Locked out User bypassing 2FA

New Duo users here …

I have a user that got locked out for ignoring a Duo 2FA prompt. This user, once locked out, is just bypassing the Duo 2FA requirement.

The group that the user is in requires 2FA.

The application is set to enforce 2FA.

Duo shows denied when this user tries to log in, but as I stated they just bypass Duo and get let right in.

Is this normal behavior? How can I find out why they are just bypassing Duo?

It’s hard to say what might be happening without knowing what Duo application you deployed.

I am using Duo for Sophos UTM.

Do you mean you have added the Duo Authentication Proxy as a RADIUS server to Sophos UTM as described in Duo Two-Factor Authentication for Sophos UTM | Duo Security?

If so, first enable debug logging for the Duo Authentication Proxy, repeat the locked-out user test, and check the Duo Authentication Proxy log to verify that when the locked-out user tries to log in, the Duo proxy records that the response from Duo is deny and that the Duo Authentication Proxy then returns Access-Reject to the Sophos device.

If that is happening, then you should re-examine your configuration on the UTM device to make sure that no other authentication servers have been defined so that, if the Duo server returns deny, the UTM is then failing over to something else that might allow that user. You likely will need to review authentication logs on the UTM for the login attempt to get an idea of what’s happening.

If you need help with reviewing the Duo Authentication Proxy logs and config or it’s not returning a reject to the UTM when it should you can contact Duo Support, but if the Duo proxy correctly returns the reject and you have questions about verifying or correcting the authentication logic on the UTM you are best served by Sophos support.
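The log check described in the reply above, written out as an added example that is not part of this thread and not Duo's own tooling: it correlates each RADIUS request with the Duo decision and the RADIUS reply the proxy sent back, and flags any attempt where Duo said deny but no Access-Reject followed. The line format, field names and sample users are constructed for illustration and are not the real Duo Authentication Proxy log format.

```python
"""Correlate (constructed) Duo Authentication Proxy debug-log lines per login
attempt and check that every Duo 'deny' is answered with Access-Reject.
The line layout below is an assumption for this example only."""
import re

# Constructed sample log (hypothetical format: "<date> <time> <event> k=v ...").
# alice: allow -> Access-Accept (fine)
# bob:   deny  -> Access-Reject (proxy did its job; look at the UTM next)
# carol: deny  -> Access-Accept (proxy mismatch; this is a Duo Support case)
# dave:  deny  -> no RADIUS reply recorded (client may time out and fail over)
SAMPLE_LOG = """\
2024-01-10 09:15:01 radius_request user=alice client=10.0.0.5
2024-01-10 09:15:09 duo_response user=alice result=allow
2024-01-10 09:15:09 radius_response user=alice code=Access-Accept
2024-01-10 09:16:30 radius_request user=bob client=10.0.0.5
2024-01-10 09:17:05 duo_response user=bob result=deny reason=locked_out
2024-01-10 09:17:05 radius_response user=bob code=Access-Reject
2024-01-10 09:18:00 radius_request user=carol client=10.0.0.5
2024-01-10 09:18:40 duo_response user=carol result=deny reason=locked_out
2024-01-10 09:18:40 radius_response user=carol code=Access-Accept
2024-01-10 09:19:00 radius_request user=dave client=10.0.0.5
2024-01-10 09:19:50 duo_response user=dave result=deny reason=locked_out
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Split one log line into a dict of timestamp, event and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def group_attempts(lines):
    """Each radius_request opens a new attempt for that user; the later
    duo_response / radius_response lines for the same user attach to it."""
    attempts = []
    open_by_user = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user")
        if rec["event"] == "radius_request":
            att = {"user": user, "started": rec["ts"],
                   "duo_result": None, "radius_code": None}
            attempts.append(att)
            open_by_user[user] = att
        elif user in open_by_user:
            att = open_by_user[user]
            if rec["event"] == "duo_response":
                att["duo_result"] = rec.get("result")
            elif rec["event"] == "radius_response":
                att["radius_code"] = rec.get("code")
    return attempts


def check_attempts(attempts):
    """Return (user, verdict) pairs; 'ok' means the proxy's RADIUS reply
    matches Duo's decision for that attempt."""
    findings = []
    for att in attempts:
        duo, rad = att["duo_result"], att["radius_code"]
        if (duo, rad) in (("deny", "Access-Reject"), ("allow", "Access-Accept")):
            verdict = "ok"
        elif duo == "deny" and rad is None:
            verdict = "no RADIUS reply recorded; client may time out and fail over"
        elif duo == "deny":
            verdict = f"MISMATCH: Duo denied but proxy returned {rad}"
        else:
            verdict = f"incomplete: duo={duo} radius={rad}"
        findings.append((att["user"], verdict))
    return findings


def audit(log_text=SAMPLE_LOG):
    """Run the whole check over a log text and return the per-user verdicts."""
    return check_attempts(group_attempts(log_text.splitlines()))


if __name__ == "__main__":
    for user, verdict in audit():
        print(f"{user}: {verdict}")
```

If every deny in the real proxy log maps to an Access-Reject, the proxy is behaving and the next place to look is the UTM side: its list of authentication servers and its own authentication log for the same login attempt, since a client that treats a reject (or a timeout) as a reason to try the next server is what lets a denied user through.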