Passportal credential asking for Duo MFA despite Duo in bypass mode
When we set up Passportal as a credential, it works great until we enable Duo MFA for the customer's Passportal tenant. We enforce Duo MFA for all users, so that includes the Support admin account which is used in RDM to access shared credentials.
That means that whenever we try to connect to a computer, it tries to get the credential and then asks for Duo MFA. That's fine, except that we don't want that in this case. We set the Support admin account in Duo to be bypassed completely. Yet RDM still asks for the Duo MFA code when using the credential.
I can log on to Passportal's website with the Support admin account without being prompted for Duo MFA when it is in bypass mode, so I know the bypass is working fine, just not within RDM. Whether or not Duo MFA is enabled for the Support admin account, RDM asks for a Duo MFA code.
A couple of ideas:
Hello,
From what I can see of the integration, we currently don't support bypassing Duo. We will have to look into what the Passportal API provides. I have opened a ticket for investigation; we will get back to you in this thread once we have an update.
Regards,
Hubert Mireault
Thanks, Hubert. I did discover that we could set up a permanent bypass code, and once we used that in one RDM session it seemed to work (not prompt) when connecting to other computers. So that's not too bad of a workaround. We just want techs to use RDM more as there's good auditing both there and with Passportal/Duo, so the fewer speed bumps the better.
I'm glad you found a workaround for the moment. As you say though, the easier it is to onboard your team, the better, so we're definitely keeping the ticket open so we can improve the integration.
Out of curiosity since I'm not familiar with the bypass code, is it something that replaces the password in the authentication? In what field did you configure it in RDM?
Regards,
Hubert Mireault
So the Duo bypass code is set up in Duo, in the user's section. You can set it with all sorts of parameters: single use, multiple use, time-limited, or unlimited use. In this case we'd set up an unlimited use code. It's just entered in when RDM asks for the MFA code.
As to where to configure it in RDM, that's what I'd like to see. In the credential, when using Passportal, it'd be great to have a password field that's for the Duo bypass code. But I also realize that the Passportal settings don't really have anything to do with Duo. That might be hard for RDM to do.
Hello,
Thank you for the information, that's interesting to know. So it acts as a sort of replacement to the Duo check, which you enter when RDM expects the MFA.
If there's nothing regarding this in the Passportal API, we could always add a field for this code that RDM would send when it usually asks the user for the MFA code.
Regards,
Hubert Mireault
OK, that'd be great. One thing that's always impressive with RDM is how many features you folks keep adding, updating, and improving.
Any update?
Hello Lowell,
The internal ticket is still on the to do list. I will ask the engineering team if they can increase the priority.
Best regards,
Richard Boisvert
Hello Lowell,
Just to let you know, while this couldn't make it for our 2023.1 release, this is planned for 2023.2 (and maybe we will be able to squeeze it in a minor update for 2023.1, but no promise).
Regards,
Hubert Mireault
Nice! Thanks for the update! Will be nice to not have a workaround that adds its own insecurities.
Hello,
Good news, I can confirm we will have the field "Duo bypass code" in Passportal entries starting with RDM 2023.2 which is planned for release this June. I tested it on my end and it works well. Hopefully it will make life easier for you.
Regards,
Hubert Mireault