Zero Trust & Duo MFA Support FAQs

Passwordless & Passkeys

Access Denied

Issue: Prompted with No Login Options when signing in to an application or website.

Solution: The application or site you're trying to access requires a Duo Passwordless login method for authentication. Click on Manage Devices to add a Passwordless login option using Windows Hello, TouchID for Mac, a YubiKey with PIN, or a mobile passkey. See Duo Passwordless Setup for more information.

Windows: Problem saving your passkey

Issue: On Windows, when trying to configure a new Duo login for Windows Hello, you get an error from Windows Security that there was a problem saving your passkey.

Solution: This can happen if there is an issue with the Windows Hello configuration. Please verify that Windows Hello is properly set up and try the Duo setup again. See Duo Passwordless Setup for details.

Zero Trust issues

Access Denied

Issue: Unable to access the Duo SSO protected application.

Solution: There are several reasons why you might encounter an 'Access denied' error. One common reason is that your username is not a member of an authorized Active Directory (AD) group configured for that application. Please contact the application support team to determine the AD group and request that your username be added to it for access. Another possibility is that your username has been disabled in the Duo identity provider.

To find out the reason and fix this issue, reach out to Help@Cisco for support.

Account Disabled

Issue: Account disabled; unable to access any SSO protected applications, for example Outlook, VPN, Cisco Directory, Office365, SharePoint pages, etc.

Solution: There are a couple of possible states in this scenario that prevent you from being able to authenticate.

[A] After 6 consecutive failed login attempts using multi-factor authentication (MFA), Duo SSO will temporarily lock your account. During this lockout period, you'll see this error message if you try to access the application. Please wait a short while and try logging in again. If you continue to have problems, please reach out to support for assistance here.

[B] If your Cisco AD account is disabled, you'll be unable to log in and access Duo SSO protected applications. To confirm your account status and restore access, please contact Directory Services support.

Device Not Allowed

Issue: Cisco zero trust policy does not allow access from the device you are using to access the application.

Solution: The application you are attempting to access is Zero Trust enabled. To access it, you need a Cisco trusted device. Please ensure that your devices are Cisco managed. The instructions for managing your devices are provided below.

Get your Mac device trusted

Get your Windows PC trusted

Get your mobile device trusted

Firewall not enabled

Issue: A "Firewall not turned ON" error appears while accessing any Duo SSO protected application.

Solution: The endpoint device health check is enabled for the application you are trying to access. Please make sure the firewall is enabled.

If you're on macOS, go to Settings >> Network and click the toggle to turn on the firewall.

If you're using Windows, click the 'Open Duo Desktop' button on the error page and follow the instructions in the Duo Device Health application pop-up.

Browser Certificate Missing

Issue: Multi-Factor Authentication from Samsung mobile phones sometimes doesn't let you log in.

Solution: Password, PIN, or pattern authentication must be enabled in order for Android devices to be considered encrypted by Duo. For more information on the resolution, please check out this documentation on enabling Secure Startup for Samsung devices.

Screen lock required

Issue: I am unable to log in to the Duo SSO protected application. I receive an error message stating that a screen lock is required during login.

Solution: This is usually caused by the device not having password, PIN, or pattern authentication enabled at startup.

Please review the settings of your phone and enable the screen lock on your device to fix this issue.

Something went wrong

Issue: I encounter an error during the authentication process. I provide my email address and password, but immediately after, I receive this error.

Solution: If you see the message "Something went wrong" during the multi-factor authentication process, it means that the browser is unable to communicate with the Duo device health application installed on your desktop/laptop. Try opening the Duo device health app and logging in again.

Browser Certificate Missing

Issue: The Duo desktop application will display an error message indicating that the browser communication certificate is missing. This error will prevent you from logging in to any Cisco SSO protected application.

Solution: You may encounter this issue if your device's certificate keychain does not have a trusted 127.0.0.1 (loopback) certificate, or if you have a duplicate loopback certificate. To resolve this error, please reach out to support here.

You may be asked by IT support to reboot your laptop/device a couple of times to fix this issue.

Full disk encryption

Issue: I am unable to access the Duo SSO protected application because Duo has detected that my device is not fully encrypted.

Solution: Mobile device encryption helps keep the data on your device secure. Duo considers your device encrypted when you enable password, PIN, or pattern authentication at startup. Without this setting, your device encryption is less secure, and you might not be able to access Duo-protected services or applications.

To enable encryption on your Android device:
1. Navigate to Settings > Security > Screen Lock.
2. Enable password, PIN, or pattern to be required upon device startup.
3. If you have a Samsung device, you will additionally need to enable "Secure startup" or "Strong Protection" from your device's settings and require a PIN at device startup.
4. Close and reopen Duo Mobile.

Tampered Device

Issue: Your Android / iOS mobile device is tampered or jailbroken.

Solution: Cisco's zero trust policies prohibit access to SSO protected applications from tampered or rooted/jailbroken devices due to security risks. If you encounter these issues, you can configure Duo push from a device that is not jailbroken or tampered. Alternatively, you can set up passwordless authentication on your device using TouchID / Windows Hello.

Learn more about passwordless authentication.

If you have a YubiKey, you can use it as a 2FA alternative to Duo push on a jailbroken or tampered device.

Install Duo Desktop

Issue: You encounter an error with the 'Install Duo Desktop' app when logging in from applications that use an embedded browser, such as VPN, Webex Teamspace, O365 Outlook, etc.

Solution: There are a couple of reasons you might encounter this error.

[A] You don't have the Duo desktop application installed on your device. Click on the "Download Duo Desktop" button to install it. If you think it's already installed, then click on the 'Open the app' link from the error page. This will forcefully invoke the Duo desktop application to open.

[B] The browser communication is blocked for the Duo desktop application. Please collect the debug logs and provide this information to the support advisor by following these steps.

No Password Set

Issue: A "No password set" error appears while accessing a Duo SSO protected application.

Solution: The endpoint ZT device health check is enabled for the application you are trying to access. Please ensure that the system password is set. To resolve this issue, follow the steps below:

On Windows:
1. Open the Control Panel and search for "Advanced sharing settings".
2. Click on "Manage advanced sharing settings".
3. Make sure that the Password Protected Sharing option is set to ON.
4. File sharing connections should be set to 128-bit.
5. Sign out and sign back in.

On Mac, follow the onscreen instructions.

MFA (2FA) Issues

Duo Push timed out

Issue: I am able to perform the first factor authentication, but during the second factor authentication, a push request is sent to my mobile. However, my mobile never receives it and eventually times out.

Solution: A Duo push request is valid for 60 seconds. If you do not approve or deny the request that was sent to your mobile device, the request will time out. In most cases, the browser sends the push authentication request to your device but your device never receives it.

Follow the instructions/troubleshooting steps mentioned in this article for Android or iOS.

Invalid passcode

Issue: When Cisco IT provides you with a bypass code and the code isn't working as expected, you get these errors.

Solution:
You are being prompted to enter a bypass code if none of the accepted options registered in your Duo profile are working as expected.

You will need a temporary bypass code in order to log in and access the following documentation:

1. Ordering a YubiKey: YubiKey Basics

2. Cisco Bridge article #1 on YubiKeys: Remember Bob? He Finally Got a YubiKey. You Should Too.

3. Cisco Bridge article #2 on YubiKeys: cccccckdcnteghinutirdsdfdgdf

Please contact IT support to obtain the "new bypass code" when you get this error.

Not enrolled in Duo

Issue: You are attempting to access a Duo SSO protected application, but after the first factor authentication, you encounter a Duo error stating 'Not enrolled in Duo'.

Solution: All workforce users, including generic users, must configure and use two-factor authentication (2FA) to access any Cisco IT applications. If the user ID you are trying to log in with is not enrolled, you will receive an error.

To learn how to enroll for a generic user, click here.

To learn how to enroll for a Cisco workforce user, click here.

If you still need support assistance, reach out to support here.

Something Unexpected Error

Issue: Something unexpected happened. An error appears in the Duo mobile application. I am unable to receive Duo Push notifications.

Solution: This error typically indicates an issue with your Duo Mobile app. It may occur due to a technical issue or connectivity problem. If you encounter this message, try restarting the app, checking the internet connection, switching Wi-Fi networks, and ensuring that the device's operating system and the Duo Mobile app are up to date.

If the issue persists, contact support for further troubleshooting.

FAQs

The Duo Push/Duo Mobile app used to work but is no longer working. I am not receiving Push Notifications.
Please make sure your mobile device is connected to the internet.
Ensure your Duo Mobile app has your Cisco account linked.
If you do not receive a notification, try opening the Duo Mobile app to check for a notification.
If none of these options works, contact Cisco IT support.

The Duo MFA prompt is only giving me the option to enter a bypass code. I do not have a bypass code.
You are being prompted to enter a bypass code if none of the accepted options are registered in your Duo profile. You will need a temporary bypass code from Cisco IT to access the applications or configure the MFA.

Support Contacts

Duo MFA passwordless support Webex space: Join this space and ask your questions.

AI support bot: Zero Trust and Duo MFA support bot.

Call for support / Chat through helpzone for Multi-Factor Authentication - Duo MFA or Zero Trust.

Email support: duomfa@cisco.com / disco@cisco.com / zerotrust@cisco.com

Dial in for support: Please visit the contact numbers page (requires Cisco login access).