Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
942
Views
0
Helpful
1
Replies

Macbook and FortiClient protection

jsnyder2
Level 1
Level 1

‎02-14-2022 01:50 PM

When using FortiClient and Duo on a Macbook, I’m presented with some challenges.

For Duo, I have authproxy set to ‘challenge’ mode.

On my test Macbook, I get prompted as expected for Push, SMS, call (although all option items are listed twice). I type ‘push’ and it works as expected.

On end-users Macbooks, there is no listing in the prompt. It simply says enter code or type in option, but it doesn’t specifically list the options. This is not a problem per se, as if they type push, then it works as expected. If they enter code listed in Duo App, it does not work. My concern is more, why is it different from one Mac to another and how can I make sure it’s consistent for all users?

If I try the ‘auto’ mode in config file, nothing seems to work. Not a fan of ‘auto’ in the config file. Change my mind. T

Labels:
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎02-16-2022 11:58 AM

The Duo text-based prompt sent as a RADIUS challenge has to fit within the character limits of a RADIUS packet. The contents of that challenge text may differ from user to user, depending on how many devices they enrolled, if they gave their enrolled devices their own free-text name, if they previously requested a batch of SMS passcodes, etc.

If Duo thinks that the response won’t fit in that character limit then it automatically changes the format from console (which includes the factor descriptions and newline formatting) to short (which is a much shorter text challenge that only lists the factor names).

The prompt_format options for RADIUS challenge are described in the Authentication Proxy Reference, including the info about falling back to short format and there’s a more detailed explanation of this in the KB article Why does the RADIUS challenge authentication experience appear differently for different users?.

ETA:

If they enter code listed in Duo App, it does not work.

and

If I try the ‘auto’ mode in config file, nothing seems to work.

sound totally unexpected, and perhaps warrant opening a case with Duo Support.

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents