Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1871
Views
1
Helpful
3
Replies

Blacklisting phone numbers and IPs

thomasdang
Level 1
Level 1

‎07-03-2019 11:01 AM

Dear Duo,

Is there any way to PREVENT certain phone numbers and IPs from signing up for MFA (using the inline prompt or the self-service site) with an account?

In addition, is there anyway to LIMIT signing up for MFA to a certain IP range?

Thanks,

Thomas

Labels:
3 Replies 3

mkorovesisduo
Level 4
Level 4

‎07-08-2019 05:26 AM

Hey Thomas, it looks like an Authorized Networks policy would accomplish most of what you’re after. Check it out and let me know.

0 Helpful

thomasdang
Level 1
Level 1
In response to mkorovesisduo

‎07-08-2019 04:55 PM

Thanks for the suggestion,

The Authorized Network Policy allows for “force enrolment IP range” or for IP range where all MFA is blacklisted.

But we want to have the capability to just prevent the initial enrolment by IP range, and only allow the initial enrolment event from a specific range, but afterward the MFA (regular authentication events) should be open to the user from anywhere.

I can’t think of a way to achieve this with Duo.

Best,
Thomas

0 Helpful

colin_medfisch
Cisco Employee
Cisco Employee

‎07-09-2019 08:33 AM

Hey Thomas,

That is an excellent feature request to include in the Duo Policy Engine.

While it is not possible to achieve this in that manner at this time, we do have customers restricting enrollment to internal networks using a combination of the Policy Engine and our Device Management Portal.

The first thing that you will need to do is to stand up our Device Management Portal on a non-internet exposed web server.

Next, you will want to take a look at your Duo Policy. The most important policy option for this scenario is the New User Policy. What you will want is to create an Application Policy for your new Device Management Portal integration that has the New User Policy set to Require Enrollment.

After getting that setup, you will want to to change any other Application Policies as well as your Global Policy. If you are looking to restrict enrollment to the internal networks where users can access the Device Management Portal, all other New User Policies should be set to Deny acccess

Once you make this change, you will be all set to post the URL for the new portal anywhere you’d like internally.

Hope this helps!

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents