Ah yes, MS-CHAPv2 is the scenario where append options aren’t supported because the proxy can’t split the encapsulated password value to parse out the password portion of the attribute vs. the passcode or appended factor name. Did you happen to try RADIUS Challenge mode? Again, what VPN are you using? We have some internal notes about VPNs where MS-CHAPv2 and RADIUS Challenge are known to work or not work.
when they log into OWA, they get both a Duo Push on their cellphone as well as the YubiKey simultaneously flashing
The user would only receive an automatic Duo Push at this point if they explicitly selected “Automatically send this device a Duo Push” as their default login action during enrollment. If you have enabled the self-service portal on the OWA application then any users who enabled the automatic Duo Push can turn that off there. This can’t be enabled/disabled on behalf of a user by the Duo admin.
logging into the VPN still does not flash the YubiKey
The behavior you describe is the YubiKey being utilized as a WebAuthn/U2F Security Key. This will NEVER work with a VPN RADIUS auto/challenge configuration. This is only supported in browser-based authentication when the interactive Duo web prompt is shown. This authentication standard is only available in web browsers and platforms. You can learn more about the FIDO2 standards here. When customers utilize YubiKeys with RADIUS auto/challenge configurations, it is in OTP mode, to provide a passcode. As already mentioned though, this won’t work for RADIUS Auto and MS-CHAPv2 due to the limitation on appending factors to the password.
If you have a specific feature request (whether that is native EAP-TLS support or something else that fits your environment) please be sure to share it with your Duo account exec or customer success manager (if you have one). Otherwise you can contact Duo Support to submit your feature request. Community forum posts aren’t actionable feature requests. You can read more about the purpose of the Duo Community in this post.