VMware Cloud Community
SHamel5575
Enthusiast

vcenter MFA options

Since Duo is deprecating TLS 1.0 and 1.1 on June 30 (https://help.duo.com/s/article/7546?language=en_US) and the Duo ADFS plugin 2.x doesn't support OIDC, what is everyone using to provide MFA for vCenter login?

3 Replies
RajeevVCP4
Expert

SHamel5575
Enthusiast

Although both of those links are very informative, neither of them answers my question.

For more context, we are already using ADFS integration with Duo, but that no longer works because of Duo's change to their plugin and the enforcement of TLS 1.2.

So I'm looking for alternative solutions.

Tibmeister
Expert

Exact issue here, except upgrading the Duo Proxy to the latest code broke the OIDC, so what we ended up doing is turning on the LDAPS proxy on the Duo Proxy and pointing vCenter to that.

This link helped a lot: https://www.virtualizationhowto.com/2021/12/easy-vcenter-server-two-factor-authentication-without-ad... and the one piece that bound me up was setting the exempt_ou_1 to the service account you are using for the vCenter lookups; otherwise it will try to MFA the lookups.

Nice thing about this is that once set up, if you wanted to append the 6-digit PIN to the password (comma then PIN), that serves as the MFA and push doesn't need to happen; otherwise push happens.

Hope this helps.

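An added example, not part of any post in this thread: a pre-deployment check for the pitfall described in the last reply, confirming that the vCenter lookup account's DN is covered by an `exempt_ou_N` entry in the Duo Authentication Proxy config and that the LDAPS key and certificate are set. The sample config is constructed with placeholder hosts, keys, DNs and paths; option names other than `exempt_ou_1` follow Duo's `[ldap_server_auto]` settings as assumed here and should be confirmed against your proxy version.

```python
import configparser

# Constructed sample authproxy.cfg; hosts, keys, DNs and paths are placeholders.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.internal
service_account_username=svc-vcenter
search_dn=DC=example,DC=internal

[ldap_server_auto]
client=ad_client
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder
api_host=api-XXXXXXXX.duosecurity.com
ssl_port=636
ssl_key_path=ldaps.key
ssl_cert_path=ldaps.pem
exempt_ou_1=CN=svc-vcenter,OU=Service Accounts,DC=example,DC=internal
"""

def _rdns(dn):
    # Naive split: assumes no escaped commas inside RDN values.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def dn_is_exempt(bind_dn, exempt_dn):
    """True if bind_dn equals exempt_dn or sits beneath it in the tree."""
    b, e = _rdns(bind_dn), _rdns(exempt_dn)
    return bool(e) and len(b) >= len(e) and b[-len(e):] == e

def check_ldap_proxy(cfg_text, vcenter_bind_dn):
    """Return a list of findings, one per problem in each [ldap_server_auto*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("ldap_server_auto"):
            continue
        sec = cp[name]
        exempt = [v for k, v in sec.items() if k.startswith("exempt_ou_")]
        if not any(dn_is_exempt(vcenter_bind_dn, e) for e in exempt):
            findings.append(f"{name}: bind account not covered by exempt_ou_N; lookups will be sent for MFA")
        if not (sec.get("ssl_key_path") and sec.get("ssl_cert_path")):
            findings.append(f"{name}: ssl_key_path/ssl_cert_path missing; LDAPS cannot be served")
    return findings
```

Run `check_ldap_proxy()` with the text of your own `authproxy.cfg` and the DN vCenter binds with; an empty list means neither problem was found.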