Cisco VPN, Duo Two Factor and expired passwords


We have been using Duo as our two-factor authentication on Cisco VPN (web-based and AnyConnect) successfully for a while.

However, I have noticed that when a user has an expiring password, although the Cisco VPN challenges the user to change their password, no Duo two-factor authentication is involved. How do I ensure that when prompted to change their password, the user must still complete the Duo two-factor? Otherwise, what’s stopping other actors changing expired passwords?


Hi @feathers1664!

If you have deployed Duo like this, where the primary authentication is LDAP and secondary authentication is Duo, all password-related operations happen at LDAP, before any secondary authentication is involved. There is no way to require 2FA before password reset in this scenario.

While it is possible that a bad actor can change another user’s expired password, they still wouldn’t be able to log in to the VPN without also completing 2FA.