Showing results for 
Search instead for 
Did you mean: 

Duo Auth proxy and ASA VPN locking user on Domain

Damir Dukaric
Level 1
Level 1

Hello everybody,

We have situation where there is user lockout policy on domain , after three bad password attempts. We have problem that users lock themselves after one missed duo push.

ASA SSL vpn is configured to have 60 second timeout with 10 second retry interval (as per documentation on DUO)

What we are seeing in Duo Auth proxy logs is "packet has invalid authenticator". Do you maybe have any ideas why users are locking themselves after first missed push auth?




2 Replies 2

Cisco Employee
Cisco Employee

Hmm, are you trying to use EAP in a Duo config that doesn't support it? What if you switch to MS-CHAPv2 with no EAP (or even just PAP as a test), does it work?

Duo, not DUO.

What's your login attempt limit before a user is locked out? 

Is the proxy binding to AD as the user or as the machine?


Set it up to bind as the machine.. otherwise an incorrect pw is going to count for more than one login attempt so they get locked.out faster.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links