Showing posts with label authproxy.

Monday, 22 June 2026

Cisco Duo authproxy using LDAPS: cert expired

The DC certificates were renewed, and the CA that signed them had been renewed as well. ssl_ca_certs_file in authproxy.cfg still pointed at the old CA certificate, which no longer matched the chain the DCs now present, so the proxy's TLS verification of the LDAPS connection failed and users could not log in.


From the authproxy server, run the following PowerShell. You'll need to change DC1.domain.local to the name of your DC; use the same name as the host= value under [ad_client], since that is the name the proxy checks the certificate against.


# The {$true} callback accepts any server certificate. That is deliberate here:
# we want to see the chain the DC sends even though it does not currently
# validate. Diagnostics only; never do this in a production client.
$tcpClient = New-Object System.Net.Sockets.TcpClient("DC1.domain.local", 636)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, {$true})
$sslStream.AuthenticateAsClient("DC1.domain.local")
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Build returns False when the issuing CA is not trusted locally; the chain
# elements are still populated, which is all we need.
$null = $chain.Build($sslStream.RemoteCertificate)
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    Write-Host "Subject:    $($c.Subject)"
    Write-Host "Issuer:     $($c.Issuer)"
    Write-Host "Thumbprint: $($c.Thumbprint)"
    Write-Host "Expires:    $($c.NotAfter)"
    Write-Host "---"
}
$sslStream.Dispose()
$tcpClient.Close()


This prints every certificate in the chain the DC presents, leaf first, with its thumbprint. The one to pin is the CA (issuer) certificate, not the DC's own certificate. Because the script accepts whatever answered on port 636, confirm the CA thumbprint out of band (on the issuing CA itself, or against the CA certificate published for your domain) before trusting it.

Now use that thumbprint to export the CA certificate in the PEM form that ssl_ca_certs_file expects.


$tcpClient = New-Object System.Net.Sockets.TcpClient("DC1.domain.local", 636)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, {$true})
$sslStream.AuthenticateAsClient("DC1.domain.local")
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($sslStream.RemoteCertificate)
# Pick the CA certificate by the thumbprint confirmed in the previous step
$caCert = $chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq "NEW-CA-THUMBPRINT-HERE" } | Select-Object -First 1
if (-not $caCert) { throw "Thumbprint not found in the chain presented by the DC" }
# DER -> base64 PEM, the format ssl_ca_certs_file expects
$bytes = $caCert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [System.Convert]::ToBase64String($bytes, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
# WriteAllText does not create the folder, so make sure it exists first
$null = New-Item -ItemType Directory -Path "C:\certs" -Force
[System.IO.File]::WriteAllText("C:\certs\DC-CA-new.cer", $pem)
Write-Host "Done - saved to C:\certs\DC-CA-new.cer"
$sslStream.Dispose()
$tcpClient.Close()


Update authproxy.cfg: under the [ad_client] section, point ssl_ca_certs_file at the new file. The file is a standard PEM bundle, so if the DC's chain has an intermediate and a root you can concatenate both into it.

ssl_ca_certs_file=C:\certs\DC-CA-new.cer


Stop/start the authproxy service (from an elevated cmd; Windows PowerShell 5.1 does not accept && as a statement separator, so use Restart-Service DuoAuthProxy there):

net stop DuoAuthProxy && net start DuoAuthProxy

Run the connectivity tool again; all should be fixed:
C:\Program Files\Duo Security Authentication Proxy\bin> .\authproxy_connectivity_tool.exe
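Before restarting the service it is worth proving that the new file actually validates the DC's chain, rather than finding out from the connectivity tool. The script below is an added example, not part of the original post: it loads every PEM certificate from the new ssl_ca_certs_file, connects to the DC on 636, builds the chain with that file as the only acceptable anchor, and also reports whether the certificate name matches the host the proxy will connect to (a name mismatch fails verification just as an unknown CA does). DC1.domain.local and C:\certs\DC-CA-new.cer are assumptions; change both to match your environment.

```powershell
using namespace System.Security.Cryptography.X509Certificates
using namespace System.Net.Security

# Added example, not from the original post. Run on the authproxy server before
# restarting DuoAuthProxy. DC1.domain.local and C:\certs\DC-CA-new.cer are
# assumptions; change both to match your environment.
$DcHost   = "DC1.domain.local"        # same value as host= under [ad_client]
$CaBundle = "C:\certs\DC-CA-new.cer"  # same value as ssl_ca_certs_file

# 1. Load every PEM certificate in the bundle (the file may hold more than one).
$pemBlock = '-----BEGIN CERTIFICATE-----([^-]+)-----END CERTIFICATE-----'
$trusted  = [X509Certificate2Collection]::new()
foreach ($m in [regex]::Matches((Get-Content -Raw -Path $CaBundle), $pemBlock)) {
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $null = $trusted.Add([X509Certificate2]::new($der))
}
if ($trusted.Count -eq 0) { throw "No PEM certificates found in $CaBundle" }

# 2. Connect. The callback still accepts the handshake so we can inspect the
#    certificate, but it records the policy errors instead of discarding them.
$script:policyErrors = [SslPolicyErrors]::None
$tcp = [System.Net.Sockets.TcpClient]::new($DcHost, 636)
$ssl = [SslStream]::new($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $script:policyErrors = $errors; $true })
$ssl.AuthenticateAsClient($DcHost)
$leaf = [X509Certificate2]::new($ssl.RemoteCertificate)   # copy before Dispose
$ssl.Dispose(); $tcp.Close()

# 3. Build the chain using the bundle as the anchor: tell Windows to tolerate a
#    CA it does not know, then insist the chain ends at a certificate from the
#    bundle. Revocation is not what we are diagnosing, so it is skipped.
$chain = [X509Chain]::new()
$chain.ChainPolicy.ExtraStore.AddRange($trusted)
$chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
$built  = $chain.Build($leaf)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$anchoredInBundle = @($trusted | Where-Object { $_.Thumbprint -eq $anchor.Thumbprint }).Count -gt 0
$nameMismatch = ($script:policyErrors -band [SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0

# 4. Report every element, flagging anything already expired.
foreach ($e in $chain.ChainElements) {
    $c = $e.Certificate
    $expired = if ($c.NotAfter -lt (Get-Date)) { ' EXPIRED' } else { '' }
    "{0}  [{1}]  expires {2:yyyy-MM-dd}{3}" -f $c.Subject, $c.Thumbprint, $c.NotAfter, $expired
}
foreach ($s in $chain.ChainStatus) { "status: $($s.Status) $($s.StatusInformation)".Trim() }
if ($nameMismatch) {
    Write-Warning "Certificate does not match '$DcHost'; host= in [ad_client] must be a name on the DC certificate."
}
if (-not $anchoredInBundle) {
    Write-Warning "Chain does not end at a certificate from $CaBundle (it ends at $($anchor.Subject))."
}
if ($built -and $anchoredInBundle -and -not $nameMismatch) {
    "OK: $DcHost validates against $CaBundle; safe to restart DuoAuthProxy."
} else {
    Write-Error "Fix the above before restarting DuoAuthProxy."
}
```

The check deliberately ignores the Windows certificate store: the proxy validates against the file named in ssl_ca_certs_file, not against the machine's trusted roots, so a chain that Windows happens to trust can still fail inside authproxy if the file is stale. For the same reason the bundle should contain the root of the DC's chain, not just an intermediate, so that the chain can end at one of its certificates.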

Thursday, 15 January 2026

Cisco Duo: encrypting the password in the authproxy config file

 https://help.duo.com/s/article/2340?language=en_US


Backup

Take a backup of your authproxy.cfg file

Make sure the password is stored in a secure password manager before you overwrite it, since you will be deleting the plaintext copy afterwards.


Changes
Run a cmd as admin, switch into the Duo bin directory, and run:

C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_passwd.exe

Enter the password to be encrypted. The tool prints the encrypted value; paste it over the plaintext password in authproxy.cfg. The encrypted value is specific to the server it was generated on, so run the tool on each proxy server rather than copying the value between them.

You also need to rename the key to its _protected form:

service_account_password

becomes

service_account_password_protected

Restart the service

Test

If all is working, make sure the password is stored in the password manager, then delete any plaintext versions of the authproxy.cfg file, backups included.

If it is not working, drop the old config back in, restart the service and log a call with Duo support.
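A quick way to do the "Test" step properly is to scan the config for secrets that are still in plaintext. The script below is an added example, not part of the original post or of Duo's tooling. Besides service_account_password from this post it also checks skey, secret and radius_secret[_N], the other secret-bearing keys in authproxy.cfg; treat that list as an assumption and extend it for your own config. The sample config is constructed for the demo.

```powershell
# Added example, not part of the original post: report authproxy.cfg keys that
# still carry a plaintext secret, i.e. are not in their *_protected form.
function Get-PlaintextSecretKeys {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Assumed list of secret-bearing keys; *_protected variants do not match
    # because the pattern is anchored at both ends.
    $secretKey = '^(skey|secret|radius_secret(_\d+)?|service_account_password)$'
    $section = ''
    $lineNo  = 0
    foreach ($line in $Lines) {
        $lineNo++
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('#')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($t -match '^([A-Za-z0-9_]+)\s*=\s*(.*)$') {
            $key = $Matches[1]; $value = $Matches[2]
            if ($key -match $secretKey -and $value -ne '') {
                [pscustomobject]@{ Line = $lineNo; Section = $section; Key = $key }
            }
        }
    }
}

# Constructed sample: [ad_client] still has a plaintext service account
# password; [radius_server_auto] has a protected skey but a plaintext RADIUS secret.
$sampleCfg = @'
[ad_client]
host=DC1.domain.local
service_account_username=duo-svc
service_account_password=P@ssw0rd!
transport=ldaps
ssl_ca_certs_file=C:\certs\DC-CA-new.cer

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey_protected=<value printed by authproxy_passwd>
radius_ip_1=10.0.0.5
radius_secret_1=changeme
'@
$findings = @(Get-PlaintextSecretKeys -Lines ($sampleCfg -split "`r?`n"))
if ($findings.Count -eq 0) { 'OK: no plaintext secrets found' } else { $findings | Format-Table -AutoSize }

# Against the live file (default install path):
# Get-PlaintextSecretKeys -Lines (Get-Content 'C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg')
```

Run it against the live file after the edit and again after any later change to authproxy.cfg; a key showing up here means the plaintext step was missed for that section.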

Tuesday, 25 January 2022

2FA on FMC ASA and ASDM

- FMC:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214756-configure-duo-two-factor-authentication.html#anc7

However, kindly note that this document describes access for web users only and not the CLI, as CLI access using SSO is not supported for CLI users:

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/user_accounts_fmc.html#:~:text=SSO%20users%E2%80%94SSO%20users%20have%20web%20interface%20access%20only.


- ASA and ASDM:

Kindly note that ASA CLI and ASDM GUI authentication only requires integration with an external party (e.g. ISE or NPS); however, for ASA we can configure 2FA for VPN AnyConnect users as below:

https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768

https://duo.com/docs/sso-ciscoasa#:~:text=for%20each%20application.-,Configure%20Cisco%20ASA%20SSO,-Add%20Duo%20Single


But if we want to use it for CLI access only, without VPN, we could use RADIUS, which is supposed to be configured beforehand:

https://community.duo.com/t/secure-cisco-asdm-with-mfa/7516/4



Accordingly, kindly note that direct configuration of 2FA is not yet supported over ASDM, and an enhancement request to document this feature has been published under bug ID CSCvs85995:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs85995



Duo service name and tests:

Service display name: Duo Security Authentication Proxy Service

sc qc DuoAuthProxy

tasklist | findstr proxy_svc.exe

(the service binary is C:\Program Files\Duo Security Authentication Proxy\bin\proxy_svc.exe)

Run a PowerShell as admin:

cd "C:\Program Files\Duo Security Authentication Proxy\bin"

.\authproxy_connectivity_tool.exe