VPN and DUO Authentication

Outage category: 
VPN
Location: 
All Campuses
Status: 
Open
Resolved alert: 
01/12/2021 8:30 am

During that time, people connecting to VPN would have experienced 5 DUO push notifications in rapid succession and an authentication timeout window of about 25 seconds.

Initial symptoms: 

Calls were received reporting that people could not access the VPN due to issues with Duo.

Duration: 
01/11/2021 3:00 am - 01/12/2021 8:30 am
Impact to Mason: 

During that time, people connecting to VPN would have experienced 5 DUO push notifications in rapid succession and an authentication timeout window of about 25 seconds. This is very similar to the problem that was observed Monday morning and occurred when an automatic process overwrote authentication timer configuration. Working with our vendor, we’ve applied a patch that will keep this configuration in place.

Affected Services: 
Virtual Private Network (VPN)
ROOT CAUSE ANALYSIS
Cause: 

ITS was changing from Cisco ISE to Aruba ClearPass authentication. There was an issue with how ClearPass handled the Duo process, because the Duo process requires user interaction.

Resolution: 

Aruba TAC configured a permanent fix.
Now that the problem is resolved, people connecting to VPN will receive at most 2 DUO push notifications for each login attempt – one immediately and a second one 30 seconds later if the first is not acted on. The total authentication timeout window to complete user/password and DUO 2FA is now 50 seconds.

Prevention: 

Aruba TAC configured a permanent fix.

STATISTICS
Service Team: 
NSENG, NSOPS