topic Re: Cisco DUO problem with AD in Managing Users

Cisco DUO problem with AD

Chatchawan — Fri, 21 Jul 2023 11:07:27 GMT

Dear All

I would like your support, I used Cisco DUO , integrate with Local Microsoft active directory, we have schedule to sync information every 8 Hrs. but we found issue , when our user change password from their computer , but after 8 hrs pass, they go to home and try to used VPN, Cisco duo away inform can not login, we try to manual sync.it still not working , for work around we need to reset user's password on Active directory console then sync manual to cisco duo

where I can get log to check what is root cause of these problem, and how to fix it

Re: Cisco DUO problem with AD

DuoKristina — Fri, 21 Jul 2023 13:42:53 GMT

I don't quite understand your problem. Duo's directory sync does not sync in any of your users' passwords. Today Duo does not store any of your users' passwords.

How is your VPN performing primary authentication?

Re: Cisco DUO problem with AD

Chatchawan — Sat, 22 Jul 2023 14:14:02 GMT

We used VPN that have MFA, first Authenticator is our local Microsoft Active directory , 2nd Authenticator is Cisco Duo

my problem is , when user change password from these notebook in office, when they go back home and try to connect vpn with new password , it's can not login. on Duo console is show password is wrong. ( schedule sync is work, no error ) , for work around I reset their password from local AD console, and manual sync to cisco duo, user can login VPN, and duo is working

Re: Cisco DUO problem with AD

dwalker1 — Mon, 24 Jul 2023 12:48:10 GMT

We started using duo sso and if we change a AD setting for a user, lets say the "Log In to.." setting to restrict what computer that user should RDP to once they establish a vpn connection, they are greeted with invalid credentials when trying to authenticate with sso.

Re: Cisco DUO problem with AD

DuoKristina — Tue, 25 Jul 2023 14:01:48 GMT

Sorry, you're not providing enough information to assist you. What is your VPN? Did you add Duo to your VPN using LDAP, RADIUS, or SAML? What client do your users launch on their laptops to connect?

Re: Cisco DUO problem with AD

DuoKristina — Tue, 25 Jul 2023 14:04:12 GMT

Correct, if the LDAP bind for a user via your configured Duo SSO AD authentication server(s) fails (including due to workstation restriction) it will be reported as invalid creds.

Re: Cisco DUO problem with AD

Chatchawan — Thu, 27 Jul 2023 10:12:21 GMT

Dear DuoKristina

Our firewall is Paloalto, our VPN used RADIUS authenticate, Radius Server setting is point to local server that install cisco duo proxy server

Re: Cisco DUO problem with AD

DuoKristina — Thu, 27 Jul 2023 19:06:56 GMT

Thanks for this extra detail.

In the configuration you describe (users synced into Duo from AD; Palo Alto pointing to Duo Authentication Proxy as a RADIUS server) there is absolutely nothing Duo is doing to store or cache the AD passwords for your users. Duo also maintains no record of when a user last set their AD password; that information is never sent to Duo during authentication or directory sync.

I suggest you contact Duo Support for more help diagnosing the situation.