leftHanded,
While it is possible for two [radius_server_xxx] sections to listen on the same port, we don’t recommend or officially support this configuration for a couple of reasons. One of them you already pointed out: creating a unique server sec...
mrivett,
PAM does provide some flexibility as to when/how to trigger 2FA.
For example, you can configure PAM to require 2FA for BOTH password and key login:
https://help.duo.com/s/article/3745
You can also configure PAM + SSH to fall back to password ...
I forgot to answer your second question “Is there a way to block enrollment for a group”
Setting the new user policy to “deny access” will essentially prevent inline enrollment AND block access to the application until the user enrolls a device thr...
Excellent, so you definitely have some flexibility on how to approach this.
In your case, it still sounds like your best and the least complex approach is to set your new user policy for each application to “Allow” and then ensure that the groups you...
Unfortunately the workarounds are limited due to how we currently treat those “partially enrolled” users.
For those new to Duo, we define a partially enrolled user as a username that exists in Duo but has no 2FA devices attached. This is an important ...