Duo Release Notes for December 6, 2019

Hello everyone! Here are the release notes for the most recent updates we’ve made to Duo.

You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.

Please note that, due to the upcoming holidays, this will be the final regularly-scheduled update to Duo’s services in 2019. We will resume our every-two-weeks schedule in 2020.

New features, enhancements, and other improvements

Group Access Policy has been renamed Authentication Policy

  • The Group Access Policy has been renamed Authentication Policy. It will now appear as Authentication Policy in the Policy Editor and throughout the Duo Admin Panel.
  • The names of two of the configuration options for the Group Access Policy have also been changed, along with their descriptions.
  • This rewording does not affect how the policy functions. The new wording is simply intended to more accurately represent the policy and its options. The changes are as follows:
    • “No action” is now “Enforce 2FA”
      • Description is now “Require two-factor authentication or enrollment when applicable, unless there is a superseding policy configured.”
    • “Allow access without 2FA” is now “Bypass 2FA”
      • Description is now “Skip two-factor authentication and enrollment, unless there is a superseding policy configured.”
    • The “Deny access” option and its description are the same as before.

Azure Active Directory sync improvements

  • Custom attributes now support using Azure properties that are arrays of values, such as “otherMails.”
    • Previously, this was supported only for phone attributes, where all the values of the array would be synced.
    • This is now supported for other attributes, but only the first value of the array will be synced.
    • For example, configuring the mail attribute to be “otherMails” will result in the first value of that property being used (and any others ignored).

Additional Admin Panel and Policy improvements

  • The help text for the “Allow access without 2FA” option under the New User Policy rule has been changed.
    • Previously, it was “Allow unenrolled users to pass through without two-factor authentication.” Now, it is “Allow users unknown to Duo to pass through without two-factor authentication. Users who exist in Duo and have not enrolled will be required to enroll.”
  • A link to the Policy documentation has been added to the Policy Editor modal.
  • The password fields on the “Add Administrator” and individual Administrator pages in the Admin Panel are no longer auto-filled by LastPass.

New and updated applications

Duo Authentication Proxy 3.2.0 and 3.2.1 released

3.2.1 details:

  • Fixed a bug preventing the initialization script from being created on Linux systems during proxy upgrade.

3.2.0 details:

  • Fixed a bug causing failmode and prompt_format configuration values to be case-sensitive.
  • The primarygroup is now checked when determining whether an AD/LDAP (ad_client) user is a member of the configured security_group_dn group.
  • Added support for LDAPCompareRequest LDAP message when the proxy is acting as an LDAP server.
  • Added support for additional username formats for exempt_ou matching when the proxy is acting as an LDAP server.
  • When using the “Integrated” (SSPI) authentication type for Active Directory sync, service account credentials are ignored if provided in the [cloud] configuration.
  • Events in the SIEM-consumable authevents.log now contain the authentication proxy hostname and the IKEY (Integration key) of the protected application.
  • Fixed case where logging incorrectly indicated failmode was invoked when an invalid SKEY (Secret key) was used.
  • The Windows installer now reports if there was an error installing the “Duo Authentication Proxy” service.
  • Proxy startup is prevented if an ldap_server_auto section has no associated ad_client section.
  • Bug fixes and enhancements to the connectivity tool.

Bug fixes

  • Duo Admin Panel bug fixes:
    • Active Directory sync
      • Resolved an issue during single-user sync that could incorrectly set a “Pending deletion” status if the username existed independently in Duo and in the directory and the user was not in a group that was part of the directory sync.
    • Azure Active Directory sync
      • Fixed a bug where users being synced who were previously synced to a different directory were not being removed from the previous directory’s synced groups.
    • User edit page
      • Renamed “Real Name” to “Full Name”, so that there is consistency for this field throughout the Admin Panel. This change was not made in the Admin API, so as not to break any Duo customers’ configurations.
      • Fixed an issue where Help Desk admins were seeing “Restore” and “Permanently Delete” buttons when viewing user pages for users in the trash.
    • Login page
      • Fixed an issue where error messages containing special characters were incorrectly HTML-encoded on the Admin Panel login page and displayed as nonsensical characters.
  • Device Health Application bug fixes:
    • Previously, the Cisco ASA SSL VPN, Juniper/Pulse Connect Secure SSL VPN (using LDAPS), and Microsoft Azure Active Directory applications successfully performed health checks, provided the Duo Device Health Application was installed. However, if a user had to download the application, the existing methods to restart the Duo authentication resulted in failures, regardless of whether the restart occurred automatically or manually by clicking the “Try again” link. The entire authentication had to be restarted in this case by refreshing the browser, or otherwise restarting the authentication process.
      • Now, when the user needs to download and install the Duo Device Health Application, Duo will not try to restart the authentication. The user will be instructed to refresh their browser, similar to how out-of-date software blocking is handled.
    • Duo Device Health Application support for Citrix Gateway
      • The Duo Device Health Application now supports device health checks when a user authenticates to the Citrix Gateway.
      • Previously, the Duo Prompt would present the error message “Invalid transaction. Try logging in again.” after timing out.