Has anyone had issues with using failmode=secure?

Just wondering if people have run into issues using the failmode=secure option in their proxy config. Seems like if there is an issue contacting the Duo service, then there would be an inadvertent denial of service. What is the best practice?

Please advise. Thanks in advance.

Hey @julian
Can you tell me more about what you mean by inadvertent DoS?
When failmode=secure is set, this means that if the Authentication Proxy cannot contact Duo for any reason, we will choose to fail the authentication instead of letting someone in without 2FA.
If you would rather have the end user be able to log in even if the Authentication Proxy can’t talk to Duo, then I would recommend failmode=safe.

We also have a primary only mode you can set during emergencies. I’m not sure if this solves your use case, but one of the potential use cases for this mode is to allow the usage of failmode=secure but then once an issue is determined either in your network or with Duo you can go and turn on primary only until the outage has passed.
Here’s the docs link for more info: Duo Authentication Proxy Reference | Duo Security
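
An added example, not part of the original thread and not Duo's own tooling: a short Python audit that reads an authproxy.cfg-style file and lists which server sections would fail open (failmode=safe or unset) when Duo cannot be reached. It assumes the INI layout, that server sections start with `radius_server_` or `ldap_server_`, and that an omitted failmode means safe; the sample config is constructed.

```python
import configparser

# Assumption: sections with these prefixes are the ones that take a failmode
# option; adjust to match the Duo reference for your proxy version.
SERVER_PREFIXES = ("radius_server_", "ldap_server_")
DEFAULT_FAILMODE = "safe"  # assumption: an omitted failmode is treated as safe

# Constructed sample config; keys and hosts are placeholders.
SAMPLE_CFG = """
[ad_client]
host=dc.example.internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder%secret
api_host=api-XXXXXXXX.duosecurity.com
failmode=secure

[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com

[ldap_server_auto]
failmode=Safe
"""

def audit_failmode(cfg_text):
    """Return {section: (effective_failmode, explicitly_set)} for server sections."""
    # interpolation=None so a '%' inside a secret value is not parsed as a reference
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    report = {}
    for section in parser.sections():
        if not section.startswith(SERVER_PREFIXES):
            continue
        raw = parser.get(section, "failmode", fallback=None)
        mode = (raw or DEFAULT_FAILMODE).strip().lower()
        report[section] = (mode, raw is not None)
    return report

def fail_open_sections(cfg_text):
    """Sections not set to secure (unknown values are flagged too, to be conservative)."""
    return sorted(s for s, (mode, _) in audit_failmode(cfg_text).items() if mode != "secure")

if __name__ == "__main__":
    for name, (mode, explicit) in audit_failmode(SAMPLE_CFG).items():
        print(f"[{name}] failmode={mode}" + ("" if explicit else " (not set, default applies)"))
    print("fail-open:", fail_open_sections(SAMPLE_CFG))
```
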

Hi @Xander_Desai
What I was afraid might happen when the Duo service can’t be contacted for whatever reason is that people can’t log in to a protected resource. Thus inadvertently denying them access.

I had mistakenly thought that if the Duo proxy server itself was unavailable, then the failmode=safe would still allow people to log in. But I do see now that if the Duo proxy service is not available for whatever reason, then people are not going to be able to log in to a protected resource.

It was discovered that people were able to log in to a protected resource even though they didn’t have a Duo account. Thus, they received no Duo push on their mobile app and were able to continue logging in.

I’ll check out that docs link. Thanks.