All true, but I guess I am still confused by what Duo is doing. If pre-auth just returns AUTH in all cases then what does it return for a bypassed user in Duo from the iframe? If it is a signed response then everything should be good and CAS would assume the user was authenticated with Duo. Any other return value I think would result in an authentication error and the user would not be allowed to continue.

Travis

On Thu, Feb 21, 2019 at 11:02 AM Richard Frovarp <[email protected]> wrote:

> 5.1 uses a broken method for bypassing Duo. Or at least broken in some respects. That's why you get the flash on the screen. 5.1 actually triggers the widget, and the widget is doing the bypass. CAS doesn't know, so all of your users under 5.1 are asserting via attribute release that they have performed MFA, when in fact they may not have.
>
> 5.2+ added a method that makes an API call to see if the user can bypass. If the user can bypass, they don't get the MFA iframe appearing. It also then doesn't assert that MFA has happened when it hasn't.
>
> What we're doing is that everyone that has to MFA is in an AD group. We use that to trigger MFA. The Duo integration is configured to always require MFA, because anyone sent to it will have been asserted by AD to require Duo. If you need to bypass Duo, you just change the CAS config to point to an AD group that doesn't exist, touch the file, and away it goes. Handy for when Duo is down, or your own network is down.
>
> On 2/21/19 11:38 AM, Travis Schmidt wrote:
>
> Ok, that might explain it. Does the Duo iframe screen then flash by now for these users when in the past it did not?
>
> One way to get around possibly. If you have an attribute available that marks a user as being enrolled in Duo, you can set a trigger to enforce Duo on only those users, with name attribute values or groovy script. Trade-off being that all services will require Duo for anyone enrolled in Duo, but you should be able to set bypass flags in services or a bypass script. Depending on how you are set up to use Duo now, this could be a big or small change.
>
> Travis
>
> On Thu, Feb 21, 2019 at 9:30 AM Greg Booth <[email protected]> wrote:
>
>> We are seeing this issue as well, CAS 5.3.4 using MFA with Duo. We believe it is an issue Duo has introduced with their new API. See the yellow box under "User Account Status":
>> https://apereo.github.io/cas/5.3.x/installation/DuoSecurity-Authentication.html#user-account-status
>>
>> Rather than wait for Duo to fix this, we are looking into ways to bypass this issue without disabling Duo entirely on our services, using Multifactor Authentication Bypass:
>> https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#multifactor-authentication-bypass
>>
>> Have not gotten anywhere with this yet; if anyone has experience with those config settings, we could use your help.
>>
>> Greg
>>
>> On Thu, Feb 21, 2019 at 9:39 AM atilling <[email protected]> wrote:
>>
>>> CAS version 5.1.9 using MFA with DUO. We had this working fine for about two years at this point. Tuesday it started causing problems for our unenrolled users. We have the DUO setting "allow unenrolled users to pass through without two-factor authentication" but sometime around 5 pm Tuesday all unenrolled users started getting the error "The validation request for ['ST-...'] cannot be satisfied. The request is either unrecognized or unfulfilled." whenever logging into a Duo protected service.
>>>
>>> Has anyone else experienced this? Did something change with Duo in the last 72 hours? We had to turn off Duo for these services and we don't want to keep it off.
>>>
>>> Any help would be appreciated.
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d6587944-0b2a-492c-9922-b84d0047486f%40apereo.org.
>>
>> --
>> Gregory Booth
>> Senior Systems Administrator & Technical Team Lead
>> IT Operations
>> Information Technology
>> Michigan Technological University
>> (906) 487-1797
>> www.mtu.edu
>> www.it.mtu.edu
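The signed-response check Travis is asking about, as an added example (not CAS's or Duo's own code): it reconstructs the Duo Web SDK v2 `sig_response` layout, an AUTH fragment signed by Duo with the integration secret key plus an APP fragment signed with the application key, using constructed keys, so a relying party can see that only a complete, unexpired pair for the same user verifies and that a missing AUTH part, a tampered signature or a stale response is rejected.

```python
import base64, hashlib, hmac, time

# Constructed sample keys for the example only (not real Duo credentials).
IKEY = "DIXXXXXXXXXXXXXXXXXX"   # integration key, 20 chars
SKEY = "s" * 40                 # secret key held by Duo and the relying party
AKEY = "a" * 40                 # application key known only to the relying party

def _sign(key, prefix, vals, expire, now=None):
    """Build one Web SDK v2 fragment: PREFIX|base64(vals|exp)|hmac-sha1(key, PREFIX|base64)."""
    exp = int(now if now is not None else time.time()) + expire
    cookie = prefix + "|" + base64.b64encode("|".join(vals + [str(exp)]).encode()).decode()
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return cookie + "|" + sig

def _parse(key, fragment, prefix, now=None):
    """Verify one fragment; return the username, or None if any check fails."""
    try:
        p, b64, sig = fragment.split("|")
    except ValueError:
        return None
    expected = hmac.new(key.encode(), (p + "|" + b64).encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, sig) or p != prefix:
        return None
    try:
        user, ikey, exp = base64.b64decode(b64).decode().split("|")
    except ValueError:
        return None
    if ikey != IKEY or (now if now is not None else time.time()) >= int(exp):
        return None
    return user

def duo_sign_response(user, now=None):
    """What a completed iframe round trip hands back: AUTH part (Duo, SKEY, 5 min) : APP part (AKEY, 1 h)."""
    return _sign(SKEY, "AUTH", [user, IKEY], 300, now) + ":" + _sign(AKEY, "APP", [user, IKEY], 3600, now)

def verify_sig_response(sig_response, now=None):
    """Relying-party check: both fragments must verify, be unexpired and name the same user."""
    try:
        auth_part, app_part = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse(SKEY, auth_part, "AUTH", now)
    app_user = _parse(AKEY, app_part, "APP", now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user
```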
