Use Duo authentication with VPN


Issue/Question

  • How do I authenticate with Duo when using VPN?

Scope

User

  • All current Miami University Students, Faculty, and Staff

Environment

  • 312306: Duo Security Two-factor Authentication
  • 10393: VPN AnyConnect Client
    • Cisco AnyConnect

Rationale

  • Two-factor authentication adds a second layer of security to your Miami account. It allows you to verify your identity using a second factor — your smartphone or other mobile device, YubiKey U2F device, or landline — and prevents anyone else from logging in to your account

Resolution 

  • Important Notes:
    • If your MUnet password contains a comma, you will need to change your password to something that does not contain a comma in order to successfully authenticate to VPN. VPN authentication with Duo uses a comma after a person's password to denote either a Duo passcode or the method of Duo authentication to be used
      • If you don't have Duo Mobile installed on a device, a comma is required followed by your preferred Duo method. Using a comma after the password will allow the following options: phone, push2, phone2, passphrase, sms, and sms2. Example: 'password, [Duo option]'
    • If you intend to use a YubiKey when authenticating with Duo to VPN, you must have the YubiKey configured by a Duo Administrator in the Duo Admin console. Email us at ITHelp@MiamiOH.edu and request to have your YubiKey token configured for use with VPN. IT Services will call you back and ask for three pieces of information about your YubiKey — the serial number, private identity, and secret key — which you will find in the YubiKey personalization tool
    • The first time you use the VPN with Duo, you must enter your Duo code within 12 seconds due to an unchangeable setting in the VPN. If there is latency in generating the code, you may miss this window. For this reason, we recommend that you generate an SMS passcode or a passcode via the Duo app prior to attempting to connect to the VPN, and then use the "If you prefer to use a passcode, enter..." method below for your first connection. After your first successful connection, the default setting will be changed to 60 seconds and any of the options listed below should work for you.
  1. Launch the Cisco AnyConnect client and select the desired VPN
  2. Click connect and provide your UniqueID
    • Entering the password will generate a Duo push to your installed Duo mobile app on your first enrolled device — this is the default behavior for Duo and VPN
  3. If you don't have Duo Mobile installed on a device or you prefer a different authentication method, a comma is required followed by your preferred Duo method:
    • If you prefer Callback as your method to authenticate with Duo, enter your password followed by a comma (',') followed by the word phone (or phone2 if you want the call to go to your secondary phone device) and then click OK
    • If you prefer to use a hardware token (like a YubiKey), enter your password followed by a comma (','), touch your hardware token, and then click OK
    • If you prefer to use a passcode, enter your password followed by a comma (','), enter a passcode, and click OK
    • If you prefer to use a passcode, but need a passcode, enter your password followed by a comma (',') followed by the word sms (or sms2 if you want the passcode to be sent to your secondary phone device) and then click OK. The current login will fail, but you will be sent passcodes to your device that can be used on the next login attempt.
    • If you prefer to have a push sent to your secondary device, enter your password followed by a comma (',') followed by the word push2 and then click OK
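
Why a comma inside the password breaks VPN login, shown as an added example (not Miami's or Duo's code): it models the 'password,[Duo option]' field using the keywords listed above. The function names and the split-at-first-comma rule are assumptions made for illustration, and the sample passwords are constructed.

```python
# Added illustration, not Miami's or Duo's code.
# Assumption: the gateway splits the password field at the FIRST comma.

# Keywords the article lists as valid after the comma.
KEYWORDS = {"phone", "phone2", "push2", "passphrase", "sms", "sms2"}


def parse_password_field(field):
    """Split the field into (password, method) as the article describes it."""
    password, comma, factor = field.partition(",")
    if not comma:
        # No comma: default behaviour, a push to the first enrolled device.
        return password, "push"
    # The article's example has a space after the comma; ignoring it is an assumption.
    factor = factor.strip()
    if factor.lower() in KEYWORDS:
        return password, factor.lower()
    if factor.isdigit():
        return password, "passcode"
    # Hardware-token output, or text that is not a valid factor at all.
    return password, "token-or-unrecognised"


def comma_check(real_password, suffix=None):
    """Return (password_intact, method) for a real password plus optional suffix."""
    field = real_password if suffix is None else f"{real_password},{suffix}"
    parsed, method = parse_password_field(field)
    return parsed == real_password, method


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, suffix in [("Corr3ct-Horse", None), ("Corr3ct-Horse", "phone2"),
                       ("Corr3ct-Horse", "123456"), ("Corr3ct,Horse", None),
                       ("Corr3ct,Horse", "sms")]:
        print(repr(pw), repr(suffix), comma_check(pw, suffix))
```

For the two passwords containing a comma, the first value is False: the text after the embedded comma is read as the Duo factor, so the password that reaches authentication is truncated.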

 


Details

Article ID: 68883
Created: Wed 12/12/18 4:02 PM
Modified: Thu 3/14/19 1:12 PM
Can you resolve this issue yourself?
Can the end-user resolve the issue using the instructions given?
Or does the end-user need to request assistance from Miami UIT, a client office, or a vendor?
Yes! This is self-service with a smile.