AuthProxy - Primary Mode vs. Bypass on DUO Admin page

We’re trying to tighten up our ability to respond to an outage and had a question:

What is the difference between:

  1. Setting Bypass in the Duo Admin page, and
  2. Running the primary only mode on the Proxy server.

I’m thinking #1 still requires communication between a DUO user and the DUO cloud service, but wondered whether #2 might not require the user contacting the cloud service.

Reason I’m asking here is I suspect a recent problem may have been related to internet connectivity, as one of the symptoms users experienced was they received their DUO phone requests late, or were able to respond to a DUO request, but never completed because the application (our VPN login) timed out because of the slow round-trip.

— L

You are correct in #1. The proxy would need to contact Duo to determine the status of the user. If the user has Bypass status then Duo’s service sends a response to the proxy indicating 2FA is not required.

The Authentication Proxy primary only mode only verifies a user’s login username and password against your local LDAP or RADIUS server, and then allows access. It does not contact Duo’s service. Primary only mode is intended for temporary use when the proxy server is known not to have connectivity to Duo’s service, like during a network outage, so that it does not spend time attempting to contact Duo’s service and waiting for that attempt to time out on every authentication. You have to explicitly start the proxy in primary only mode; it isn’t something that turns on without your intervention. Since secondary authentication is skipped, no 2FA requests would ever get sent to users (so no, when the proxy runs in primary only mode the user does not need to contact the cloud service to approve anything).

If you haven’t already found it, the Guide to Business Continuity might prove a useful reference for planning your outage response.

Thanks DuoKristina, for your very helpful reply. We have indeed been looking at the Guide to Business Continuity… trying to work out all the scenarios as we continue to implement DUO across our infrastructure. First out of the gate is our VPN access which has been largely completed. We’re now hoping to implement o365 and Salesforce.