign-On. If provided in the `[cloud]` config for use with AD Sync, the service account credentials will be used to negotiate NTLM over SSPI.
- Events in the SIEM-consumable `authevents.log` now contain the authentication proxy hostname and the `IKEY` (Integration key) of the protected application.
- Fixed case where logging incorrectly indicated `failmode` was invoked when an invalid `SKEY` (Secret key) was used.
- The Windows installer now reports if there was an error installing the "Duo Authentication Proxy" service.
- Proxy startup is prevented if an `ldap_server_auto` section has no associated `ad_client` section.
- Bug fixes and enhancements to the connectivity tool.
Version 3.1.1 - September 2019
- Third-party cryptography library update to address a known issue which could cause memory leaks that affected performance.
Version 3.1.0 - July 2019
- New `delimited_password_length` optional configuration setting for RADIUS Auto, RADIUS Concat, and LDAP Auto supports Duo factor or passcode append after a fixed-length password without specifying a delimiter character.
- Improved logging when the Authentication Proxy cannot contact Duo for directory sync.
- The `authproxy_support` tool reports the full path to the generated output file.
- Fixed a memory leak that could manifest with specific types of certificate files which affected the proxy's performance.
- Allows mixed-case values for the `prompt`, `type`, and `failmode` configuration settings.
- Logging of RADIUS and LDAP messages now contain the username.
Version 3.0.0 - March 2019
- Now defaults to TLS 1.2 when acting as an SSL server (`[radius_server_eap]` or `[ldap_server_auto]`). Opt into a lower TLS version with the `minimum_tls_version` configuration option.
- Now creates a new user (default name `duo_authproxy_svc`) during installation to run the proxy server on Linux.
- Now creates a new group (default name `duo_authproxy_grp`) during installation on Linux. This group owns the `/opt/duoauthproxy/log` folder and all of its files.
- Fixed a bug that prevented the `authproxy_support` tool from being run from any directory.
- Fixed a bug that caused errors when clients connected and disconnected very quickly.
- Fixed small bugs in the connectivity tool configuration validation.
Version 2.14.0 - February 2019
- Created a script that puts the Authentication Proxy into primary only mode, which temporarily only validates first factor authentication and skips secondary authentication for any configuration that allows "fail open" behavior.
- Added a support tool that sanitizes and packages config and log files into a zip file you can send to Duo Support when troubleshooting issues.
- Improved logging during Active Directory or OpenLDAP directory synchronization.
- Introduced support for `[http_proxy]` sections to use a configured `interface`.
Version 2.13.0 - January 2019
- Colorized the output of the connectivity tool when run interactively for better readability.
- Improvements and additions to the connectivity tool configuration and validation checks, including validation of dependencies across sections.
- The connectivity tool now uses your configured `http_proxy_host` to test connections.
- Improved logging for security and debugging purposes.
Version 2.12.1 - January 2019
- Corrects an issue which prevented usage of unicode characters in the `authproxy.cfg` file.
Version 2.12.0 - January 2019
- Introduces new configuration options `minimum_tls_version` and `cipher_list` for hardening the TLS configuration of the Authentication Proxy when acting as an SSL server (`[radius_server_eap]` or `[ldap_server_auto]`).
- OpenSSL is now built along with the Authentication Proxy on Linux. Admins no longer need to install OpenSSL separately as a prerequisite.
- Perl and zlib are now prerequisites for building the Authentication Proxy on Linux.
- The Authentication Proxy now validates parts of your configuration at startup and when running the connectivity tool.
- FIPS mode for Windows and Linux.
- Corrected an issue with logins from authorized networks not bypassing 2FA.
Version 2.11.0 - November 2018
- Added support for channel binding validation during LDAP authentication over SSL/TLS on Windows Server. See KB 4034879 for more information about the `LdapEnforceChannelBinding` setting.
- The connectivity troubleshooting tool now checks that the api_host in a `[cloud]` section is accessible.
- Corrected an installation issue on Linux systems due to the PYTHON environment variable.
- Reworded fail mode result messages to improve logging consistency.
Version 2.10.1 - September 2018
- Corrected an installation issue on Linux systems.
Version 2.10.0 - September 2018
- Added a new flag to `authproxy_passwd` that allows you to encrypt all the passwords and secrets in the configuration at once.
- Fix bug in Authentication Proxy Connectivity Tool that caused us to report an incorrect time drift.
- Added 2fa factor used to the SIEM digestible log output (`authevents.log`).
- Simplified example content in the `authproxy.cfg` file shown at first use.
Version 2.9.0 - May 2018
- Introduced new connectivity troubleshooting tool.
- Python 2.7 now bundled with Authentication Proxy install.
- The HTTP Proxy feature now accepts CIDR ranges as permitted `client_ip` values.
- Previous 2.8.1 Windows-only EAP/TLS 1.2 fix for NetMotion implemented in Linux proxy as well.
Version 2.8.1 - March 2018
- Corrected issue with EAP and TLS 1.2 for NetMotion EAP clients.
- Released for Windows only.
Version 2.7.0 - December 2017
- Supports OpenSSL 1.1.0.
- New LDAP server option: `allow_unlimited_binds`.
- Additional bug fixes.
Version 2.6.0 - October 2017
- Password authentication for OpenLDAP and AD sync.
- Fixed bug that caused an authentication event to be logged twice in `authevents.log`.
- Additional bug fixes.
Version 2.5.4 - August 2017
- SIEM-consumable authentication event logging with new configuration option `log_auth_events`.
- Corrected `ad_client` host failover behavior when using `ldap_server_auto`.
- Additional bug fixes.
Note: Interim versions between 2.4.21 and 2.5.4 are internal builds not released to customers.
Version 2.4.21 - March 2017
- Linux logging fix
- Bug fixes
Version 2.4.20 - February 2017
- Bug fix for premature TLS disconnect
Version 2.4.19 - December 2016
- LDAPS bug fixes
Version 2.4.18 - December 2016
- Ease-of-use improvements to authproxy.cfg file
- Updated to OpenSSL 1.0.2h and PyOpenSSL to 16.2
- RADIUS and LDAP bug fixes
- Fixed inappropriate fail open behavior when api_timeout is reached (DUO-PSA-2016-002)
Version 2.4.17 - May 2016
- Enhanced authentication proxy configuration reporting to Duo
- Fixed handling of primary authentication failures in radius_server_eap (DUO-PSA-2016-001)
Version 2.4.16 - May 2016
- Fixed handling of missing LDAP passwords (DUO-PSA-2016-001)
Version 2.4.15 - May 2016
- Debug logging to file obscures password information
- Improved handling of NTLM and UPN Active Directory authentication
- Improved handling of mixed format line endings in the config file
- Checks config file for duplicate sections at proxy start
Version 2.4.14.1 - February 2016
- Directory Sync and HTTP Proxy bug fixes
Version 2.4.14 - December 2015
- New LDAP server option: `allow_searches_after_bind`
- Updated EULA
Version 2.4.13 - November 2015
- Added support for proxying HTTPS traffic from Duo client applications: `http_proxy`
Version 2.4.12 - August 2015
- Updated to OpenSSL 1.0.1p
- Handling for Palo Alto Client-IP attribute
Version 2.4.11 - March 2015
- Updated to OpenSSL 1.0.1m
Version 2.4.10 - March 2015
- Updated to OpenSSL 1.0.1l
- LDAP enhancements and improved logging
- Fix proxy startup on Ubuntu LTS
- New RADIUS exemption option: `exempt_username_1`
- RADIUS client Message-Authenticator validation
Version 2.4.9 - February 2015
- Improved logging
- AD Sync improvements
Version 2.4.8 - November 2014
- AD Sync connection detection
Version 2.4.7 - November 2014
- Fixes for Linux hosts
Version 2.4.6 - October 2014
- Updated to OpenSSL 1.0.1j
- AD Sync performance enhancement
Version 2.4.5 - September 2014
- AD domain discovery feature in ad_client: `domain_discovery`
- AD Sync improvements
Version 2.4.4 - August 2014
- AD Sync improvements
- Fix LDAP filter extensions
Version 2.4.3 - July 2014
- Update ad_client time out logic
- RADIUS and LDAP bug fixes
Version 2.4.2 - June 2014
- Updated to OpenSSL 1.0.1h
- TLS 1.2 support
- HTTPS proxy support for AD Sync
- Support for syslog forwarding (Linux/Unix only): `log_file`, `log_syslog`, `syslog_facility`