Teams + Duo integration: Restrict by 'network (IP ranges)' not supported by 1Password

DariusR
Community Member
edited May 2018 in Business and Teams

Hello,

We are using 1Password Teams with a Duo Security 'Duo Access' level account, largely to expose the policy-based access control features.
The features outlined here do not work with 1Password Teams: https://duo.com/docs/policy#networks-policy-settings

If, for example, I create a policy to "Allow access without 2FA from this network", using our static IP, check the "Require enrollment from this network" option, and then check the "Deny access from all other networks" feature, the ability to log in is completely broken.

The resulting log entry is a 'blocked' login attempt from an 'unknown app' from IP 0.0.0.0

The 'unknown app' in this case is 1Password6 for Windows, and the IP should be getting listed as the static WAN IP we are attempting access from.

If I uncheck the "deny access from all other networks" feature, then suddenly the authentication is able to pass and the app and IP are correctly identified.

Is there any chance of getting this feature working?

Thank you,
Darius



Comments

  • Is there any chance of getting this feature working?

    Yes. I've been meaning to test it here as I've been curious to see if it works or not. Thanks for saving me a bit of time. Does it work when you're using 1Password for Web? I suspect that we're not sending up the IP address to Duo when you're doing Duo from Windows or the command line tool, but I would expect their WebSDK to do all of that work for us.

    I've filed issue 4335 in our tracker so that we can take a look at this.

    Rick

  • DariusR
    Community Member

    @rickfillion It sounds like that's probably it.

    I'll test the behaviour today with a restricted user to see what happens.

    If screenshots from Duo showing the 'block' errors would help, we could move this to email.

    Darius

  • It can't hurt. Send them to rick@agilebits.com.

    Thanks

    Rick

  • DariusR
    Community Member

    Just wanted to update this to say that it appears to all be working now.

    Thank you Rick!

  • That's great to hear. Thanks for the update!

    Rick

This discussion has been closed.