Use Duo MFA for application access to RDM

Implemented


Hi Team

We currently use Google Authenticator, which prompts staff as they launch RDM; they cannot get into RDM without entering the OTP. I believe this is forced via a System Setting, under Application Settings > "Force application security with TOTP (Authenticator)". This works well but is not as nice an experience as using Duo and a push notification. We are also transitioning a lot of our services over to Duo, and it would be nice to include RDM in that.

I understand we can use Duo in RDM to access a Data Source, which works really well, but it is slightly different to the above situation. We allow staff to use the RDM data source offline; we do this as we can't afford for staff not to get access to RDM if the data source is offline for a period (this can also happen with the myriad of VPNs that we need to connect to, which can sometimes force us to lose direct access to RDM). I looked at using the Duo MFA on the data source, which does work nicely; however, if the staff member doesn't have internet and launches RDM, no connection to the data source is made and then access is granted. I'm trying to avoid that loophole.

I also need to make sure this is governed by a system setting; we can't rely on staff to configure a setting themselves. In an ideal world it would work exactly how we are currently using it with the force application security setting, but use Duo instead of the TOTP (Authenticator) option.

I hope I've explained myself and made sense. I'm also happy to try a few options if you think we can do this with what is currently in place. I did raise a support request already and support suggested I raise a feature request. The support request is 00016992 in case you want to read that too.

We're currently on 2022.2.18.0. I see a few Duo improvements since this version, but they didn't look to cater for the above.

Thanks

Sam

All Comments (8)


Hello,

From what I understand, the concern is that Duo is not prompted when using RDM offline, is that right? And your Duo is configured on the application level?

If so there is a configuration in the System Settings just for that:
[screenshot]

Configuring this option will make it so that every user connecting to this data source, if they try to go offline, will need to enter their configured application 2FA (in your case, Duo) before being allowed to go offline. Please note that if you truly have no internet connection and your 2FA requires it (which Duo should), you will not be able to connect to your data source despite having the offline mode enabled.

I believe this option should exist on the version you're on as well.

Let us know if this works for you.

Regards,

Hubert Mireault


Hi Hubert

Thanks for responding. I guess what I am really after is that this setting (in my screenshot below: System Settings > Applications > Force application security with TOTP (Authenticator)) was compatible with Duo and not just the Authenticator app.

That setting allows us to force MFA as soon as staff use RDM, plus a few other options such as on idle, on Windows lock, etc. The issue with applying Duo to the data source and potentially setting the option you have suggested, while that may somewhat work, is that we connect to a lot of different customer VPNs. Quite often, when that VPN gets connected, other local network settings are disabled and the staff member loses access to the RDM data source. In this situation it would go into offline mode, and then, while the staff member is busy trying to connect to the customer's VPN, they now have to complete a Duo MFA prompt because the data source has gone offline.

If it was possible to use Duo when opening RDM, it wouldn't matter if the data source is offline or online.

[screenshot]


Hello,

Thank you for the clarification. So it's more about making sure that everyone using RDM has Duo configured as the application 2FA? We could definitely add a "force application security with Duo" option that acts like the option for TOTP, but for Duo instead. Of course, please correct me if I misunderstood or if there's something else you'd need alongside that.

I will open a ticket for this and we will post in this thread once we have an update.

Regards,

Hubert Mireault


Hi Hubert

Sorry, I have been away on leave. Correct, you have nailed it.


Hello,

We've added this to the System Settings specifically for Duo (in the same area presented by Hubert above), which will be available in the upcoming 2023 version (this March, hopefully). There already is a GPO setting for MFA, and it can be used to apply Duo as well.

Regards,

Jafran Majeau


Hi Jafran

Thanks for the update, I look forward to giving it a try.


I noticed this line in the latest Improvements:

  • Added default Duo settings to the system settings

Checking if that is related to this post or something else?


Hello,

We have implemented the Duo settings in System Settings, and this should be part of the latest release.

Regards,

Jafran Majeau