03-07-2018 02:00 PM
What are you using for the first factor (what is your Duo Auth Proxy pointing to for the first factor)? Active Directory?
If using AD for the first factor, and Duo for the second factor, try this...
- Create an Authentication Profile in PA that uses LDAP and points to your Domain Controllers.
- Apply this LDAP Auth Profile to your Portal.
- Create an Authentication Profile in PA that uses RADIUS and points to your Duo Auth Proxy.
- Apply this RADIUS Auth Profile to your Gateway.
...with this configuration, users will authenticate to your Portal via AD only, and to your Gateway via Duo MFA. I believe, after authenticating to the Portal, the GP agent will take the username/password used to authenticate to the Portal and send them to the Gateway. The expected behavior here is that the user should only have to enter their password once, and their OTP once. Or, if you save user credentials in GP, the only thing the user has to do is authenticate against the second factor.
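
An added illustration, not part of the original post: a Duo Authentication Proxy `authproxy.cfg` matching the setup above, where the proxy checks Active Directory as the first factor and the Gateway's RADIUS Auth Profile points at the proxy. Every host name, address, account and secret is a placeholder.

```ini
; Constructed example; all values are placeholders.

[ad_client]
; First factor: the proxy binds to a Domain Controller to verify the password.
host=dc1.example.internal
service_account_username=svc-duo-placeholder
service_account_password=REPLACE_ME
search_dn=DC=example,DC=internal

[radius_server_auto]
; Second factor: Duo is called only after the ad_client check succeeds.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; RADIUS client: the PA interface that sends Gateway authentication requests.
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_ME
port=1812
; Deny logins if Duo's service cannot be reached, rather than allowing
; password-only access.
failmode=secure
```

The shared secret and port must match the RADIUS server profile behind the Gateway's Auth Profile, and that profile's timeout has to be long enough for the user to answer the Duo prompt.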