Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
275
Views
0
Helpful
1
Replies

Cerberus FTP & DUO Universal Prompt Issues

colombo01
Level 1
Level 1

‎12-23-2025 07:12 AM

I am using Cerberus FTP and after they integrated DUO for 2FA via Web SDK I had successfully followed the instructions on their site to enable DUO.  When the universal prompt was available I enabled that and all was working fine.  Then somewhere between July and September 2025 the integration broke and the new universal prompt no longer worked.  I would get the DUO push on my phone, accept it and then would get a Login expired error message (see snippet below). 

colombo01_0-1766501909425.png

I changed back to the traditional prompt and DUO again worked as expected.

I used Copilot to help with troubleshooting this and it led me down a road to say that "Duo now enforces stricter OIDC semantics".  A summary of my Copilot troubleshooting is below.

Observed Behavior:

  • Duo health check passes (Duo healthcheck: OK).
  • Push authentication succeeds (HAR shows /auth/factors/push/status returns success).
  • Duo attempts finalization (/auth/finalize_auth) → 200 OK.
  • Browser navigates to Duo’s external/exit endpoint:
  • GET https://api-6d756393.duosecurity.com/frame/v4/oidc/external/exit?code=...&state=...
  • Duo responds with:
  • {"stat":"FAIL","message_enum":57,"is_preauth_outcome":false}
  • Cerberus never logs MFA completion; user sees Login expired.

HAR Evidence:

No callback to Cerberus occurs after MFA success.

I've reached out to Cerberus support and they were initially able to replicate the issue.  They however mentioned that by using a "paid" version of DUO the implementation works.  Is there any difference between a free and a paid DUO account that would cause what I'm seeing?  Did something truly change in DUO's implementation this past summer?  If so, did is it something Cerberus would need to adjust?

Any input or feedback is appreciated.

Thanks

 

0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎01-07-2026 01:06 PM - edited ‎01-07-2026 01:10 PM

> Is there any difference between a free and a paid Duo account that would cause what I'm seeing?

Duo Free accounts have access to the Duo Web SDK application type just like paid Duo accounts do. There may be additional features that Free accounts do not have that get applied during authentication (like most policy settings, device trust, etc.), but not having those additional features should not affect basic authentication and authorization.

>Did something truly change in Duo's implementation this past summer?

Well, we update our cloud service every two weeks, so there were many changes. Without knowing the details of how Cerberus implemented their Duo Web integration I can't really pinpoint what specific change may have caused this issue.

If you have a case open with Cerberus about this you may suggest that they reach out to our technical partnerships team via email to duotechpartners@cisco.com for assistance troubleshooting their developed integration. It doesn't make sense for you to act as a go-between here, and there is likely nothing you could do on your end to fix this (except, I guess, give us money <g>).

Duo, not DUO.
0 Helpful
Quick Links
     
             Action Required: Duo CA Bundle Update      Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents