Question

  • Creator
    Topic
  • #3937719

    Accessing VPN using DUO append mode locking users out

    by jessehall5489 ·

    We are using RRAS and DUO for out 2FA. Some users have older phones, so we have some hardware tokens for them. We are trying to use those tokens using append mode with their password. They are able to successfully connect, but within a minute their accounts are locked out. I have disabled credential manager from storing any values. Its like windows is trying to reconnect to drives with the new credentials.

    Using append mode example:
    Username: jdoe
    Password: Secure
    Hardware token: 123456789

    So when logging in the user enters in their username, and for the password they enter Secure,123456789

    DUO has been of no support. We are thinking it might be something in our configuration file, or maybe there is something else on the server on our side that we need to modify. Has anyone else run into this, or have a solution?

You are posting a reply to: Accessing VPN using DUO append mode locking users out

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our Community FAQs for details. All submitted content is subject to our Terms of Use.

All Answers

  • Author
    Replies
    • #3940328

      Not this supplier but others.

      by rproffitt ·

      In reply to Accessing VPN using DUO append mode locking users out

      When a failure occurs like this, we have to find replacements. That’s the job of our IT department so back to your IT lead and let them find a new system.

      PS. Actually I have to give this one to Kees. Old Android phones can be problematic in this area. Yes, you may have folk that demand that old phones work too.

      • #3940320

        Old iphones

        by jessehall5489 ·

        In reply to Not this supplier but others.

        In this case our 2 users have old iphones, and those phones work fine. They are just now unsupported by the DUO app. We implemented DUO a few months ago, so we don’t plan on changing. Them being acquired by Cisco I cannot say is the best thing with their support now. I am just reaching out to see if there is something in RRAS that we can modify to not pass along those appended credentials to the users local session when logging onto the VPN.

        • #3940319

          The thing with phones.

          by rproffitt ·

          In reply to Old iphones

          Is that they are all over the map.

          So you have phones that don’t work but no mention of the make, model and version OS on those phones. I can’t look into why these would fail or if there are phone OS updates.

          iPhones tend to force the updates and that’s probably why they work.

          -> This reminds me of a story about some of my old apps not working on Windows 95/98. I only supported such on XP and newer but the company asked how much to get it working on W95/98. I knew it was possible so put together a bid of about 25 thousand. PCs were cheaper than that so they never progressed on the W95/98 version.

        • #3940317

          iphone 6s

          by jessehall5489 ·

          In reply to The thing with phones.

          The issue with the 6S is that it can only go up to iOS12.5.5, and that version is now unsupported by DUO, and we cannot install their app on the phone. The issue is we believe somewhere in the config file on the server. Today it seems like I finally have a direct contact within DUO and hopefully they can point us in the right direction. I can’t imagine a company that size and we are the only client using append mode in authentication to connect to VPN.

        • #3940316

          I agree with DUO and dropping support for the 6S. Why?

          by rproffitt ·

          In reply to iphone 6s

          This phone rolled out in 2015 so there are not many left and Apple isn’t updating it as well.

          As a developer I would pass since to test it I’d have to find 6S phones for the dev and test team and after all that we would be adding support for so few owners.

    • #3940327

      A cheap solution

      by kees_b ·

      In reply to Accessing VPN using DUO append mode locking users out

      As long it’s a “few” users give them the cheapest phone that works, just the device. No need for a subscription or a SIM-card, if WiFi is enough. If they need a SIM-card, use prepaid which is free as long as you don’t use the phone to make calls.
      Should work for years.

      • #3940321

        The way we are leaning

        by jessehall5489 ·

        In reply to A cheap solution

        Thanks. This is actually something we already talked about internally as we currently only have 2 users that this would affect. We discussed just buying a couple of cheap tablets that would in essence only be used for the DUO app.

    • #3939055

      Duo’s append mode

      by avandor ·

      In reply to Accessing VPN using DUO append mode locking users out

      Duo’s append mode locking users out can be a frustrating experience. If you’re having trouble accessing your VPN using Duo, there are a few things you can do to troubleshoot the issue.

      First, make sure that you’re using the correct login credentials. If you’ve recently changed your password, make sure that you’re using the updated credentials.

      If you’re still having trouble logging in, try resetting your Duo authentication. To do this, click on the “Reset” link under the “Authentication” tab in the Duo Admin Panel. This will reset your authentication and allow you to log in again.

      If you’re still having trouble logging in, contact the IT Help Desk for assistance.

Viewing 2 reply threads