Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1538
Views
0
Helpful
3
Replies

Account and Subnet Bypass Policy

Go to solution
rarmstrong
Level 1
Level 1

‎08-19-2020 10:04 AM

We have OWA protected by Duo. AD users are placed inside a “Duo Security Users” group and that group is synchronized into Duo Admin. That group provides access to the OWA Application. We have a Local Subnet Bypass policy configured that bypasses 2FA if OWA is accessed from a device inside the local network. This all works great. My question is this. I removed the Domain “Administrator” account from the “Duo Security Users” Group and that account is no longer synced into Duo Admin. After I did that, the Administrator was no longer able to login to OWA EVEN though subnet bypass is enabled. Does a user account have to exist despite having a subnet bypass set? I was under the impression that since a subnet bypass policy was set, that ANY user, despite NOT having an account synced into Duo could access the application because 2FA is ignored for that subnet. Perhaps I’m not correct and ANY user needing access to OWA must have an account in Duo and that a Duo license will be consumed by that account despite having subnet bypass policy applied. If I add the Administrator account back into the group and synch it, then that user can login to OWA.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎08-19-2020 01:26 PM

How long ago did you remove the Administrator account from the synced group? Duo puts a user removed from a sync group into a pending deletion state and prevents login as that user for seven days before permanently deleting the user. If that Administrator user is still sitting in Duo pending deletion, it is correct that you can’t log on as that user even when the subnet would otherwise permit bypass.

You can visit the “Trash” user view to delete that user account from Duo before the seven days are up. Learn more about deleting synced users here.

Duo, not DUO.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎08-19-2020 01:26 PM

How long ago did you remove the Administrator account from the synced group? Duo puts a user removed from a sync group into a pending deletion state and prevents login as that user for seven days before permanently deleting the user. If that Administrator user is still sitting in Duo pending deletion, it is correct that you can’t log on as that user even when the subnet would otherwise permit bypass.

You can visit the “Trash” user view to delete that user account from Duo before the seven days are up. Learn more about deleting synced users here.

Duo, not DUO.
0 Helpful

Go to solution
rarmstrong
Level 1
Level 1

‎08-20-2020 07:00 AM

Kristina

Thank you! This is exactly what was happening. I didn’t notice that the account dropped into trash and had to be permanently deleted before it would allow the login.

Regards,
Rob

0 Helpful

Go to solution
DuoKristina
Cisco Employee
Cisco Employee
In response to rarmstrong

‎08-21-2020 06:44 AM

Glad to hear that solved your issue.

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents