Description: Access Server applies the Duo post-auth script globally, but you may want to remove Duo MFA from either the "openvpn" account or other user accounts.
You can accomplish this in one of two ways, both explained in detail below:
Method #1 — Set user to "bypass" in Duo
You can define "openvpn" or any of your users as Bypass Users in Duo.
- Sign in to your Duo admin dashboard.
- Click Users.
- Click the specific user, such as openvpn.
- Under Status, check the radio button for Bypass.
- Click Save Changes.
You've modified the user and can see them noted as a bypass user from the Duo dashboard.
Method #2 — Disable post-auth for the user from the Access Server command line
You can use the 'prop_pas_disabled' directive to disable post-auth for a specific user:
- Connect to your Access Server CLI (through terminal, using SSH, or using an app such as PuTTY).
- Enter the following commands, where "openvpn" is the user that you want to bypass the post-auth script (Duo). The 'prop_pas_disabled' directive disables the Duo post-auth script for that user:
sudo su
cd /usr/local/openvpn_as/scripts
./sacli -u openvpn -k 'prop_pas_disabled' -v 'true' UserPropPut
./sacli start
Note: You must be on Access Server version 2.10 or newer. If you have any other post-auth scripts in use, the command disables those as well.
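Because Method #2 leaves an account without MFA, it is worth reviewing which accounts have the directive set. The following is an added example, not part of the original article or of Access Server itself: it parses the JSON printed by ./sacli UserPropGet and lists every record with 'prop_pas_disabled' set to true. The sample data, the function names, the script name and the approved-exception list are assumptions made for illustration.

```python
import json
import sys

# Constructed sample of `./sacli UserPropGet` JSON output (not from a real server).
SAMPLE_USERPROP_JSON = """
{
  "__DEFAULT__": {"type": "group_default", "prop_autogenerate": "true"},
  "openvpn": {"type": "user_compile", "prop_superuser": "true",
              "prop_pas_disabled": "true"},
  "alice": {"type": "user_connect", "prop_pas_disabled": "false"},
  "svc-backup": {"type": "user_connect", "prop_pas_disabled": "True"},
  "bob": {"type": "user_connect"}
}
"""


def _is_true(value):
    """Properties are stored as strings; accept real booleans too."""
    return str(value).strip().lower() == "true"


def find_post_auth_bypass(userprop_json, approved=()):
    """Return records whose prop_pas_disabled is true, sorted by name.

    Each finding notes whether the account is an admin (prop_superuser)
    and whether it is on the caller's approved-exception list.
    """
    findings = []
    for name, props in sorted(json.loads(userprop_json).items()):
        if not isinstance(props, dict):
            continue  # ignore anything that is not a property record
        if not _is_true(props.get("prop_pas_disabled", "false")):
            continue
        findings.append({
            "name": name,
            "type": props.get("type", "unknown"),
            "superuser": _is_true(props.get("prop_superuser", "false")),
            "approved": name in approved,
        })
    return findings


def unapproved(findings):
    """Names that bypass post-auth without being on the approved list."""
    return [f["name"] for f in findings if not f["approved"]]


if __name__ == "__main__":
    # Hypothetical usage: ./sacli UserPropGet | python3 audit_pas_bypass.py openvpn
    data = SAMPLE_USERPROP_JSON if sys.stdin.isatty() else sys.stdin.read()
    results = find_post_auth_bypass(data, approved=set(sys.argv[1:]))
    for finding in results:
        print(finding)
    sys.exit(1 if unapproved(results) else 0)
```

The script exits non-zero when an account bypasses post-auth without being named on the command line, so it can run from a scheduled job and alert on drift.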
If you have additional questions, please submit a ticket.