Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Changing Duo Credentials to the Universal Prompt
Starting with ClearPass 6.11.8, existing ClearPass multi-factor authentication Multi-factor authentication (MFA) lets you require multiple factors, or proofs of identity, when authenticating a user. Policy configurations define how often multi-factor authentication will be required, or conditions that will trigger it. (MFA) configurations that use the traditional Duo Prompt must be updated to use new Duo Universal Prompt credentials instead. This section provides instructions for creating the new Duo credentials and updating the ClearPass MFA configuration.
As of March 30, 2024, Duo Security no longer supports the traditional Duo Prompt. If you have existing traditional Duo Prompt configurations they will continue to work, but if support is needed it will not be provided. Duo will only provide support for the Universal Prompt on Duo Free, Duo Essentials, Duo Advantage, or Duo Premier. Duo made this change in order to replace the iFrame technology that was used to render the traditional prompt in the user’s browser with newer, safer methods for rendering the prompt. Duo will no longer support iFrame technology nor any dependencies on iFrame in the Duo Prompt.
As part of this change, customers who have existing ClearPass Guest and Onboard ClearPass application for automating 802.1x configuration and provisioning for “bring your own device” (BYOD) and IT-managed devices across wired, wireless, and virtual private networks (VPNs). Information Onboard collects during device onboarding is sent to Profiler and used for device category, family, and name classification. ClearPass Onboard configuration options are accessed through the Onboard module in the ClearPass Guest application. MFA configurations that use the traditional Duo Prompt must create new Duo Universal Prompt credentials and update their ClearPass MFA Duo configuration when they update to ClearPass 6.11.8 or later versions. This process is completed partly in Duo and partly in ClearPass, as described below. After March 30, 2024, if the customer performs a patch rollback from 6.11.8 to an earlier 6.11.x version, Duo integration will not work.
Creating the new credentials in Duo:
1. Go to https://signup.duo.com/ to create a new account.
2. After the account is created, go to https://admin.duosecurity.com and log in. The Duo Dashboard opens.
3. In the Duo Dashboard’s left navigation, go to and in the search field In a database or a user interface, a single item of information; attribute. enter the name of the application whose configuration you want to update. The Duo Dashboard shows a list of all similar names.
4. In the row for the application, click the link. The form Interactive page in the application where users can provide or modify data. opens.
5. The new , , and values are displayed. Copy these values carefully as you will need to supply them in the ClearPass MFA configuration.
6. Scroll down on the page to the area. In the field, enter a preferred value for the name that will be shown to users in push notifications during authentication Verification of a user’s credentials. Typically accomplished with a username and password, a one-time token, or a digital signature. to verify logins.
Updating the MFA configuration in ClearPass 6.11.8 or later for web logins and Onboard:
1. If you have Duo MFA configured for web logins, in scroll to the area and select as the provider. Notice that, in 6.11.8 and later, the legacy and fields are no longer shown and are now replaced by the field instead.
2. In the , , and fields, enter the new credential values exactly as they were provided in the Duo Dashboard’s page. If any of the credential values are entered incorrectly, users’ logins will fail and they will see the error message “Configuration Error. Please contact your administrator.”
3. If you have Duo MFA configured for ClearPass Onboard, repeat these steps at .
4. Go to and verify that the ClearPass server's configured time is synchronized with the actual current time. If these times do not match after the new Duo credentials are created, then when a user logs in to ClearPass and initiates a Duo MFA request, Duo returns the error "Invalid request object: Request has expired."
Was this information helpful?
Great! Thanks for the feedback
Sorry about that! How can we improve it? Send your comments and suggestions!