Solved: Is there a way to restrict certain Duo users to specific ip address ranges?

Wayne3 · ‎04-12-2018

Is there a way to restrict certain Duo users to specific ip address ranges?

If the IP address for the browser doesn’t match, then deny the login. (Not bypass Duo auth if the IP address range matches…which is a current feature).

jamieis · ‎04-12-2018

Hey @Wayne,

My name is Jamie and I’m with Duo.

Currently, there is not a way to blacklist IP addresses within the Duo policies.

The current feature we offer called Authorized Networks allows you to not enforce 2FA based on certain IP addresses. You can also configure it to force them to complete 2FA even if another policy would let them bypass.

Another policy we offer is User Location which lets you set users to bypass, force 2FA, or deny based on the country they are currently in.

I’d recommend reaching out to your Account Executive and have them file a feature request for blacklisting IP ranges.

Thanks for being a Duo customer!

View solution in original post

jamieis · ‎04-12-2018

Hey @Wayne,

My name is Jamie and I’m with Duo.

Currently, there is not a way to blacklist IP addresses within the Duo policies.

The current feature we offer called Authorized Networks allows you to not enforce 2FA based on certain IP addresses. You can also configure it to force them to complete 2FA even if another policy would let them bypass.

Another policy we offer is User Location which lets you set users to bypass, force 2FA, or deny based on the country they are currently in.

I’d recommend reaching out to your Account Executive and have them file a feature request for blacklisting IP ranges.

Thanks for being a Duo customer!

jamieis · ‎04-13-2018

Hey @Wayne,

Another option that might work for you is a 3rd setting available under the Authorized Networks policy called "Deny access from all other networks ".

You could specifically bypass 2FA / enforce 2FA from specific networks and then block 2FA from all other networks that are not listed.