I'm an end-user of Duo at the day job and relatively happy with it. Was not
involved in the setup, though. OTOH I remember someone in #lopsa saying
they had problems with them and had been unhappy. Can't remember who or why
offhand, hopefully they'll chime in on this thread.

I will note that the most common problem with Duo that I've personally seen
is when folks have it configured to give them a phone call instead of
running the app and getting a push notification. In our setup, to access
the Windows jumpbox we start an RDP session, and after normal user auth, it
then triggers a Duo challenge. But the phone call setting seems to get
delayed enough that the RDP session fails with a network policy error.
People adjusting their user config with push notifications works better. I
have not looked into seeing if you can just blanket disable that option,
but it seems a bit odd that they offer that as a service when it doesn't
work; then again, we may have a more aggressive timeout policy on the Duo
portion than is recommended. Again, wasn't involved in the setup as it
predated me, so I'm not sure.

I know it also works with Linux boxes and that's on my list to check out,
just haven't gotten to it yet. We'd likely only enable it on nodes with
public IPs that have SSH listening/allowed, so it has been low on my

Duo is also apparently free depending on how many users/devices you have,
whereas last time I heard about the RSA setup, it was very expensive. I'm
planning on adding Duo support to my personal AWS Linux nodes for SSH (so
key+MFA auth, no passwords allowed).

On Wed, Nov 30, 2016 at 10:31 AM, Kyle Stewart <_kylestew...@outlook.com> wrote:
> Hi all, hope this email finds everyone well. We're looking into setting up
> two-factor authentication at my company for a 2017 project and I'm in the
> "Let's get the lay of the land" phase. Right now it seems like Duo is
> making big headway in this market, but I've heard good things about RSA as
> well. I'd love to get some first-hand feedback from people who have used
> these types of 2FA solutions who aren't sales people :)
>
> Overall I get what 2FA/MFA does, but I'm blurry on how it gets implemented
> - at face value I'm very interested in Duo so if anyone has experience with
> Duo and setting it up (preferably alongside Palo Alto's and GlobalProtect)
> that'd be fantastic.
>
> Thanks in advance!
> Kyle Stewart
> Discuss mailing list
> This list provided by the League of Professional System Administrators