How to use the VPN with Duo MFA?


The University of Idaho VPN service requires using MultiFactor Authentication (MFA). This article covers how to use various Duo MFA authentication methods.


Default Duo Mobile Push Notification

By default, after entering a username and password to sign-in, a Duo mobile "push notification" will be sent to your primary device to approve the authentication. This method is recommended but it is possible to use the alternative methods described below using "append" mode.


Can I use a passcode or hardware token to connect to the VPN?

Yes, passcodes and hardware tokens are supported for VPN connections by using "Append Mode". To use Append Mode, enter your username into the VPN connection prompt as you would normally do, then enter your password followed by a comma (",") and then the passcode. If your password was G0Vandals and the passcode you wanted to use was 123456, this would become G0Vandals,123456. When you click "Connect", the VPN will complete the connection process without sending a Duo Push. Passcodes can be obtained from the Duo Mobile app, from SMS backup codes, from a hardware token or a bypass code provided by your TSP, System Administrator or the Student Technology Center.


Can I use a phone call with Duo and the VPN?

If you have not enabled Secure MFA, you can receive phone calls from Duo to complete your authentication when logging in to the VPN. If you have a landline phone or a mobile phone number (not the Duo app) enrolled, Duo automatically dials the phone number when you login. However, if you have the Duo mobile app on an enrolled mobile device, Duo sends a push notification to the mobile app by default. Duo only dials a phone number automatically if you do not have the Duo app enrolled in your account.

If you have enabled Secure MFA, you cannot use a phone call or SMS code to approve any login attempt.

If you have multiple phones or phone numbers enrolled, Duo will dial the first one by default. If you want to receive a call on a different phone number, you can specify which one using a method similar to "Append Mode". For example, to receive a phone call at the second phone you enrolled, enter your username into the VPN connection prompt as you would normally do, enter your password followed by a comma (",") and then "phone2" without quotes. You can specify the phone using phone1, phone2, phone3, etc, depending on how many phone numbers you have enrolled. The first or oldest phone number currently associated with your account is assigned phone1, the next oldest is phone2, and so on.


Append Mode Options

Type... To...
password Use the default Duo mobile push notification.
password,passcode Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.
Examples: "Strong-password,123456" or "Strong-Password1$3,1456789"
password,push Push a login request to your phone (if you have Duo Mobile installed and activated on your iOS or Android device). Just review the request and tap "Approve" to log in.
password,phone Authenticate via phone callback.
password,sms Get a new batch of SMS passcodes.
Your login attempt will fail — log in again with one of your new passcodes.



100% helpful - 2 reviews
Print Article


Article ID: 875
Wed 6/13/18 8:50 AM
Tue 5/14/24 1:22 PM

Related Articles (16)

Current VPN solution and its uses.
Information on DUO tokens
This tutorial goes over how to set up the UI Cisco Any Connect VPN onto a Linux machine.
This tutorial explains how to set up the UI VPN for a machine running OS X.
This tutorial explains how to set up VPN for an iOS device.
Setting up VPN for Android.
This is a tutorial for how to add and manage your Duo devices.
This article contains resources and information to enroll and implement multi-factor authentication at U of I.