How to validate if LastPass Universal Proxy v5.x can communicate with your primary authentication server and/or LastPass Authentication Server?

    Problem

    Second-factor authentication (that is, Both LastPass MFA and system password (SFA) server mode) is not working with my LastPass Universal Proxy configuration. I would like to check if Universal Proxy can communicate with the LDAP/RADIUS server and if Universal Proxy can communicate with the LastPass Authentication Server.


    Figure 1. LastPass Universal Proxy Network Diagram

    For more information on server modes, see Server Modes.

    Remedy:

      In the Either LastPass MFA or system password (PLP) server mode, you can authenticate either with a password against the primary authenticator (that is, the LDAP/RADIUS server, number 3 in the previous image) or with the LastPass Authenticator app (that is, the LastPass Authentication Server, number 4 in the previous image). You can therefore check separately whether authentication works with the LDAP/RADIUS server and with the LastPass Authentication Server. Change the server mode in the Universal Proxy configuration to PLP:

      1. Open a terminal window based on your OS:
        Operating System                     Instructions
        Windows                              Open Command Prompt as an administrator.
        Linux CLI                            The terminal window is used by default.
        Linux with graphical user interface  Open the Terminal app.
        Mac                                  Open the Terminal app.
      2. Give the docker image a friendly name by executing the following command:
        docker tag <imageID> <friendlyname>

        For more information, view the Docker tag article.

      3. Create a volume to store the configuration and log files on your host OS. This volume must be mounted into the container on the guest OS.
        Set the /usr/local/universalproxy/volume path as mount point. For more information about creating a volume, view using volumes.
      4. Configure LastPass Universal Proxy v5.x by running the following command:
        docker run -v <nameofthevolume>:/usr/local/universalproxy/volume -it --rm <dockerimagerepository>:<dockerimagetag> -configurationTool
        Command example
        docker run -v universalproxy:/usr/local/universalproxy/volume -it --rm lastpass/universalproxy:5.0.0 -configurationTool
      5. When configuring the server setup in the Challenge mode field, choose Either LastPass MFA or system password [PLP].
      6. Complete the configuration.
      7. Once configured, start the container as follows:
        • LDAP:
          docker run --name=<friendlyname> -v <nameofthevolume>:/usr/local/universalproxy/volume -p <portofthecontainer>:389 -dit -e TZ=UTC <dockerimagerepository>:<dockerimagetag>
          Command example
          docker run --name=universalproxy -v universalproxy:/usr/local/universalproxy/volume -p 389:389 -dit -e TZ=UTC lastpass/universalproxy:5.0.0
        • RADIUS:
          docker run --name=<friendlyname> -v <nameofthevolume>:/usr/local/universalproxy/volume -p <RADIUSserverport>:1812/udp -p <listeningaccountingportofRADIUS>:1813/udp -dit -e TZ=UTC <dockerimagerepository>:<dockerimagetag>
          Command example
          docker run --name=universalproxy -v universalproxy:/usr/local/universalproxy/volume -p 1812:1812/udp -p 1813:1813/udp -dit -e TZ=UTC lastpass/universalproxy:5.0.0
        For detailed instructions, view the following articles:

      Log in to your VPN client

      1. Check if Universal Proxy can communicate with the LastPass Authentication Server:
        • If you use the LDAP/LDAPS protocol, enter fewer than 4 characters in the password field to use the LastPass Authenticator app and receive a push notification.
        • If you use the RADIUS protocol, enter an asterisk (*) in the VPN client password field to use the LastPass Authenticator app and receive a push notification.

        Result:

        If you receive a push notification, Universal Proxy can communicate with the LastPass Authentication Server.

        If you do not receive a push notification, Universal Proxy cannot communicate with the LastPass Authentication Server.

      2. Check if Universal Proxy can communicate with the LDAP/RADIUS server:
        • Log in to your VPN client with your test user’s credentials.

        Result:

        If the authentication works, and you can log in, it means Universal Proxy can communicate with the LDAP/RADIUS server.

        If the authentication fails and you cannot log in, it means Universal Proxy cannot communicate with the LDAP/RADIUS server.
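
Added example (not LastPass code): a preflight to run before the login tests above. It confirms that the container started in step 7 publishes the ports given in the page's docker run commands with the right protocol, so that a missing or TCP-only mapping is not mistaken for a server communication failure. The helper name check_published and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Reads `docker port <container>` output on stdin and checks that the
# container ports from the page's `docker run -p ...` commands are published.
# check_published is a hypothetical helper name, not part of Universal Proxy.
#
# Live usage: docker port universalproxy | check_published radius

check_published() {
    mode=$1
    case "$mode" in
        ldap)   required="389/tcp" ;;            # -p <port>:389
        radius) required="1812/udp 1813/udp" ;;  # -p ...:1812/udp -p ...:1813/udp
        *) echo "usage: check_published ldap|radius" >&2; return 2 ;;
    esac

    mappings=$(cat)   # lines such as "1812/udp -> 0.0.0.0:1812"
    missing=""
    for want in $required; do
        if ! printf '%s\n' "$mappings" | grep -q "^${want} -> "; then
            missing="${missing} ${want}"
            # Same port number under another protocol: /udp was probably
            # left off the -p option, so Docker published TCP instead.
            num=${want%/*}
            if printf '%s\n' "$mappings" | grep -q "^${num}/"; then
                missing="${missing}(wrong-protocol)"
            fi
        fi
    done

    if [ -n "$missing" ]; then
        echo "NOT PUBLISHED:${missing}"
        return 1
    fi
    echo "OK: ${required}"
}

# Constructed sample `docker port` outputs (not captured from a real host).
SAMPLE_RADIUS_OK='1812/udp -> 0.0.0.0:1812
1813/udp -> 0.0.0.0:1813'
SAMPLE_RADIUS_TCP='1812/tcp -> 0.0.0.0:1812
1813/udp -> 0.0.0.0:1813'
SAMPLE_LDAP_OK='389/tcp -> 0.0.0.0:389'
```

A non-zero exit status means the VPN client cannot reach the proxy listener at all, which is a separate problem from the two communication checks above.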