Configuring for VPN connection only


We have a laptop configured for login with Duo. User would like to use Duo ONLY when connected to VPN, vs logging into the laptop/domain only. Windows 10. Any thoughts?


Hi Dennis, there are likely several ways to accomplish this, but could you give us a bit more background information on where and when you’d like Duo to be invoked for authentication here and what, if any, Duo applications (for reference) are currently in place?

For the VPN aspect, are they looking to complete connection prior to user login on the machine or following local login?

Good Morning. Sorry for the delay getting back, been down with an injury.

The user logs into their Windows desktop and is then prompted for Duo 2FA.

Sorry to hear that! Wishing you a speedy recovery.

It is possible to configure Duo WinLogon to "Only prompt for Duo authentication when logging in via RDP", during installer as described in the documentation at Duo Authentication for Windows Logon and RDP | Duo Security or post-installation as described at, but I’m curious about where the VPN comes into play in the workflow here. Is the user already connected to the VPN before login to the local machine?

Depending on your workflow, you may be able to leverage our Authorized Networks policy to not require Duo authentication depending on the predictability of the IP address the user will be authenticating from: However, please note that Authorized Networks policies for bypassing 2FA or denying application access based on a Windows system’s IP aren’t applied to console logins. Additionally, Duo cannot provide any geolocation information for that access client in the authentication logs.

You can learn more about this limitation in the Duo KB article “Why does Duo Authentication for Windows Logon report the client IP address as for local console logins?”

Good Morning. Thank you. Making progress.

The user is not connecting to VPN until after being signed into the Windows desktop, and after DUO.

Understood! In that case, it sounds like you may want to consider just protecting the VPN via a Duo application and use our policy framework to not require Windows Logon MFA for them.

You can view all of the VPNs with documented Duo integrations at, but many non-documented VPNs can also be protected via our generic RADIUS or LDAP integrations.