Vault: Setting Vault MFA Duo config for username_format

Created on 11 Nov 2016 · 1 comment · Source: hashicorp/vault

Currently trying to update the Duo config for our auth backend. I'm unsure about how to modify the username before passing it along to Duo. The documentation at https://www.vaultproject.io/docs/auth/mfa.html shows that I should be able to modify the Duo config as:

$ vault write auth/userpass/duo/config username_format="%[email protected]"
Success! Data written to: auth/userpass/duo/config

$ vault read auth/userpass/duo/config
Key             Value
---             -----
username_format %[email protected]

However, when trying to log in, it fails to authenticate with Duo. Our Duo users list contains "[email protected]", but Vault can't authenticate with John.

$ vault auth -method=userpass username=john

Password (will be hidden):
Error making API request.

URL: PUT https://vault.example.com/v1/auth/userpass/login/john
Code: 400. Errors:

* Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.


Creating a Duo user named john solves the problem, but leads me to believe that Vault is passing along the username without the username_format.

Has anybody run into this issue recently, where the username_format doesn't seem to be used? Looking for any guidance or help, much appreciated.


EDIT: Making a note here that the username_format replacement works, but only if there isn't an @ symbol. Possibly a problem when the API tries to pass along an @ symbol?

$ vault read auth/userpass/duo/config
Key             Value
---             -----
username_format %sn

$ vault write auth/userpass/users/joh password=password
Success! Data written to: auth/userpass/users/joh

$ vault auth -method=userpass username=joh
Password (will be hidden):
Successfully authenticated! You are now logged in.

So, username_format is correctly adding n to username joh, where Duo user john exists.

With Duo user [email protected], the situation doesn't work.

$ vault read auth/userpass/duo/config
Key             Value
---             -----
username_format %[email protected]

$ vault write auth/userpass/users/joh password=password
Success! Data written to: auth/userpass/users/joh

$ vault auth -method=userpass username=joh
Password (will be hidden):
Error making API request.

URL: PUT https://vault.betterment.qa/v1/auth/userpass/login/joh
Code: 400. Errors:

* Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.

Most helpful comment

Solved! Problem existed on my Duo application configuration.

For anybody who runs into a similar issue, make sure that your Duo application has the Username Normalization set to None. By using Simple, the @ symbol is not interpreted correctly.

