Is there a way to restrict certain Duo users to specific ip address ranges?

Wayne3
Level 1

Is there a way to restrict certain Duo users to specific ip address ranges?

If the IP address for the browser doesn’t match, then deny the login. (Not bypass Duo auth if the IP address range matches…which is a current feature).

Accepted Solutions

jamieis
Cisco Employee

Hey @Wayne,

My name is Jamie and I’m with Duo.

Currently, there is not a way to blacklist IP addresses within the Duo policies.

The current feature we offer called Authorized Networks allows you to not enforce 2FA based on certain IP addresses. You can also configure it to force them to complete 2FA even if another policy would let them bypass.

Another policy we offer is User Location which lets you set users to bypass, force 2FA, or deny based on the country they are currently in.

I’d recommend reaching out to your Account Executive and having them file a feature request for blacklisting IP ranges.

Thanks for being a Duo customer!

2 Replies

jamieis
Cisco Employee

Hey @Wayne,

Another option that might work for you is a 3rd setting available under the Authorized Networks policy called "Deny access from all other networks".

You could specifically bypass 2FA / enforce 2FA from specific networks and then block 2FA from all other networks that are not listed.
