Configuring user groups for multifactor authentication with Duo Security

After you configure multifactor authentication on the system, you must enable multifactor authentication for user groups and add users to those groups in Duo Security.

As part of multifactor authentication configuration, you must enable the function per user group. The system supports enabling multifactor authentication for local and remote user groups.

The security administrator must define all local users manually in Duo Security. When users log into the system with multifactor authentication, their username is used to look up the required second factor in Duo Security. Users can set up multiple second factors to avoid getting locked out of the system.
Note: When you configure multifactor authentication for the first time, follow these guidelines to avoid getting locked out of the system unintentionally:
  • Ensure at least one user with Security Administrator role does not have multifactor authentication enabled. If the security administrator gets locked out of the system because of errors in the multifactor authentication set up, the additional user can still access the system.
  • Enable multifactor authentication on a user group without logged in users or leave an SSH session active to avoid locking out users on the system.

For information on how to configure directory synchronization for remote users with Duo Security, see Duo Directory Synchronization.

Using the management GUI

To enable multifactor authentication on user groups, complete these steps:
For existing user groups:
  1. In the management GUI, select Access > Users by Group.
  2. Select the user group from the left navigation and select User Group Actions > Properties.
  3. On the User Group Properties page, select On under Multifactor Authentication to enable second-factor authentication for all users with the user group. These users authenticate with the first factors that are stored on the local system and then are required to provide a second factor to access the system through a supported authentication service.
  4. Click OK.
For new user groups for local users:
  1. In the management GUI, select Access > Users by Group > Create User Group.
  2. On the Create User Group page, enter the following information:
    Group Name
    Enter a name of the user group.
    Ownership Group
    If ownership groups are configured on your system, you can select an ownership group for the user group.
    Multifactor Authentication
    Select On to enable second-factor authentication for local users on the system. These users authenticate with the first factors that are stored on the local system and then are required to provide a second factor to access the system through a supported authentication service.
    Role
    Select a role that for the user group.
  3. Click Create.
  4. Select Access > Users by Group > Create User.
  5. On the Create User page, enter the following information:
    Name
    Enter a user name for the user. This user name must match the user name that is added on Duo Security.
    Authentication mode
    Select Local.
    User Group
    Select the name of the user group that the local user belongs to.
    Password
    Enter a password that is used as the first factor for management GUI access.
    SSH key
    For CLI users, include a public SSH key that is used as the first factor for CLI access.
  6. Click Create. Repeat these steps for all local users.
For new user groups for remote users:
  1. Select Access > Users > Create User Groups and enter the following information:
    Group Name
    Enter the name of the group that is on the remote LDAP server. The name of the group on the system must match.
    Ownership Group
    If ownership groups are configured on your system, you can select an ownership group for the user group.
    Remote Authentication
    Select LDAP.
    Multifactor authentication
    Select On to enable second-factor authentication for remote users on the system. These users authenticate with the first factors that are stored on the remote LDAP server and then are required to provide a second factor to access the system through a supported authentication service.
  2. Remote users are defined on the remote authentication service. Only remote users who require access to the command-line interface using a Secure Shell (SSH) key, need to be created. To create remote users, who require access to the command-line interface, select Access > Users by Groups > Create User and enter the following information:
    Name
    Enter a name for the user.
    Authentication mode
    Select Remote.
    SSH key
    For remote users who require to access the system, select the public SSH key which stored locally on the system.
    Repeat these steps for all remote users.

Using the CLI

To enable multifactor authentication on user groups, enter the following commands:
For existing user groups
chusergrp -multifactor yes <id or name of group>
For new user groups for local users
mkusergrp -name name -role role -multifactor yes
For new user groups for remote users
mkusergrp -name name -role role -multifactor yes -remote