
Error when switching from DUO to TOTP authentication

Answered

Comments

4 comments

  • Dana Anderson
    Product Support

    Hello, William. 

     

    I think what you are seeing is the correct behavior. I'm going to reach out to our internal teams for additional feedback on this. 

    We will get back to you ASAP. 

    0
  • Dana Anderson
    Product Support

    Hi, William. 

    Switching between the two modes is a situation that we haven't accounted for when we added support for DUO. 

    The current workaround, as you described, is to disable 2FA for each user. However, if you have a large number of users, updating each one could take a while.

    My suggestion, if necessary, is to update the "user custom settings" XML file directly. (C:\ProgramData\Cerberus LLC\Cerberus FTP Server)

    Before making any changes, you should shut down the Cerberus service, and I would also back this file up.

    The "user custom settings.xml" file will allow you to manually set the multifactor authentication settings.

    For example, this was the original XML for a user configured with DUO:

    <ns1:multiFactor type="duoWeb" status="enabled">
    <ns1:value format="none" prot="none" key=""></ns1:value>
    </ns1:multiFactor>

    This is the new XML when disabled by updating status to be "disabled":

    <ns1:multiFactor type="duoWeb" status="disabled">
    <ns1:value format="none" prot="none" key=""></ns1:value>
    </ns1:multiFactor>

    After restarting the service, and assuming that the user is required to have 2FA for HTTP/S, the next time they attempt to log in, they will be prompted to set up 2FA with TOTP.

    I don't have a timeline at the moment, as this will require some heavy lifting on the back end, but we will address this in a future release.

     

    0
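The manual edit described in the reply above, scripted for a server with many users, as an added example that is not part of the thread and not Cerberus code. It assumes the settings file contains `multiFactor` elements shaped like the ones quoted above; the `-SettingsPath` and `-Apply` parameter names are this example's own, and the script is meant to be run with the Cerberus service stopped.

```powershell
# Added example, not Cerberus code. Run only while the Cerberus service is stopped.
param(
    [Parameter(Mandatory)] [string] $SettingsPath,  # full path to the user custom settings XML file
    [switch] $Apply                                 # without -Apply the script only reports
)

$ErrorActionPreference = 'Stop'
# .NET resolves relative paths against the process directory, so pin an absolute path first.
$SettingsPath = (Resolve-Path -LiteralPath $SettingsPath).Path

# Preserve whitespace so the saved file differs only in the status attributes.
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.Load($SettingsPath)

# local-name() avoids needing the URI bound to the ns1 prefix, which the thread does not show.
$xpath = "//*[local-name()='multiFactor'][@type='duoWeb'][@status='enabled']"
$nodes = @($doc.SelectNodes($xpath))

Write-Host ("{0} duoWeb entries currently enabled" -f $nodes.Count)
if (-not $Apply -or $nodes.Count -eq 0) { return }

# Timestamped backup beside the original before anything is written.
$backup = '{0}.{1}.bak' -f $SettingsPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $SettingsPath -Destination $backup

foreach ($node in $nodes) { $node.SetAttribute('status', 'disabled') }
$doc.Save($SettingsPath)

# Re-read the saved file and confirm no enabled duoWeb entry is left.
$check = New-Object System.Xml.XmlDocument
$check.Load($SettingsPath)
$left = $check.SelectNodes($xpath).Count
Write-Host ("Backup: {0}; changed: {1}; still enabled: {2}" -f $backup, $nodes.Count, $left)
```

Running it first without `-Apply` gives the number of accounts that will have to enroll again. As the reply notes, those users are prompted to set up TOTP at next login only if 2FA is required for HTTP/S.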
  • Jeff

    I realize this is an old post but it's top in the search results. In v.2024.2, I tried to switch from TOTP to DUO and it fails to work. This truly seems to be a bug. I have tried everything that I could find including adding the DUO intermediate cert to the server, restarting the Cerberus service after changes, manually editing user_custom_settings_5.0.xml and creating new user accounts.

    Everything seems to work until I get a "code did not match" error.

    To reproduce the error above, 1) I tick the box to use DUO in the admin. It doesn't matter if I disable 2FA, per user account, before or after, nor does it matter if I restart the Cerberus service. I get the same results. 2) From a PC, I log in to the Cerberus user account and disable 2FA and then re-enable it and log in. I get the DUO push notification on my phone, I select allow and then I get the DUO success message on the PC as depicted below:

    I still get logged into the account but like I said, I get that error depicted in the first image above.

    This is what I see in the admin and in the client:

    This is what's in user_custom_settings_5.0.xml for 2FA for the user with DUO enabled in the admin and after I attempt to login as a user:

    I have tried changing the status to enabled but it doesn't seem to have any effect even if I make the change with the Cerberus service stopped.

    Can you folks in Cerberus Support reproduce this issue with v.2024.2?

     

    0
  • Connor Woolfolk
    Community Manager

    Hello Jeff,

    I've gone ahead and created a support ticket regarding your request, as this may be something we need to investigate and communicate directly with you to resolve. We'll pick up communication there, and our team will begin taking a look into this.

    0
