Changing Duo Credentials to the Universal Prompt

Starting with ClearPass 6.11.8, existing ClearPass multi-factor authentication (MFA) configurations that use the traditional Duo Prompt must be updated to use new Duo Universal Prompt credentials instead. This section provides instructions for creating the new Duo credentials and updating the ClearPass MFA configuration.

As of March 30, 2024, Duo Security no longer supports the traditional Duo Prompt. Existing traditional Duo Prompt configurations will continue to work, but Duo will not provide support for them. Duo will only provide support for the Universal Prompt on Duo Free, Duo Essentials, Duo Advantage, or Duo Premier. Duo made this change to replace the iFrame technology that rendered the traditional prompt in the user’s browser with newer, safer methods for rendering the prompt. Duo will no longer support iFrame technology or any dependencies on iFrame in the Duo Prompt.

As part of this change, customers who have existing ClearPass Guest and Onboard MFA configurations that use the traditional Duo Prompt must create new Duo Universal Prompt credentials and update their ClearPass MFA Duo configuration when they update to ClearPass 6.11.8 or later versions. This process is completed partly in Duo and partly in ClearPass, as described below. After March 30, 2024, if the customer performs a patch rollback from 6.11.8 to an earlier 6.11.x version, Duo integration will not work.

Creating the new credentials in Duo:

1. Go to https://signup.duo.com/ to create a new account.

2. After the account is created, go to https://admin.duosecurity.com and log in. The Duo Dashboard opens.

3. In the Duo Dashboard’s left navigation, go to Applications > Protect an Application and in the search field enter the name of the application whose configuration you want to update. The Duo Dashboard shows a list of all similar names.

4. In the row for the application, click the Protect link. The Details form opens.

5. The new Client ID, Client secret, and API hostname values are displayed. Copy these values carefully as you will need to supply them in the ClearPass MFA configuration.

6. Scroll down on the Details page to the Settings area. In the Name field, enter a preferred value for the name that will be shown to users in push notifications during authentication to verify logins.

Updating the MFA configuration in ClearPass 6.11.8 or later for web logins and Onboard:

1. If you have Duo MFA configured for web logins, in ClearPass Guest > Configuration > Pages > Web Logins scroll to the Multi-Factor Authentication area and select Duo Security – Two Factor Authentication as the provider. Notice that, in 6.11.8 and later, the legacy Duo AKEY and Duo Integration Key fields are no longer shown; the Duo Client ID field replaces them.

2. In the Duo Client ID, Duo Secret Key, and Duo API Hostname fields, enter the new credential values exactly as they were provided in the Duo Dashboard’s Details page. If any of the credential values are entered incorrectly, users’ logins will fail and they will see the error message “Configuration Error. Please contact your administrator.”

3. If you have Duo MFA configured for ClearPass Onboard, repeat these steps at ClearPass Onboard > Deployment and Provisioning > Provisioning Settings.

4. Go to Policy Manager > Administration > Server Manager > Server Configuration > Set Date & Time and verify that the ClearPass server's configured time is synchronized with the actual current time. If these times do not match after the new Duo credentials are created, then when a user logs in to ClearPass and initiates a Duo MFA request, Duo returns the error "Invalid request object: Request has expired."
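
The two failure modes named in the steps above (mistyped credentials and clock drift) can be checked on an administrator workstation before the values are pasted into ClearPass. This is an added example, not Aruba or Duo code; the 20- and 40-character lengths follow Duo's published Universal Prompt SDKs, while the hostname pattern, the 60-second tolerance, and all function names are assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CLIENT_ID_LEN = 20       # length checked by Duo's Universal Prompt SDKs
CLIENT_SECRET_LEN = 40   # length checked by Duo's Universal Prompt SDKs
# Assumption: the tenant uses an api-XXXXXXXX.duosecurity.com hostname.
API_HOST_RE = re.compile(r"^api-[0-9a-f]{8}\.duosecurity\.com$", re.IGNORECASE)
MAX_SKEW_SECONDS = 60    # assumed tolerance, not a documented Duo or ClearPass limit


def credential_problems(client_id, client_secret, api_host):
    """List problems with the copied values; the secret itself is never echoed."""
    problems = []
    fields = (("Duo Client ID", client_id),
              ("Duo Secret Key", client_secret),
              ("Duo API Hostname", api_host))
    for name, value in fields:
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
    if len(client_id.strip()) != CLIENT_ID_LEN:
        problems.append(f"Duo Client ID: expected {CLIENT_ID_LEN} characters")
    if len(client_secret.strip()) != CLIENT_SECRET_LEN:
        problems.append(f"Duo Secret Key: expected {CLIENT_SECRET_LEN} characters")
    host = api_host.strip()
    if "://" in host or "/" in host:
        problems.append("Duo API Hostname: enter the bare hostname, not a URL")
    elif not API_HOST_RE.match(host):
        problems.append("Duo API Hostname: unexpected format")
    return problems


def clock_skew_seconds(http_date_header, local_now):
    """Signed skew (local minus remote) from an HTTP Date header value."""
    remote = parsedate_to_datetime(http_date_header)
    return (local_now - remote).total_seconds()


def skew_ok(http_date_header, local_now):
    """True when the local clock is within the assumed tolerance."""
    return abs(clock_skew_seconds(http_date_header, local_now)) <= MAX_SKEW_SECONDS


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(credential_problems("DI" + "X" * 18, "s" * 40 + " ", "https://api-1a2b3c4d.duosecurity.com"))
    now = datetime(2024, 4, 1, 12, 10, 0, tzinfo=timezone.utc)
    print(skew_ok("Mon, 01 Apr 2024 12:00:00 GMT", now))
```

The `Date` value passed to `clock_skew_seconds` can be taken from any HTTPS response header returned by the Duo API hostname; compare it against the time shown on the ClearPass Set Date & Time page.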