Cisco VPN, Duo Two Factor and expired passwords

feathers1664
Level 1

We have been using Duo as our two factor authentication on Cisco VPN (web based and Anyconnect) successfully for a while.

However, I have noticed that when a user has an expiring password, although the Cisco VPN challenges the user to change their password, no Duo two-factor authentication is involved. How do I ensure that when prompted to change their password, the user must still complete the Duo two-factor authentication? Otherwise, what's stopping other actors from changing expired passwords?

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee

Hi @feathers1664!

If you have deployed Duo like this, where the primary authentication is LDAP and the secondary authentication is Duo, all password-related operations happen at LDAP, before any secondary authentication is involved. There is no way to require 2FA before a password reset in this scenario.

While it is possible that a bad actor can change another user’s expired password, they still wouldn’t be able to log in to the VPN without also completing 2FA.

Duo, not DUO.

