DUO allows new admin users in before they are enrolled with the DUO app.

markc7
Level 1

Hello everybody,

We use DUO to force admin users to use MFA to get on particular servers. Today I created a new admin account and got the person to sign in on a server that (I thought) was supposed to enforce users to use DUO. The user was able to get in the server - I then set the user up in DUO and sent the enroll link. The user then was able to get in and it forced him to use DUO once he enrolled.

That took me by surprise as I thought everybody was going to be blacklisted until they enrolled. Does anybody know if this is by design, a bug, or maybe I have something configured wrong somewhere?

Thanks for any help!

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee

@markc7 

You don't mention what Duo application you installed but I assume you are using Duo Authentication for Windows Logon ("Microsoft RDP" in the Duo Admin Panel) because you mention signing in on a server and there are lots of Windows servers out there.

If you look at the policy settings effective for the "Microsoft RDP" application installed on your server, what is the "New user policy" setting? If it's set to require enrollment (the default) or deny access, then a new Windows user should not be able to sign into a system with Duo for Windows Logon without being enrolled in Duo with a 2FA device. If it's set to allow access to unenrolled users, then someone can sign in without being stopped for MFA.

If your new user policy settings are set to require enrollment or deny access, might you also have an authorized networks policy defined? When you define network IPs or IP ranges in that policy config to allow access without MFA, there is an option to require enrollment from those networks. If that enrollment option isn't checked, that could also let a new user in at the server without MFA.

Duo, not DUO.

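
The two settings the reply above points at (New User Policy and the enrollment checkbox on Authorized Networks) decide together whether an unenrolled user gets past the logon prompt. The following is an added example, not Duo's code or API: it models that decision and flags the two configurations that let an unenrolled user in without MFA. The field names, outcome labels and CIDR values are assumptions for the model; Duo's real policy evaluation has more rules than these two.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# New User Policy values, as described in the reply (names are assumptions)
REQUIRE_ENROLLMENT = "require_enrollment"  # Duo default
ALLOW_ACCESS = "allow_access"
DENY_ACCESS = "deny_access"


@dataclass
class AuthorizedNetworks:
    allow_without_mfa: List[str]     # CIDRs allowed to skip 2FA (constructed values)
    require_enrollment: bool = True  # the "require enrollment" checkbox in that policy


@dataclass
class Policy:
    new_user_policy: str = REQUIRE_ENROLLMENT
    authorized_networks: Optional[AuthorizedNetworks] = None


def decide(policy: Policy, enrolled: bool, client_ip: str) -> str:
    """Outcome for one logon: 'allow_no_mfa', 'mfa', 'enroll' or 'deny'."""
    ip = ipaddress.ip_address(client_ip)
    nets = policy.authorized_networks
    if nets and any(ip in ipaddress.ip_network(c, strict=False)
                    for c in nets.allow_without_mfa):
        # Trusted network: 2FA is skipped; only the enrollment box can stop a new user
        if enrolled or not nets.require_enrollment:
            return "allow_no_mfa"
        return "enroll"
    if enrolled:
        return "mfa"  # normal second-factor prompt
    return {REQUIRE_ENROLLMENT: "enroll",
            ALLOW_ACCESS: "allow_no_mfa",
            DENY_ACCESS: "deny"}[policy.new_user_policy]


def find_gaps(policy: Policy) -> List[str]:
    """Audit helper: settings that let an unenrolled user in without MFA."""
    gaps = []
    if policy.new_user_policy == ALLOW_ACCESS:
        gaps.append("New user policy allows access to unenrolled users")
    n = policy.authorized_networks
    if n and n.allow_without_mfa and not n.require_enrollment:
        gaps.append("Authorized networks skip MFA without requiring enrollment: "
                    + ", ".join(n.allow_without_mfa))
    return gaps
```

Running `find_gaps` over each application's effective policy is a quick way to spot the second case, which is easy to miss because the New User Policy itself looks correct.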

4 Replies

zoferholy
Level 1

@markc7paybyplate wrote:

Hello everybody,

We use DUO to force admin users to use MFA to get on particular servers. Today I created a new admin account and got the person to sign in on a server that (I thought) was supposed to enforce users to use DUO. The user was able to get in the server - I then set the user up in DUO and sent the enroll link. The user then was able to get in and it forced him to use DUO once he enrolled.

That took me by surprise as I thought everybody was going to be blacklisted until they enrolled. Does anybody know if this is by design, a bug, or maybe I have something configured wrong somewhere?

Thanks for any help!


I’ve encountered something similar before! From what I understand, DUO’s default behavior doesn’t necessarily block access right away until the user completes enrollment. It seems like the user can still access the server temporarily before the MFA enforcement kicks in, which might be why they were able to sign in initially.

ammahend
VIP Alumni

Duo allows unenrolled users to access applications in a few ways, typically using grace periods, conditional access rules, or temporary bypass mechanisms to allow first-time access while encouraging or requiring eventual enrollment for MFA. Administrators can configure these policies to ensure a smooth transition to MFA while still permitting access where necessary. 

Cisco Duo can also be configured to deny access to applications for unenrolled users by enforcing mandatory MFA enrollment.

-hope this helps-

Thanks for your help!
