Token MFA seems to not work

Hi, I have set up this Duo MFA with a VPN account. If I use the bypass code the VPN connects, so the AD auth is working. If I just want to auth using the app-generated token, I still get a push notification to the phone and have to touch Accept. Is there no way to use only one method of MFA, so either an SMS, a token or the push notification?

If I change the policy and only select SMS, then how does it work, since I can’t put the SMS code into the VPN login before I get it? So how does that work?

If I select only Token, then all access fails no matter if the token is correct. If I select only push notifications, then what do I put in the VPN login for the token, anything? If I select token and push, then the token can be incorrect and it does not matter; the connection goes through.

It all seems a bit here and there. Is there perhaps a detailed document that explains the options?

Without having any information about which VPN you’re using, or how you configured it to use Duo, I am going to assume you have set it up to use either LDAP via ldap_server_auto or RADIUS via radius_server_auto on the Duo Authentication Proxy. Both of those configurations send an automatic push.

To use a passcode from Duo Mobile for your VPN login, are you appending the passcode (see Append Mode in the Duo User Guide) to your password, like password,123456?

If you select SMS then it’s correct that the first login attempt fails and you receive a passcode via text message. Then you try the login again, this time appending the passcode you just received to your password.

I configured this with AWS AD and have tested it with the AWS VPN client and Tunnelblick. Using SMS does not work; using MFA does not work unless I only make use of the bypass codes. If I have the phone enrolled then it always sends the push. I can send you my full lab test; I don’t want to post it here. If you can, please send me an address to send it to.

Please don’t send me your lab info or configs. The community is an area for discussion, but isn’t how you open a case for support (see the post How to contact support and get help for Duo).

Did you follow these instructions? How can I use Duo with my AWS Managed Microsoft AD to provide multi-factor authentication for end users connecting to an AWS Client VPN endpoint? I don’t have any familiarity with the AWS VPN, but the approach described there seems flawed. The Amazon instructions look like they set up the VPN so it should prompt for a Duo factor separately after primary AD authentication. But the [radius_server_auto] configuration for the Duo Authentication Proxy expects to receive a string for the password that is just the password (and it will send an automatic push or phone call), or the password followed by an appended factor name or passcode, like password,123456. If you are only typing in the passcode, then the Duo proxy likely thinks the passcode is the password, and since there is no other factor or passcode appended to that string, that it should send an automatic push.

Here is something you can try: when you get to where you would enter the Duo passcode, try entering some characters as a fake password, followed by a comma and the passcode you want to use - something like this: abc,123456.

We have not tested that Amazon VPN configuration I linked, but we did test AWS Workspaces with AWS Managed AD + RADIUS, and in that deployment we recommend [radius_server_duo_only] instead of [radius_server_auto]. The reason is that [radius_server_duo_only] does not expect to receive a factor appended to a password, and it does not perform an automatic push. Instead, [radius_server_duo_only] expects to receive just the name of a factor (like push or sms) or just a passcode (123456).

If that experiment I mentioned works to auth you with a passcode, try changing the config on your Authentication Proxy to match what’s in our Duo AWS Workspaces document.
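To make the difference between the two proxy modes concrete, here is a small added model (illustrative code written for this thread, not the Duo Authentication Proxy's own implementation) of how each mode reads the RADIUS password field. It assumes a comma delimiter, numeric passcodes, and the factor keywords push, phone and sms; the way it handles an unrecognised suffix is the model's own simplification.

```python
"""Model of how [radius_server_auto] and [radius_server_duo_only] interpret
the RADIUS password field.  Illustrative only; assumptions are noted inline."""
from dataclasses import dataclass
from typing import Optional

DELIMITER = ","                            # Append Mode separator, as in "password,123456"
FACTOR_NAMES = {"push", "phone", "sms"}    # assumed set of factor keywords


@dataclass(frozen=True)
class Decision:
    primary_password: Optional[str]   # sent to AD for primary auth (None in duo_only mode)
    factor: str                       # "auto" (automatic push/call), a factor name, or "passcode"
    passcode: Optional[str] = None


def interpret_radius_server_auto(field: str) -> Decision:
    """[radius_server_auto]: the whole field is the AD password unless a factor
    name or passcode is appended after the delimiter; with nothing appended the
    proxy sends an automatic push."""
    if DELIMITER not in field:
        # A bare passcode such as "123456" lands here: it is treated as the
        # password and an automatic push is still sent, which is what the OP saw.
        return Decision(primary_password=field, factor="auto")
    password, suffix = field.rsplit(DELIMITER, 1)
    if suffix in FACTOR_NAMES:
        return Decision(primary_password=password, factor=suffix)
    if suffix.isdigit():                   # assumption: passcodes are numeric
        return Decision(primary_password=password, factor="passcode", passcode=suffix)
    # Model simplification: an unrecognised suffix means the comma was part of
    # the password itself, so fall back to password + automatic push.
    return Decision(primary_password=field, factor="auto")


def interpret_radius_server_duo_only(field: str) -> Decision:
    """[radius_server_duo_only]: primary auth already happened elsewhere; the
    field holds only a factor name or a passcode, and nothing is auto-pushed."""
    if field in FACTOR_NAMES:
        return Decision(primary_password=None, factor=field)
    if field.isdigit():
        return Decision(primary_password=None, factor="passcode", passcode=field)
    raise ValueError(f"not a factor name or passcode: {field!r}")


if __name__ == "__main__":
    for value in ("Secret123", "Secret123,123456", "123456", "abc,123456"):
        print(f"auto      {value!r:22} -> {interpret_radius_server_auto(value)}")
    for value in ("123456", "push"):
        print(f"duo_only  {value!r:22} -> {interpret_radius_server_duo_only(value)}")
```

Running it shows why the workaround in the reply works: under the auto mode, "abc,123456" yields password "abc" plus passcode 123456, whereas "123456" alone is read as a password with an automatic push.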