Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1530
Views
1
Helpful
2
Replies

Fail Open/Close and Offline Mode

mauricej341
Level 1
Level 1

‎03-23-2022 10:38 AM

Hello,

First of all I’m sure this has come up frequently so apologies if I’m asking something that has been answered, and I just didn’t find it. I’m trying to wrap my head around the fail modes, and their relationship with offline mode.

My understanding with failopen and failclose, is they define behavior with the Duo cloud service is not available - Failopen not prompting for MFA, and failclose will deny login. And my understanding of Offline mode, is the ability to use a passcode when the Duo service isn’t available.

Using RDP as an example, only administrators in our org RDP to servers. We are good with denying RDP access to servers if Duo is not available, but, still want the ability to login to servers directly via console if there is a need, if Duo is not reachable. Is this possible? And does offline mode work if the Duo service is not available?

EDIT: A related question, we have a couple of accounts that are shared by multiple users. For these accounts, we’ve associated each users’s phone to those accounts. How does that work with Offline mode - would each user be able to setup offline acdcess using their phones to use these shared accounts, or, would only one phone/device be able to use it?

Thanks

0 Helpful
2 Replies 2

mauricej341
Level 1
Level 1

‎03-23-2022 12:16 PM

One piece that I forgot to mention is that we’re using the authentication proxy, and I see that is also has a configurable fail mode.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to mauricej341

‎03-24-2022 01:36 PM

Offline access is only available today for Duo Authentication for Windows Logon. Each user who wants to be able to use offline access needs to set it up.

  1. Perform an online Duo login
  2. Enroll in offline access
  3. User can log in when the system can’t reach Duo.

Offline access and fail open should be mutually exclusive. If the application is configured to fail open when it can’t reach Duo, it will never try to use offline access for anyone, and will let everyone in without 2FA.

Users can only register one offline authenticator so the shared account scenario you describe isn’t supported.

With fail close, when Duo can’t be reached then the users who set up offline access can use it to log in, and users who did not can’t log in.

There is no offline access for RADIUS and LDAP integrations that use the Authentication Proxy; your choices are to fail open or to fail closed.

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents