Universal Proxy
 
  • Add a VPN and Legacy app in the LastPass Admin Dashboard and download the LDAP agent.
  • Copy the “MFA Key”.

Prerequisites: Java 11
Linux Installation

LDAP

  • Unzip the file “lastpass-proxy.zip” that you downloaded from the LastPass Admin Dashboard. 
  • Open a terminal and execute the following script as the root user:
    sudo sh lastpass-proxy/bin/install.sh
  • The service configuration screen will show up. Select “LDAP” as the protocol. Set a listening “Port”. If you wish to enable secure connections, select a certificate in pfx format containing a public and a private key.
  • Set the “MFA Key” that you retrieved from the LastPass admin portal (Application > Legacy & VPN, copy the LastPass MFA key value and paste it here).
  • Click on “Next”.

Universal proxy installation 1

Protocol – network protocol to be used by the service
Port – listening port
Auth URL – URL of the authentication service endpoint
MFA Key – MFA key from the legacy app section of the Admin Dashboard
TLS Certificate – certificate file to provide if you wish to enable SSL/TLS connections
Overwrite Bind – makes all bind requests succeed

  • Now select the “Server Mode” that best suits your needs.

LastPass for LastPass authentication only
Password or LastPass for password or LastPass authentication
2nd Factor Authentication for LastPass authentication along with password authentication

 

Universal Proxy Installation 2

 

Domain – organization’s domain
Admin User – create an administrator user
Admin Password – set administrator password

If you selected Password or LastPass, or 2nd Factor Authentication, then you’ll be asked to provide your LDAP directory server parameters. 

Universal Proxy Installation 3

 

Host – LDAP directory server name or IP address
Port – LDAP directory server port
TLS – enables secure connections to LDAP server
Admin User – LDAP user with read permissions on directory users

  • Click on the “Install” button. You’ll get a confirmation message. The service will start automatically after installation. You can start, stop and check service status with the following commands:
    service lastpass-proxy start
    service lastpass-proxy stop
    service lastpass-proxy status
  • As an alternative, you can check whether the service is up and running by checking the listening port with the following command:
    netstat -atun | grep :<service_port_number>
 
RADIUS

Only PAP and CHAP modes are supported. Authorization and Accounting are not supported by the service.

  • Unzip the file “lastpass-proxy.zip” that you downloaded from the LastPass Admin Dashboard. 
  • Open a terminal and execute the following script as the root user:
    sudo sh lastpass-proxy/bin/install.sh
  • The service configuration screen will show up. Select RADIUS as the protocol. Set a listening port.

Universal Proxy Installation 4

 

  • Set the “MFA Key” that you retrieved from the LastPass admin portal (Application > Legacy & VPN, copy the LastPass MFA key value and paste it here). 

Universal Proxy 4

  • Set your organization’s domain name in Domain.
  • Set a RADIUS secret.
  • Click on the “Install” button. If everything is OK, you’ll get a confirmation message. The service will start automatically after installation. You can start, stop and check service status with the following commands:
    service lastpass-proxy start
    service lastpass-proxy stop
    service lastpass-proxy status 
  • As an alternative, you can check whether the service is up and running by checking the listening port with the following command:
    netstat -atun | grep :<service_port_number> 
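
The `grep :<service_port_number>` check above also matches established connections and longer port numbers that merely begin with the same digits (`:1389` matches `:13890`). The following added example, which is not part of the original LastPass instructions, reads `netstat -atun` output and succeeds only for a real listener on the exact port. The function names, the sample addresses and UDP port 1812 are assumptions, and it assumes LDAP listens on TCP and RADIUS on UDP.

```shell
#!/bin/sh
# Added example: strict listener check for the proxy port.
# Reads `netstat -atun` output on stdin.
# Live usage: netstat -atun | proxy_listening tcp 1389

proxy_listening() {
    # $1 = tcp or udp, $2 = port number
    awk -v proto="$1" -v port="$2" '
        $1 !~ ("^" proto "6?$")          { next }  # other protocol (tcp6/udp6 accepted)
        $5 !~ /:\*$/                     { next }  # has a peer: a connection, not a listener
        proto == "tcp" && $6 != "LISTEN" { next }  # TCP sockets must be in LISTEN state
        {
            n = split($4, part, ":")               # port is the last ":" field (IPv4 and IPv6)
            if (part[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample output (not captured from a real host).
# 1389 is the default listening port shown by the installer;
# 1812 is an assumed RADIUS port used only for illustration.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1389            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1389           10.0.0.7:40112          ESTABLISHED
tcp        0      0 10.0.0.5:44210          10.0.0.9:13890          ESTABLISHED
udp        0      0 0.0.0.0:1812            0.0.0.0:*'

report() {
    # Print a one-line verdict for protocol $1 and port $2 on the sample.
    if printf '%s\n' "$SAMPLE_NETSTAT" | proxy_listening "$1" "$2"; then
        echo "$1/$2: listening"
    else
        echo "$1/$2: NOT listening"
    fi
}

report tcp 1389    # LDAP listener present
report tcp 13890   # only appears as a remote port, so no listener
report udp 1812    # RADIUS listener present
```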

 

Text Mode Installation 
  • To install the proxy in text mode, execute this command as an administrator:

    Linux:
    sudo sh lastpass-proxy/bin/install.sh nogui

    Windows:
    lastpass-proxy\bin\install.bat nogui

The following is an example of an installation with the LDAP protocol and “Password or LastPass” (PLP) mode. Input values are highlighted in bold. Default values are shown in brackets; if you wish to use the default value, just press Enter. A list of allowed values is shown in square brackets; in this case, you must enter one of the listed values.

  • Set the “MFA Key” that you retrieved from the LastPass admin portal (Application > Legacy & VPN, copy the LastPass MFA key value and paste it here).
  • Set an application name if you wish to enable user authorization on the LastPass side.
  • The certificate used to enable secure connections must be in pfx format and contain a public and a private key.

Select the protocol [LDAP, RADIUS, RADSEC] LDAP 
Enter the listening port (1389)    
Enter the authentication URL (https://identity-api.lastpass.com/v2/id) 

Do you wish to enable user authorization? [y, n] y  
Enter the application name VPN Server  
Enter the LastPass MFA key 
Do you wish to enable secure connections [y, n] y   
Enter the certificate path /home/user/cert.pfx   
Overwrite bind response [y, n] (n)    
Select the server mode [LP, PLP, SFA] PLP   
Enter the organization domain client.org   
Enter the LDAP server address dc.client.org  
Enter the LDAP server port  636   
Are secure connections enabled? [y, n] y   
Enter the LDAP administrator user cn=administrator,cn=users,dc=client,dc=org 
service installed   
installation successful 

Available server modes are: 

LastPass (LP) for LastPass authentication only 
Password or LastPass (PLP) for password or LastPass authentication 
2nd Factor Authentication (SFA) for LastPass authentication along with password authentication