Macbook and FortiClient protection

When using FortiClient and Duo on a Macbook, I’m presented with some challenges.

For Duo, I have authproxy set to ‘challenge’ mode.

On my test Macbook, I get prompted as expected for Push, SMS, call (although all option items are listed twice). I type ‘push’ and it works as expected.

On end-users Macbooks, there is no listing in the prompt. It simply says enter code or type in option, but it doesn’t specifically list the options. This is not a problem per se, as if they type push, then it works as expected. If they enter code listed in Duo App, it does not work. My concern is more, why is it different from one Mac to another and how can I make sure it’s consistent for all users?

If I try the ‘auto’ mode in config file, nothing seems to work. Not a fan of ‘auto’ in the config file. Change my mind. T

The Duo text-based prompt sent as a RADIUS challenge has to fit within the character limits of a RADIUS packet. The contents of that challenge text may differ from user to user, depending on how many devices they enrolled, if they gave their enrolled devices their own free-text name, if they previously requested a batch of SMS passcodes, etc.

If Duo thinks that the response won’t fit in that character limit then it automatically changes the format from console (which includes the factor descriptions and newline formatting) to short (which is a much shorter text challenge that only lists the factor names).

The prompt_format options for RADIUS challenge are described in the Authentication Proxy Reference, including the info about falling back to short format and there’s a more detailed explanation of this in the KB article Why does the RADIUS challenge authentication experience appear differently for different users?.

ETA:

If they enter code listed in Duo App, it does not work.

and

If I try the ‘auto’ mode in config file, nothing seems to work.

sound totally unexpected, and perhaps warrant opening a case with Duo Support.