Token MFA seems to not work

Hi, I have set up Duo MFA with a VPN account. If I use the bypass code the VPN connects, so the AD auth is working. If I just want to auth using the app-generated token, I still get a push notification to the phone and have to tap accept. Is there no way to use only one method of MFA, so either an SMS, a token or the push notification?

If I change the policy and only select SMS, then how does it work, since I can't put the SMS code into the VPN login before I get it? So how does that work?

If I select only Token, then all access fails no matter whether the token is correct. If I select only push notifications, then what do I put in the VPN login for the token? Anything? If I select token and push, then the token can be incorrect and it does not matter; the connection goes through.

It all seems a bit here and there. Is there perhaps a detailed document that explains the options?

Without having any information about which VPN you’re using, or how you configured it to use Duo, I am going to assume you have set it up to use either LDAP via ldap_server_auto or RADIUS via radius_server_auto on the Duo Authentication Proxy. Both of those configurations send an automatic push.

To use a passcode from Duo Mobile for your VPN login, are you appending the passcode (see Append Mode in the Duo User Guide) to your password, like password,123456?

If you select SMS then it’s correct that the first login attempt fails and you receive a passcode via text message. Then you try the login again, this time appending the passcode you just received to your password.

I configured this with AWS AD and have tested it with the AWS VPN client and Tunnelblick. Using SMS does not work, and using MFA does not work unless I only make use of the bypass codes; if I have the phone enrolled then it always sends the push. I can send you my full lab test; I don't want to post it here. Please send me an address to send it to.

Please don’t send me your lab info or configs. The community is an area for discussion, but isn’t how you open a case for support (see the post How to contact support and get help for Duo).

Did you follow these instructions? How can I use Duo with my AWS Managed Microsoft AD to provide multi-factor authentication for end users connecting to an AWS Client VPN endpoint? I don't have any familiarity with the AWS VPN, but the approach described there seems flawed. The Amazon instructions look like they set up the VPN so it should prompt for a Duo factor separately after primary AD authentication. But the [radius_server_auto] configuration for the Duo Authentication Proxy expects to receive a string for the password that is just the password (and it will send an automatic push or phone call), or the password followed by an appended factor name or passcode, like password,123456. If you are only typing in the passcode, then the Duo proxy likely thinks the passcode is the password, and since there is no other factor or passcode appended to that string, that it should send an automatic push.

Here is something you can try: when you get to where you would enter the Duo passcode, try entering some characters as a fake password, followed by a comma and the passcode you want to use - something like this: abc,123456.

We have not tested that Amazon VPN configuration I linked, but we did test AWS Workspaces with AWS Managed AD + RADIUS, and in that deployment we recommend [radius_server_duo_only] instead of [radius_server_auto]. The reason is because [radius_server_duo_only] does not expect to receive a factor appended to a password, and it does not perform an automatic push. Instead, [radius_server_duo_only] expects to receive just the name of a factor (like push or sms) or just a passcode (123456).

If that experiment I mentioned works to auth you with a passcode, try changing the config on your Authentication Proxy to match what’s in our Duo AWS Workspaces document.

My company currently has Duo integrated with an AWS Client VPN endpoint (we followed the doc above, using radius_server_auto) and we are testing the use of YubiKeys integrated with Duo as a means for 2FA. I'm experiencing the same situation as @pwallace mentioned above. We are using the OpenVPN client, which prompts for a username, password, and a static challenge ("Enter MFA Code"), but I've found that the static challenge field is useless: any value can be entered (a YubiKey OTP, a passcode, or any random value), a Duo push will always be sent, and the value in this field is ignored. I have also tested the suggestion above of appending the Duo passcode or YubiKey output after the password, like password,passcode and password,yubikey-press, but with no success: a Duo push is still sent and the authentication fails, stating the username or password was incorrect.

I would like to give our users the option to send a push, send an SMS, or use their YubiKey in place of automatically receiving a Duo push, but we want to still enforce a password. Ideally, we'd want username, password, then an option for push, SMS, passcode or YubiKey input. Is this possible?

If you configured radius_server_auto with duo_only_client then that’s basically like doing radius_server_duo_only but with automatic push ability.

Are your VPN users actually authenticating with passwords or are they using certificates?

This is my guess as to what is likely happening:

  1. radius_server_auto + duo_only_client instructs the Duo Authentication Proxy to treat whatever is received in the radius packet for password as the factor, and that it does not need to break apart the password string to separate a primary password from an appended factor (because this config tells the Duo proxy not to do any primary credential verification at all).

  2. Someone types in a value for the password that is not strictly a Duo factor name or passcode. Like, typing in password,123456 to try to auth with a passcode instead of just entering the passcode 123456 in the password field.

  3. The Duo proxy can't match the full string password,123456 to a valid Duo factor name or passcode, and so it falls back to automatic push.

So, what if you try entering just the passcode value or doing the YubiKey press in the password field, and do not prepend this with the actual password and delimiter?
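As an added illustration (not Duo's code, and not part of any post in this thread), the following Python models the password-field handling described in the two replies above: [radius_server_auto] splits password,factor on a delimiter and sends an automatic push when nothing is appended, while [radius_server_duo_only] (or radius_server_auto with duo_only_client) treats the whole password field as the factor and does no primary credential check. The factor names, the digits-only passcode rule, the 44-character YubiKey OTP check, the split-on-last-delimiter choice, and the "unrecognized string falls back to automatic push" behaviour are simplifying assumptions of this model; the sample password and OTP are constructed.

```python
"""Model of how the Duo Authentication Proxy interprets the RADIUS password
attribute in the two server modes discussed in this thread.

Added illustration for this thread; not Duo's code. The factor names,
passcode shapes and fallback rules below are assumptions made for the model.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FACTOR_NAMES = {"push", "phone", "sms"}   # factor names used in the thread
MODHEX = set("cbdefghijklnrtuv")          # YubiKey OTP alphabet (assumption: 44-char OTP)

# Constructed sample inputs (not real credentials or OTPs)
SAMPLE_PASSWORD = "hunter2"
SAMPLE_YUBIKEY_OTP = "c" * 12 + "btlvhjthkdecuhhubbvllkihfekngkcn"


@dataclass
class Decision:
    primary_password: Optional[str]  # sent to AD/LDAP; None when no primary auth is done
    factor: str                      # "auto", "push", "phone", "sms" or "passcode"
    passcode: Optional[str] = None


def is_passcode(s: str) -> bool:
    """Six or more digits (Duo Mobile, SMS or bypass code) or a 44-char YubiKey OTP."""
    return bool(re.fullmatch(r"\d{6,}", s)) or (len(s) == 44 and set(s) <= MODHEX)


def classify_factor(s: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (factor, passcode), or (None, None) if s is not a recognized factor."""
    s = s.strip().lower()
    if s in FACTOR_NAMES:
        return s, None
    if is_passcode(s):
        return "passcode", s
    return None, None


def radius_server_auto(password_attr: str, delimiter: str = ",") -> Decision:
    """[radius_server_auto]: 'password' -> auto push; 'password,factor' -> that factor."""
    # Split on the LAST delimiter so a password that itself contains a comma still works
    # (assumption of this model).
    primary, sep, tail = password_attr.rpartition(delimiter)
    if sep:
        factor, code = classify_factor(tail)
        if factor is not None:
            return Decision(primary, factor, code)
    # Nothing recognizable appended: the whole string is the primary password and the
    # proxy sends an automatic push (assumption for the unrecognized-suffix case).
    return Decision(password_attr, "auto")


def duo_only(password_attr: str) -> Decision:
    """[radius_server_duo_only], or radius_server_auto + duo_only_client: the whole
    password field is the factor and no primary credential check is performed."""
    factor, code = classify_factor(password_attr)
    if factor is None:
        # 'password,123456' is neither a factor name nor a passcode, so the proxy
        # falls back to an automatic push, which is the behaviour guessed at above.
        return Decision(None, "auto")
    return Decision(None, factor, code)


if __name__ == "__main__":
    for attr in (SAMPLE_PASSWORD, SAMPLE_PASSWORD + ",123456", "abc,123456",
                 SAMPLE_PASSWORD + ",sms", "123456", SAMPLE_YUBIKEY_OTP):
        print(f"{attr!r:>50}  auto={radius_server_auto(attr)}  duo_only={duo_only(attr)}")
```

Two things the model makes visible: in auto mode, "abc,123456" yields primary password "abc" and passcode 123456, which is the experiment suggested earlier in the thread; in duo_only mode, "hunter2,123456" is not a recognizable factor and degrades to an automatic push. A factor of "sms" is the request-codes step: the first attempt is denied while codes are sent, and the second attempt appends the received code instead.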

Yes, that's correct. Our configuration file uses radius_server_auto with duo_only_client, but we are using passwords for authentication, not certificates. To test, I have tried using sms, push, a passcode, or YubiKey output in the password field; I still receive a push notification, which I accept, and then the VPN connection fails stating the username/password was incorrect. Is there a way for this to work without using certificate-based authentication?

> Is there a way for this to work without using certificate-based authentication?

:shrug: that seems like a question for Amazon?

I can’t really follow what is happening through what is shared here so I suggest you open a case with Duo Support where a technical support engineer can review your configuration and debug log output to help determine what is actually happening.


Hello everyone. I came across this while experiencing the same issue. I am able to receive a Duo push and connect, but the extra MFA field seems useless. I was wondering if anyone found a solution for eliminating the extra MFA field while still being able to receive a Duo push from the AWS client?
It seems to be dependent on the last line in the config, but altering or removing that does not seem to help. If anyone has had any luck or created a ticket with AWS, please let me know. Thanks!