Baron,

The Duo versions for Java are here: https://help.duo.com/s/article/9451?language=en_US#api-clients

CAS 7.2.x does not have the minimums, and the last commit was late September. Anyone wanting to use Duo will have to upgrade to 7.3.x. See line 56 in https://github.com/apereo/cas/blob/7.3.x/gradle/libs.versions.toml

Ray

________________________________
From: [email protected] <[email protected]> on behalf of Baron Fujimoto <[email protected]>
Sent: December 19, 2025 08:56
To: CAS Community <[email protected]>
Subject: [cas-user] Re: Duo root certificate authority bundle replacement?

Following up with additional information. We now believe the Duo Unsupported Client reports actually do implicate CAS. Initially we were dissuaded because the Client IP in these reports was not known to be associated with our CAS servers, but we've since learned that all the servers' traffic was NAT'd behind the reported IP.

I don't recall seeing this issue being discussed previously on the list, but this seems like a significant issue for those using "cas-server-support-duo". Are such users actually just rare, or is everyone already running CAS 7.3?

On Thu, Dec 18, 2025 at 5:40 PM Baron Fujimoto <[email protected]> wrote:

We are currently running CAS 7.0.x with the "cas-server-support-duo" dependency in our build.gradle overlay.

In response to an advisory from Duo re "Duo root certificate authority bundle replacement" (action required by 2025-02-02) <https://help.duo.com/s/article/9451>, we tried to determine if we were affected by this. Duo reports in our Unsupported Clients log many entries that are tied to our Identification Key for the Duo app used by our CAS service. It's unclear to us though whether these entries represented CAS itself, or clients using our CAS service.

Our initial analysis suggested to us that these entries represented CAS clients using our CAS service. However, we received the following response to our query to Duo support:

With CAS, since this is a third party application that has integrated Duo, our team recently got a confirmation from CAS that they have made an update available for the upcoming CA bundle replacement, and you must perform some upgrade or configuration action to use it.

And they provided links to the CAS 7.3.0 Duo Security MFA documentation: <https://apereo.github.io/cas/7.3.x/mfa/DuoSecurity-Authentication.html>

So is the CAS server actually affected by this issue if using "cas-server-support-duo"? If so, what is the minimum CAS server version required to address this? If there are release notes or something comparable that covers this, a pointer to those would be appreciated as well.

--
Baron Fujimoto <[email protected]> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0JdPHB41TGic9YN_kYWQp_dkrRq0awoATj-xe-RzAUAA%40mail.gmail.com.
