Cisco DUO problem with AD

Chatchawan
Level 1

Dear All

  I would like your support. I use Cisco DUO, integrated with our local Microsoft Active Directory, and we have a schedule to sync information every 8 hours. But we found an issue: when our users change their password from their computer, and after 8 hours pass they go home and try to use the VPN, Cisco Duo always informs them that they cannot log in. We tried a manual sync, and it still does not work. As a workaround, we need to reset the user's password in the Active Directory console and then sync manually to Cisco Duo.

  Where can I get logs to check what the root cause of this problem is, and how to fix it?

7 Replies

DuoKristina
Cisco Employee

I don't quite understand your problem. Duo's directory sync does not sync in any of your users' passwords. Today Duo does not store any of your users' passwords.

How is your VPN performing primary authentication?

Duo, not DUO.

Chatchawan
Level 1

We use a VPN that has MFA. The first authenticator is our local Microsoft Active Directory; the second authenticator is Cisco Duo.

My problem is that when users change their password from their notebooks in the office, and then go back home and try to connect to the VPN with the new password, they cannot log in. The Duo console shows that the password is wrong. (The scheduled sync works, with no errors.) As a workaround, I reset their password from the local AD console and manually sync to Cisco Duo; then the user can log in to the VPN, and Duo is working.

Sorry, you're not providing enough information to assist you. What is your VPN? Did you add Duo to your VPN using LDAP, RADIUS, or SAML? What client do your users launch on their laptops to connect? 

Duo, not DUO.

Dear DuoKristina

   Our firewall is Palo Alto, and our VPN uses RADIUS authentication. The RADIUS server setting points to a local server that has the Cisco Duo proxy server installed.

Thanks for this extra detail.

In the configuration you describe (users synced into Duo from AD; Palo Alto pointing to Duo Authentication Proxy as a RADIUS server) there is absolutely nothing Duo is doing to store or cache the AD passwords for your users. Duo also maintains no record of when a user last set their AD password; that information is never sent to Duo during authentication or directory sync.

I suggest you contact Duo Support for more help diagnosing the situation.

Duo, not DUO.

dwalker1
Level 1

We started using Duo SSO, and if we change an AD setting for a user, let's say the "Log In to.." setting to restrict what computer that user should RDP to once they establish a VPN connection, they are greeted with invalid credentials when trying to authenticate with SSO.

Correct, if the LDAP bind for a user via your configured Duo SSO AD authentication server(s) fails (including due to workstation restriction) it will be reported as invalid creds.

Duo, not DUO.
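
An added example, not part of the thread and not Duo's code: because a failed LDAP bind surfaces as invalid credentials whatever the cause, the diagnostic string Active Directory returns with the failed bind is what separates a wrong password from an account restriction such as a workstation limit. It assumes you have that string available (for instance from a test bind with an LDAP client); the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Windows logon sub-codes that AD embeds (in hex) in a failed LDAP bind diagnostic.
BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "wrong username or password",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password at next logon",
    0x775: "account locked out",
}
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def classify_bind_failure(message):
    """Return (subcode, reason, is_bad_password) for one diagnostic, or None."""
    m = DATA_RE.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)
    # Only 0x52e means the password that was typed is actually wrong.
    return code, BIND_SUBCODES.get(code, "unknown sub-code"), code == 0x52E

def summarize(lines):
    """Count failure reasons across many lines, skipping lines with no sub-code."""
    reasons = Counter()
    for line in lines:
        hit = classify_bind_failure(line)
        if hit:
            reasons[hit[1]] += 1
    return reasons

# Constructed sample diagnostics (not taken from the thread or from a real log).
SAMPLE = [
    "80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 531, v3839",
    "80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839",
    "80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 773, v3839",
    "bind succeeded",
]

if __name__ == "__main__":
    for reason, count in summarize(SAMPLE).items():
        print(f"{count}  {reason}")
```

A sub-code other than 52e means a password reset is not the fix: the account's restriction or state has to be corrected in AD.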