I’m hoping someone can help me out - I’ll try to explain my situation as clearly as possible.
I believe the problem lies around Policy and the appropriate settings. I’ve created an application for Palo Alto GlobalProtect using Single Sign-On. Everything works; the issue is when to ask for the 2nd factor and when not to…
Currently, not all staff are part of our MFA/2FA solution, and are therefore unknown to Duo, so I need to edit the Global Policy’s “New User Policy” and “Authentication Policy” respectively. But it doesn’t seem to work; I’m just not getting the right results.
I’ve set the New User Policy to Allow access without 2FA (Allow users unknown to Duo to pass through without two-factor authentication. Users who exist in Duo and have not enrolled will be required to enroll.)
However, this doesn’t fix my issue, as the Authentication Policy trumps the above-mentioned setting:
- If it’s set to “Enforce 2FA”, users known to Duo are prompted for their second factor, but users who are NOT yet in Duo (who should be bypassed) are being sent through the enrollment process, which at this time is not what we want.
- If it’s set to “Bypass 2FA”, ALL users, even those in Duo, have their second factor bypassed.
I need users who are IN Duo to be prompted for 2FA, and those NOT in Duo to be bypassed without going through the enrollment process.
Any help would be greatly appreciated.
Thank you in advance.
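One check that helps when sorting out which bucket a given account actually falls into (the New User Policy text quoted above distinguishes users unknown to Duo from users who exist in Duo but have not enrolled) is to look the username up through the Duo Admin API. The block below is an added example, not part of the original post and not Duo's own client library: it implements the Admin API v1 request signing (HMAC-SHA1 over the date, method, host, path and sorted parameters, sent as HTTP Basic auth) and classifies the result of `GET /admin/v1/users?username=...`. The API hostname and keys are placeholders, and the sample responses used for the offline run are constructed.

```python
"""Look a username up in the Duo Admin API and classify it against the
New User Policy / Authentication Policy split described in the post.

Added example; not part of the original post and not Duo's own client
library. The hostname and keys below are placeholders (assumption) and
the sample responses used for the offline demo are constructed.
"""
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Placeholders: a real deployment uses its own Admin API hostname and the
# integration/secret keys of an Admin API application from the Duo Admin Panel.
API_HOST = "api-xxxxxxxx.duosecurity.com"
INTEGRATION_KEY = "DIXXXXXXXXXXXXXXXXXX"
SECRET_KEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"


def canon_params(params):
    """Sort parameters by key and URL-encode keys and values; only '~'
    is left unescaped, so '/' and '+' are encoded too."""
    pairs = sorted((urllib.parse.quote(str(k), "~"), urllib.parse.quote(str(v), "~"))
                   for k, v in params.items())
    return "&".join("%s=%s" % (k, v) for k, v in pairs)


def canonicalize(method, host, path, params, date):
    """Canonical string covered by the Admin API v1 signature: one line each
    for the Date header, upper-cased method, lower-cased host, path, params."""
    return "\n".join([date, method.upper(), host.lower(), path, canon_params(params)])


def sign(method, host, path, params, date, ikey, skey):
    """HMAC-SHA1 of the canonical string, hex-encoded, sent as HTTP Basic auth
    with the integration key as the user name and the signature as password."""
    canon = canonicalize(method, host, path, params, date)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()


def lookup_user(username, host=API_HOST, ikey=INTEGRATION_KEY, skey=SECRET_KEY):
    """GET /admin/v1/users?username=<exact match>; returns the parsed JSON body.
    Performs a live request, so it is only called from main()."""
    path = "/admin/v1/users"
    params = {"username": username}
    date = email.utils.formatdate()  # RFC 2822 date, also sent as the Date header
    url = "https://%s%s?%s" % (host, path, canon_params(params))
    req = urllib.request.Request(url, headers={
        "Date": date,
        "Authorization": sign("GET", host, path, params, date, ikey, skey),
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def classify(body):
    """Map a /admin/v1/users response onto the buckets the post cares about."""
    if body.get("stat") != "OK":
        raise RuntimeError("Duo API error: %s" % body.get("message"))
    users = body.get("response", [])
    if not users:
        return "unknown"            # not in Duo: the New User Policy applies
    user = users[0]
    if user.get("status") in ("bypass", "disabled", "locked out"):
        return user["status"]       # user-level status, set per account
    devices = (user.get("phones", []) + user.get("tokens", [])
               + user.get("webauthncredentials", []))
    if not devices:
        return "known-unenrolled"   # exists in Duo: gets the enrollment prompt
    return "enrolled"


# Constructed sample responses in the shape the Admin API returns.
SAMPLE_UNKNOWN = {"stat": "OK", "response": []}
SAMPLE_UNENROLLED = {"stat": "OK", "response": [
    {"username": "jdoe", "status": "active", "phones": [], "tokens": []}]}
SAMPLE_ENROLLED = {"stat": "OK", "response": [
    {"username": "asmith", "status": "active", "tokens": [],
     "phones": [{"number": "+15555550100", "type": "Mobile"}]}]}

if __name__ == "__main__":
    for body in (SAMPLE_UNKNOWN, SAMPLE_UNENROLLED, SAMPLE_ENROLLED):
        print(classify(body))
    # Live check (needs real keys): print(classify(lookup_user("jdoe")))
```

Running the lookup against a few of the affected accounts shows whether they are really `unknown` or already `known-unenrolled` (for instance because they were created by a directory sync), which is the line the New User Policy draws.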