Re: DUO MFA

waquilio · ‎12-18-2024

We have implemented DUO MFA for a year or two.

It works well except we have one issue.

When a user is remote and their account expires it does not allow them to log in.

We used to use RSA token but we authenticated first and then logged in with Windows account info.

With DUO we authenticate the MFA after the log in.

Users will get access denied and we will have to reset them and not force a password change until they are back on prem.

What would we need to implement in order to allow users to change their expired password remotely?

Thanks,
Will

DuoKristina · ‎12-19-2024

It's impossible to answer your question unless you specify how you have deployed Duo. Are you using it with some VPN and RADIUS/LDAP, are you talking about an SSO integration, have you installed Duo for Windows Logon, or ... ?

Duo, not DUO.

waquilio · ‎12-19-2024

Right now we are 99% virtual.

We use Igel software on all laptops and on prem PCs.

We have DUO authentication for Windows Log on installed on all servers for our Domain Admins to RDP.

All standard users have no MFA when on prem but are part of a Duo Remote Access security group in AD that allows MFA authentication when remoting in through the UAG gateways.

Will

DuoKristina · ‎12-19-2024

Where are they trying to change the password? At a Windows system that has Duo for Windows Logon installed, or when they are remoting in via UAG? If you have UAG configured to also use Duo authentication, how did you set that up?

Duo, not DUO.

waquilio · ‎12-23-2024

Hi,

Users are changing their password from the log on box remotely.

We have flashed the Windows PCs with iGel software so they act as dummy terminals just for logging in.

There is no MFA when on prem.

Duo for Windows logon is only installed on servers so we can fulfill audit findings that our Domain Admins use MFA.

I would have to inquire more with our MSP since we did not set it up internally.

Thanks,
Will