Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2171
Views
0
Helpful
5
Replies

Configuring for VPN connection only

djonestab
Level 1
Level 1

‎06-27-2019 11:51 AM

Hello.

We have a laptop configured for login with duo. User would like to use Duo ONLY when connected to VPN, vs logging into the laptop/domain only. Windows 10. Any thoughts?

-Dennis

Labels:
0 Helpful
5 Replies 5

Dooley
Level 3
Level 3

‎06-27-2019 12:22 PM

Hi Dennis, there are likely several ways to accomplish this, but could you give us a bit more background information on where and when you’d like Duo to be invoked for authentication here and what, if any, Duo applications (www.duo.com/docs for reference) are currently in place?

For the VPN aspect, are they looking to complete connection prior to user login on the machine or following local login?

0 Helpful

djonestab
Level 1
Level 1
In response to Dooley

‎07-02-2019 08:50 AM

Good Morning. Sorry for the delay getting back, been down with an injury.

The user logs into their Windows desktop and is then prompted for Duo 2FA.

0 Helpful

Dooley
Level 3
Level 3
In response to djonestab

‎07-02-2019 10:59 AM

Sorry to hear that! Wishing you a speedy recovery.

It is possible to configure Duo WinLogon to "Only prompt for Duo authentication when logging in via RDP, during installer as described in the documentation at Duo Authentication for Windows Logon and RDP | Duo Security or post-installation as described at https://help.duo.com/s/article/1084, but I’m curious about where the VPN comes into play in the workflow here. Is the user already connected to the VPN before login to the local machine?

Depending on your workflow, you may be able to leverage our Authorized Networks policy to not require Duo authentication depending on the predictability of the IP address the user will be authenticating from: https://duo.com/docs/policy#authorized-networks. However please note that Authorized Networks policies for bypassing 2FA or denying application access based on a Windows system’s IP aren’t applied to console logins. Additionally, Duo cannot provide any geolocation information for that access client in the authentication logs.

You can learn more about this limitation in the Duo KB article “Why does Duo Authentication for Windows Logon report the client IP address as 0.0.0.0 for local console logins?”

0 Helpful

djonestab
Level 1
Level 1

‎07-05-2019 07:26 AM

Good Morning. Thank you. Making progress.

The user is not connecting to VPN until after being signed into the Windows desktop, and after DUO.

0 Helpful

Dooley
Level 3
Level 3
In response to djonestab

‎07-05-2019 07:41 AM

Understood! In that case, it sounds like you may want to consider just protecting the VPN via a Duo application and use our policy framework to not require Windows Logon MFA for them.

You can view all of the VPNs with documented Duo integrations at https://duo.com/docs, but many non-documented VPNs can also be protected via our generic RADIUS or LDAP integrations.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents