06-14-2023 09:25 AM
We have some contractors that work remotely and they currently use DUO Mobile - Push for a 2nd factor authentication. We are to require the contractors to change their password after X days have passed.
These contractors only work remotely and never come into the office. How can we allow these remote users to change their passwords with DUO?
06-14-2023 09:27 AM
I want to say that setting up a new security group for these users and enabling DUO Single Sign-On, while only allowing specific security groups to use Single Sign-On, may do the trick.
What do you guys think?
06-14-2023 11:20 AM
There are a few different options that would allow a password reset. Would you not want other users besides these contractors to be able to change their passwords remotely?
One is, as you found, to set up Duo SSO with Active Directory and proactive password change, and then restrict access to Duo Central to just permitted groups.
Another option could be available through a VPN configuration. If the VPN allows chained primary and secondary authentication then you could point primary auth to AD and just secondary auth to Duo via RADIUS. When a user’s password expires they could reset it through the VPN directly against AD. An example of that config is here: Duo RADIUS Two-Factor Authentication with Password Reset for Cisco ASA SSL VPNs | Duo Security
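The chained VPN setup described in the reply above, sketched as a Cisco ASA configuration fragment. This is an added example, not part of the original post or Duo's documentation; the group names, addresses (RFC 5737 documentation ranges), base DN and secrets are constructed placeholders, and the RADIUS host is assumed to be a Duo Authentication Proxy running in Duo-only mode.

```text
! Primary authentication: Active Directory over LDAPS.
! The ASA can only pass an AD password change through LDAP when
! LDAP over SSL is enabled and the server type is Microsoft.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 ldap-over-ssl enable
 server-type microsoft

! Secondary authentication: RADIUS to the Duo Authentication Proxy.
! The long timeout leaves the user time to approve the push.
aaa-server Duo-RADIUS protocol radius
aaa-server Duo-RADIUS (inside) host 192.0.2.20
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 timeout 60

! Connection profile used only by the contractors (hypothetical name).
tunnel-group CONTRACTORS-VPN general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group Duo-RADIUS use-primary-username
 ! Lets a user with an expired or expiring AD password change it at login.
 password-management password-expire-in-days 14
```

Because the password is verified and changed against AD directly, the Duo step only ever sees the username and the second factor; restricting who can reach this connection profile is what limits remote password changes to the contractor group.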