product icon

What is LastPass Universal Proxy?

    LastPass Universal Proxy is an on-premises software that receives authentication requests from your network application (for example, a VPN server), then authenticates against your primary authenticator (that is, LDAP or RADIUS server) and/or LastPass Authentication Server using LDAP, LDAPS or RADIUS protocol. LastPass can perform secondary authentication through LastPass' cloud-based Multifactor Authentication (MFA) Server.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

    The following figure shows a simplified example of a basic small business network, where a VPN is part of the network. Using a firewall ensures that the resources within the network are for internal company use only.

    Remote workers are able to securely connect to their company network by using VPN connections. This can be done safely, continuing to keep the data private, by encrypting those connections.

    The VPN server itself can authenticate users or it can delegate the authentication to an LDAP or RADIUS server.

    When the company wants to have a more secure authentication and include MFA for this purpose, LastPass Universal Proxy can be introduced to the network.

    The following figure shows the authentication flow of LastPass Universal Proxy:

    Figure 1. LastPass Universal Proxy Network Diagram
    1. The user logs in through their client.
    2. The Application server forwards the request to the Universal Proxy.
    3. Universal Proxy verifies credentials with primary authentication server (that is, LDAP or RADIUS).
      Note: Connections 2 and 3 must carry authentication requests of the same protocol (that is, both in LDAP or both in RADIUS).

      If you would like to secure the connection and use encryption between the Application server and the LDAP Server, you can use the LDAPS protocol instead of LDAP. For more information, see Using the LDAP over SSL (LDAPS) protocol in the LastPass Universal Proxy setup.

    4. Universal Proxy requests secondary authentication from LastPass Authentication Server.
      Note: Universal Proxy can authenticate against the LDAP/RADIUS server and/or against LastPass Authentication Server, depending on the authentication mode configured. For more information see Server Modes.
    5. LastPass Authentication Server issues MFA challenge.
    6. User completes biometric authentication using the LastPass Authenticator app.
    7. LastPass Authentication Server validates authentication and sends response.
    8. Universal Proxy converts API response to LDAP or RADIUS format and sends result to the Application server.

    Server Modes

    There are three different server modes available when configuring the LastPass Universal Proxy using LDAP, LDAPS or RADIUS protocols. The following table shows a summary of these options, based on whether it requires authentication using the LastPass Authenticator app or using a password.

    Table 1. Authentication Configuration - Server Modes

    LastPass MFA Authentication


    Both LastPass MFA and password authentication


    LastPass MFA or password authentication


    LastPass Authenticator app X X X  
    Require password   X   X
    For more information about the server modes and available factors, see Server mode default authentication methods
    • For the RADIUS PAP/LDAP/LDAPS protocol, when using the LastPass MFA or system password (PLP) mode, you must enter the required factor, that is, push or call in the VPN client password field to opt-in to use the LastPass Authenticator app.
    • If you choose the LastPass MFA Authentication (LP) mode, the LastPass Authenticator app will do the authentication, but it will never communicate with any LDAP/RADIUS server. Also, in LastPass MFA Authentication (LP) mode, it is not necessary to have a LDAP/RADIUS server in the network architecture.

    Policy restrictions

    The "Restrict access by country" policy is not supported by LastPass Universal Proxy. Enabling this policy in the LastPass new Admin Console will lead to authentication issues.
    Tip: To set a location restriction when using LastPass Universal Proxy, enable the following policies:
    • Restrict LastPass Authenticator usage by location
    • Require use of LastPass MFA to accept only LastPass Authenticator login requests