Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2785
Views
1
Helpful
5
Replies

Duo Users 2FA for AD Security Group Only, ignore 2FA for users outside of this group

Timbobaggins
Level 1
Level 1

‎08-21-2018 03:49 AM

Hi all,

I was wondering if I could have some feedback/suggestions here,

I am in the process of deploying Duo to a client of ours for terminal server access.

To this end I have enabled AD sync between the DC on premise and Duo’s portal.

I have two AD security groups, one for requires 2FA which will have 21 users in it, and the rest of the users are in the Bypass 2FA group (approx 80 users).

I have tested, and this is working fine with the Bypass 2FA settings against the Bypass 2FA Security group, and requires 2FA against the Requires 2FA group.

My only problem with this is that the client will be billed for approx 100 user licenses when we only want to subject 21 users to 2FA, I understand that the licensing is done per user whether they are enrolled or not or subject to 2FA.

The ideal scenario is just to have the 21 users in the portal requiring 2FA, with Duo ignoring all users users and allowing them to login/auth without 2FA prompt.

Any ideas how I can achieve this or does Duo need to have all the other bypass 2FA users synced to its portal too?

Thanks
Tim

Labels:
0 Helpful
5 Replies 5

mkorovesisduo
Level 4
Level 4

‎08-21-2018 07:15 AM

Hi, one possible solution would be to configure AD sync to only synchronize the group with the 21 “require 2FA” users in it and then set your application or global new user policies to bypass 2FA for unenrolled users. While this would reduce your licensing, please note it is also less secure than requiring 2FA for all users.

Timbobaggins
Level 1
Level 1
In response to mkorovesisduo

‎08-21-2018 08:02 AM

Hi,

Thanks for the suggestion, I had attempted this previously as I thought that was a good way of achieving this, when I set it up how you described any unenrolled users that I didn’t want 2FA setting up against where getting a message saying ‘you are not authorized to use this application’ type message oddly, even though I had set the policy to skip 2FA for unenrolled users?

Thanks
Tim

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Timbobaggins

‎08-29-2018 01:58 PM

  1. Make sure to completely delete the users that won’t be using Duo from Duo. Delete that group of 80 from the directory sync config, run the sync to put those user into the trash, and then go into the Trash and permanently delete those users.

  2. Also make sure you did not specify a group in the “Permitted Groups” option on your application in Duo. It seems like this wouldn’t even be necessary, if every Duo user that remains will be accessing the application.

Duo, not DUO.
0 Helpful

mkorovesisduo
Level 4
Level 4

‎08-22-2018 07:37 AM

Hm, that’s not how it should work. I’d recommend double-checking your application or global policies to ensure that they’re set up properly. Our Policy Guide may also help.

If you’re unable to resolve the issue on your own, please contact Duo Support.

0 Helpful

Timbobaggins
Level 1
Level 1

‎09-04-2018 01:20 AM

Hi,

I’ve been able to get this working thanks to your suggestions, thank you so much for the help with this.

Kind regards,
Tim

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents