Passwordless lets you in even if AD creds are locked out

bjames
Level 5

Hi 

We are having some issues with an FTD VPN setup where we get certain errors after authenticating, but on trying again it lets you in. I have a case open with Cisco but they are very slow to respond. We found that if the user locks out their account with too many wrong passwords, they can still get authenticated and get into the VPN.

The next test will be to eliminate Passwordless (even though it's a Duo recommended setting in the policy) and testing it again.

Anyone else find this issue?


Philip D'Ath
VIP Alumni

How have you got the VPN authenticating against Duo? SAML against Duo? SAML against Entra using an EAM?

Hi Philip,

We are using SAML with Duo

Philip D'Ath
VIP Alumni

And this is using the AD auth proxy?

What does the AD auth proxy log say when the user is incorrectly given access? It should be located somewhere near:
C:\Program Files\Duo Security Authentication Proxy\log

The logs don't tell us much as we see the call to AD and the identifying samaccount name.

Just thinking about this further. The Duo Auth Proxy does check whether the AD account is disabled/enabled.

However, it doesn't check if a password lockout has been triggered. I think this is working as expected.
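The distinction Philip draws above (disabled versus locked out) maps to two different Active Directory attributes: a disabled account carries the ACCOUNTDISABLE bit (0x2) in `userAccountControl`, while a lockout is recorded in `lockoutTime` (a Windows FILETIME that is not cleared when the domain's lockout duration expires) or in the DC-computed UF_LOCKOUT bit (0x10) of `msDS-User-Account-Control-Computed`. The following is an added example, not Duo Authentication Proxy code and not a description of how the proxy's check is implemented; it shows what an identity-aware check has to inspect to catch both states. The directory entries are constructed in-line, and the `lockout_duration_s` parameter is an assumption standing in for the domain's `lockoutDuration` policy expressed in seconds.

```python
import time

# AD flag bits and epoch constants (these values are defined by Active Directory).
ACCOUNTDISABLE = 0x0002          # bit in userAccountControl: account is disabled
UF_LOCKOUT = 0x0010              # bit in msDS-User-Account-Control-Computed: account is locked
FILETIME_EPOCH_OFFSET_S = 11_644_473_600   # seconds between 1601-01-01 and 1970-01-01


def filetime_to_unix(filetime: int) -> float:
    """Convert an AD FILETIME (100 ns intervals since 1601-01-01) to Unix seconds."""
    return filetime / 10_000_000 - FILETIME_EPOCH_OFFSET_S


def is_disabled(entry: dict) -> bool:
    """True if the ACCOUNTDISABLE bit is set in userAccountControl."""
    return int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE != 0


def is_locked_out(entry: dict, now_unix: float, lockout_duration_s: int) -> bool:
    """True if a password lockout is currently active.

    Prefer the DC-computed attribute when it was requested, because the DC
    already applied the domain lockout policy. Otherwise fall back to
    lockoutTime: non-zero and younger than lockoutDuration means locked.
    A lockout_duration_s of 0 models 'locked until an administrator unlocks'
    (assumption: this example's convention, not an AD value).
    """
    computed = entry.get("msDS-User-Account-Control-Computed")
    if computed is not None:
        return int(computed) & UF_LOCKOUT != 0
    lockout_time = int(entry.get("lockoutTime", 0))
    if lockout_time == 0:
        return False
    if lockout_duration_s == 0:
        return True
    return now_unix - filetime_to_unix(lockout_time) < lockout_duration_s


def account_state(entry: dict, now_unix: float, lockout_duration_s: int = 1800) -> str:
    """Classify an account as 'disabled', 'locked_out' or 'ok'.

    A check that only looks at userAccountControl reports 'ok' for a
    locked-out account; this function inspects both attributes.
    """
    if is_disabled(entry):
        return "disabled"
    if is_locked_out(entry, now_unix, lockout_duration_s):
        return "locked_out"
    return "ok"


# Constructed sample entries (not real directory data). NOW is fixed so the
# FILETIME values below are reproducible: one lockout 60 s old, one 3600 s old.
NOW = 1_700_000_000
SAMPLE_ENTRIES = {
    "alice":   {"userAccountControl": 512, "lockoutTime": 0},                     # normal account
    "bob":     {"userAccountControl": 514},                                       # 512 | ACCOUNTDISABLE
    "carol":   {"userAccountControl": 512, "lockoutTime": 133_444_735_400_000_000},  # locked 60 s ago
    "dave":    {"userAccountControl": 512, "lockoutTime": 133_444_700_000_000_000},  # lockout expired (3600 s ago)
    "erin":    {"userAccountControl": 512, "msDS-User-Account-Control-Computed": 16},  # DC says locked
}


def classify_samples(now_unix: float = NOW, lockout_duration_s: int = 1800) -> dict:
    """Return {sam_account_name: state} for the constructed entries."""
    return {name: account_state(e, now_unix, lockout_duration_s)
            for name, e in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, state in classify_samples(time.time() if False else NOW).items():
        print(f"{name:6s} {state}")
```

Note that `dave` classifies as `ok` even though his `lockoutTime` is non-zero: AD leaves the attribute set after the lockout window passes and only resets it on the next successful logon, so the duration comparison (or the computed attribute) is required to avoid false positives.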

Then the password failure should not let you in. We are going to disable Passwordless and test again to see what happens.

Hi @bjames ,

It doesn't look like the support engineer you've been working with has asked you to reproduce the issue with debug logging and send over the support bundle output. This will be required for them to escalate to Engineering for next-level investigation, so you can get a jump on it by sending this information in proactively.

1. Enable debug logging: https://duo.com/docs/authproxy-reference#enable-debug-logging

2. Reproduce the issue.

3. Run the authproxy_support tool to create a support bundle: https://duo.com/docs/authproxy-reference#using-the-support-tool

4. Send the resultant .zip file to Duo Support to update your case.

Duo, not DUO.

Hi Kristina, nice to see you are still here.

We did run the support tool for support, but I will run it again if it's not attached to the case.

If I leave I'll have to give up my name!

Duo, not DUO.

bjames
Level 5

OK, we disabled Passwordless Authentication for SSO and tested; it worked as expected, so this was our issue. DO NOT enable Passwordless for SSO even though it's the recommended setting in the dashboard for a VPN connection. I've asked Cisco to still escalate this, as this is a security issue and it should not be a recommended setting.
