Windows Forum·65,826 discussions

Accessing VPN using DUO append mode locking users out

We are using RRAS and DUO for out 2FA. Some users have older phones, so we have some hardware tokens for them. We are trying to use those tokens using append mode with their password. They are able to successfully connect, but within a minute their accounts are locked out. I have disabled credential manager from storing any values. Its like windows is trying to reconnect to drives with the new credentials.

Using append mode example:
Username: jdoe
Password: Secure
Hardware token: 123456789

So when logging in the user enters in their username, and for the password they enter Secure,123456789

DUO has been of no support. We are thinking it might be something in our configuration file, or maybe there is something else on the server on our side that we need to modify. Has anyone else run into this, or have a solution?

Topic

Not this supplier but others.

In reply to Accessing VPN using DUO append mode locking users out

When a failure occurs like this, we have to find replacements. That’s the job of our IT department so back to your IT lead and let them find a new system.

PS. Actually I have to give this one to Kees. Old Android phones can be problematic in this area. Yes, you may have folk that demand that old phones work too.

Old iphones

In reply to Not this supplier but others.

In this case our 2 users have old iphones, and those phones work fine. They are just now unsupported by the DUO app. We implemented DUO a few months ago, so we don’t plan on changing. Them being acquired by Cisco I cannot say is the best thing with their support now. I am just reaching out to see if there is something in RRAS that we can modify to not pass along those appended credentials to the users local session when logging onto the VPN.

The thing with phones.

In reply to Old iphones

Is that they are all over the map.

So you have phones that don’t work but no mention of the make, model and version OS on those phones. I can’t look into why these would fail or if there are phone OS updates.

iPhones tend to force the updates and that’s probably why they work.

-> This reminds me of a story about some of my old apps not working on Windows 95/98. I only supported such on XP and newer but the company asked how much to get it working on W95/98. I knew it was possible so put together a bid of about 25 thousand. PCs were cheaper than that so they never progressed on the W95/98 version.

iphone 6s

In reply to The thing with phones.

The issue with the 6S is that it can only go up to iOS12.5.5, and that version is now unsupported by DUO, and we cannot install their app on the phone. The issue is we believe somewhere in the config file on the server. Today it seems like I finally have a direct contact within DUO and hopefully they can point us in the right direction. I can’t imagine a company that size and we are the only client using append mode in authentication to connect to VPN.

I agree with DUO and dropping support for the 6S. Why?

In reply to iphone 6s

This phone rolled out in 2015 so there are not many left and Apple isn’t updating it as well.

As a developer I would pass since to test it I’d have to find 6S phones for the dev and test team and after all that we would be adding support for so few owners.

A cheap solution

In reply to Accessing VPN using DUO append mode locking users out

As long it’s a “few” users give them the cheapest phone that works, just the device. No need for a subscription or a SIM-card, if WiFi is enough. If they need a SIM-card, use prepaid which is free as long as you don’t use the phone to make calls.
Should work for years.

The way we are leaning

In reply to A cheap solution

Thanks. This is actually something we already talked about internally as we currently only have 2 users that this would affect. We discussed just buying a couple of cheap tablets that would in essence only be used for the DUO app.

Duo’s append mode

In reply to Accessing VPN using DUO append mode locking users out

Duo’s append mode locking users out can be a frustrating experience. If you’re having trouble accessing your VPN using Duo, there are a few things you can do to troubleshoot the issue.

First, make sure that you’re using the correct login credentials. If you’ve recently changed your password, make sure that you’re using the updated credentials.

If you’re still having trouble logging in, try resetting your Duo authentication. To do this, click on the “Reset” link under the “Authentication” tab in the Duo Admin Panel. This will reset your authentication and allow you to log in again.

If you’re still having trouble logging in, contact the IT Help Desk for assistance.

[Author]

Replies