Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1752
Views
0
Helpful
2
Replies

AuthProxy - Primary Mode vs. Bypass on DUO Admin page

lkeyes1
Level 1
Level 1

‎11-16-2020 12:29 PM

We’re trying to tighten up our ability to respond to an outage and had question:

What is the difference between:

  1. Setting Bypass in the Duo Admin page, and
  2. Running the primary only mode on the Proxy server.

I’m thinking #1still requires communication between a DUO user and the DUO cloud service, but wondered whether #2 might not require the user contacting the cloud service.

Reason I’m asking here, is I suspect a recent problem may have been related to internet connectivity, as one of the symptoms users experienced was they received their DUO phone requests late, or were able to respond to a DUO request, but never completed because the application (our VPN login) timed out because of the slow round-trip.

— L

0 Helpful
2 Replies 2

DuoKristina
Cisco Employee
Cisco Employee

‎11-18-2020 09:10 AM

You are correct in #1. The proxy would need to contact Duo to determine the status of the user. If the user has Bypass status then Duo’s service sends a response to the proxy indicating 2FA is not required.

The Authentication Proxy primary only mode only verifies a user’s login username and password against your local LDAP or RADIUS server, and then allows access. It does not contact Duo’s service. Primary only mode is intended for temporary use when the proxy server is known not to have connectivity to Duo’s service, like during a network outage, so that it does not spend time attempting to contact Duo’s service and waiting for that attempt to time out on every authentication. You have to explicitly start the proxy in primary only mode, it isn’t something that turns on without your intervention. Since secondary authentication is skipped, no 2fa requests would ever get sent to users (so no, when the proxy runs in primary only mode the user does not need to contact the cloud service to approve anything).

If you haven’t already found it, the Guide to Business Continuity might prove a useful reference for planning your outage response.

Duo, not DUO.
0 Helpful

lkeyes1
Level 1
Level 1
In response to DuoKristina

‎11-18-2020 09:44 AM

Thanks DuoKristina, for your very helpful reply. We have indeed been looking at the Guide to Business Continuity… trying to work out all the scenarios as we continue to implement DUO across our infrastructure. First out of the gate is our VPN access which has been largely completed. We’re now hoping to implement o365 and Salesforce.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents