
Zero Trust & Duo MFA Support FAQs


Access Denied

Issue: Unable to access the Duo SSO protected application.

Solution: There are several reasons why you might encounter an 'Access denied' error. One common reason is that your username is not a member of an authorized Active Directory (AD) group configured for that application. Please contact the application's support team to determine the AD group and request that your username be added to it for access. Another possibility is that your username has been disabled in the Duo identity provider.

To find out the reason and fix this issue, kindly open a support case with Help@Cisco support.

Account Disabled

Issue: Account disabled; unable to access any SSO protected applications, for example Outlook, VPN, Cisco Directory, Office365, SharePoint pages, etc.

Solution: There are a couple of possible states you could be in that prevent you from authenticating in this scenario.

[A] If you make 6 consecutive failed MFA authentication attempts, Duo will lock you out for some time. If you access the application during this time, you will see this error message. Please try again later. If you are still unable to log in, open a support ticket here for further investigation of the incident.

[B] When your account is disabled in Microsoft Azure AD, you won't be able to log on and access to the application will be denied. To verify this you'll need to check with the Directory Services support.

Device Not Allowed

Issue: Cisco zero trust policy does not allow access from the device you are using to access the application.

Solution: The application you are attempting to access is Zero Trust enabled. To access it, you need a Cisco trusted device. Please ensure that your devices are Cisco managed. The instructions for managing your devices are provided below.

Get your Mac device trusted

Get your Windows PC trusted

Get your mobile device trusted

If none of the instructions worked, open a support case through HelpZone.

Firewall not enabled

Issue: 'Firewall not turned ON' error while accessing any Duo SSO protected application.

Solution: The endpoint device health check is enabled for the application you are trying to access. Please make sure the firewall is enabled.

If you're on macOS, go to Settings >> Network and click the toggle to turn on the firewall.

If you're using Windows, click the 'Open Duo Desktop' button on the error page and follow the instructions described in the Duo Device Health application pop-up.

Browser Certificate Missing

Issue: Multi-Factor Authentication from Samsung mobile phones sometimes doesn't let you log in.

Solution: Password, PIN, or pattern authentication must be enabled in order for Android devices to be considered encrypted by Duo. For more information on the resolution, please check out this documentation on enabling Secure Startup for Samsung devices.

If you still need support advice, please open a ticket here.

Screen lock required

Issue: I am unable to log in to the Duo SSO protected application. I receive an error message stating that a screen lock is required during login.

Solution: This is usually caused by the device not having password, PIN, or pattern authentication enabled at startup.

Please review the settings of your phone and enable the screen lock on your device to fix this issue.

Something went wrong

Issue: I encounter an error during the authentication process. I provide my email address and password, but immediately after, I receive this error.

Solution: If you see the message "Something went wrong" during the multi-factor authentication process, it means that the browser is unable to communicate with the Duo device health application installed on your desktop/laptop. Try opening the Duo device health app and logging in again.

If you are still unable to log in, please open a support ticket here.

Browser Certificate Missing

Issue: The Duo desktop application will display an error message indicating that the browser communication certificate is missing. This error will prevent you from logging in to any Cisco SSO protected application.

Solution: If your device's certificate keychain does not have a trusted 127.0.0.1 certificate (loopback) or if you have a duplicate loopback certificate, you may encounter this issue. To resolve this error, please contact MFA support by opening a ticket here.

You may be asked by IT support to reboot your laptop/device a couple of times to fix this issue.

Full disk encryption

Issue: I am unable to access the Duo SSO protected application because Duo has detected that my device is not fully encrypted.

Solution: Mobile device encryption helps keep the data on your device secure. Duo considers your device encrypted when you enable password, PIN, or pattern authentication at startup. Without this setting, your device encryption is less secure, and you might not be able to access Duo-protected services or applications.

To enable encryption on your Android Device:
[1] Navigate to Settings → Security → Screen Lock.

[2] Enable password, PIN, or pattern to be required upon device startup.

[3] If you have a Samsung Device, you will additionally need to enable "Secure startup" or "Strong Protection" from your device's settings and require a PIN at device startup.

[4] Close and reopen Duo Mobile.

If you are still unable to log in, please open a support ticket here.

Tampered Device

Issue: Your Android / iOS mobile device is tampered with or jailbroken.

Solution: Cisco's zero trust policies prohibit access to SSO protected applications from tampered or rooted/jailbroken devices due to security risks. If you encounter these issues, you can configure Duo push from a non-jailbroken/tampered device. Alternatively, you can set up passwordless authentication on your device using TouchID / Windows Hello.

To learn more about passwordless authentication, visit here.

If you have a YubiKey, you can use it as an alternative to Duo push on a jailbroken or tampered device. To configure YubiKey 2FA please visit here.

Install Duo Desktop

Issue: You encounter an error with the 'Install Duo Desktop' app when logging in from applications that use an embedded browser, such as VPN, Webex Teamspace, O365 Outlook, etc.

Solution: There are a couple of reasons you might encounter this error.

[A] You don't have the Duo desktop application installed on your device. Click on the "Download Duo Desktop" button to install it. If you think it's already installed, then click on the 'Open the app' link from the error page. This will forcefully invoke the Duo desktop application to open.

[B] The browser communication is blocked for the Duo desktop application. Please collect the debug logs and provide this information to the support advisor by following these steps here.

If you are still unable to log in, please open a support ticket here.

No Password Set

Issue: No password set error while accessing Duo SSO protected application.

Solution: The endpoint ZT device health check is enabled for the application you are trying to access. Please ensure that the system password is set. To resolve this issue, follow the steps below:

On Windows,
1. Open the Control Panel and search for "Advanced sharing settings".
2. Click on "Manage advanced sharing settings".
3. Make sure that the Password Protected Sharing option is set to ON.
4. File sharing connections should be set to 128-bit.
5. Sign out and sign back in.

On Mac, follow the onscreen instructions.

If you still need assistance, open a support case with Help@Cisco support.

Duo Push timed out

Issue: I am able to perform the first factor authentication, but during the second factor authentication, a push request is sent to my mobile. However, my mobile never receives it and eventually times out.

Solution: A Duo push request is valid for 60 seconds. If you do not approve or deny the request that was sent to your mobile device, the request will time out. In most cases the browser sends the push authentication request to your device, but your device never receives it.

Follow the instructions/troubleshooting steps mentioned in this article for Android or iOS.

If you still need support assistance, please open a case here.

Invalid passcode

Issue: When Cisco IT provides you with a bypass code and the code isn't working as expected, you get these errors.

Solution:
You are being prompted to enter a bypass code if none of the accepted options registered in your Duo profile are working as expected.

You will need a temporary bypass code in order to log in and access the following documentation:

1. Ordering a YubiKey: YubiKey Basics

2. CEC article #1 on YubiKeys: Remember Bob? He Finally Got a YubiKey. You Should Too.

3. CEC article #2 on YubiKeys: cccccckdcnteghinutirdsdfdgdf

Please contact IT support to obtain the "new bypass code" when you get this error.

Not enrolled in Duo

Issue: You are attempting to access a Duo SSO protected application, but after the first factor authentication, you encounter a Duo error stating 'Not enrolled in Duo'.

Solution: All workforce users, including generic users, must configure and use two-factor authentication (2FA) to access any Cisco IT applications. If the user ID you are trying to log in with is not enrolled, you will receive an error.

To learn how to enroll for a generic user, click here.

To learn how to enroll for a Cisco workforce user, click here.

If you still need support assistance, please open a case here.

Something Unexpected Error

Issue: Something unexpected happened. An error appears in the Duo mobile application. I am unable to receive Duo Push notifications.

Solution: This error typically indicates an issue with your Duo Mobile app. It may be due to a technical glitch or a connectivity problem. If you encounter this message, try restarting the app, checking the internet connection, switching Wi-Fi networks, and ensuring that the device's operating system and the Duo Mobile app are up to date.

If the issue persists, contact support for further troubleshooting.

Support Contact

MFA support Webex teamspace : Join this space and ask your questions.

AI support bot : Zero Trust and Duo MFA support bot.

Contact for MFA support ticket : Multi-Factor Authentication - Duo MFA.

Contact for Zero Trust support ticket : Zero Trust.

Email : duomfa@cisco / disco@cisco.com / zerotrust@cisco.com

Dial in for support : please visit the Contact Numbers page (requires Cisco login access).

The Duo Push/Duo Mobile app used to work but is no longer working. I am not receiving Push Notifications.
Please make sure your mobile device is connected to the internet.
Ensure your Duo Mobile app has your Cisco account linked.
If you do not receive a notification, try opening the Duo Mobile app to check for a notification.
If none of the options work, contact Cisco IT support.

The Duo MFA prompt is only giving me the option to enter a bypass code. I do not have a bypass code.
You are being prompted to enter a bypass code if none of the accepted options are registered in your Duo profile. You will need a temporary bypass code from Cisco IT to access the applications or configure the MFA.