Duo Two-Step Login on the VPN


Overview


Follow the steps below to use the Duo two-step login with the campus VPN. General information about installing and configuring the UCSD VPN can be found on Virtual Private Networks (VPN) at UCSD.

Two-step login with the VPN requires either:

Some applications, such as the UCSD VPN, do not support a web interface to select the type of two-step login method or device you would like to use. For these types of applications, Duo Security's "append mode" is used which lets you specify the type of two-step login you would like to use with just a little bit of extra typing. 

More information about Duo's append mode can be found on Duo's Append Mode Guide.

 

Critical Concepts


Two-Step VPN Groups

You'll see the following VPN groups listed below when attempting to establish a connection. Faculty, staff, and students who are required to use two-step login to connect must use a group labled "2-Step Secured." Otherwise, an error message will appear and the connection won't go through. Those who aren't required to use two-step login can use any group; however, "2-Step Secured" groups require use of two-step login.  

Groups

Steps to Take


  1. Open your VPN client and enter the following address: vpn.ucsd.edu
  2. Click Connect.
  3. Select a 2-Step Secured group.  Here are the common groups used:
    • 2-Step Secured - allthruucsd
      • Allthru means all of your web activity will route through the VPN (for example, performing a Google search then visiting FinancialLink). 
    • 2-Step Secured - split
      • Split means only your visits to UC San Diego sites will route through the VPN (for example, your visit to FinancialLink goes through VPN but your Google search doesn't).
  4. Enter your Active Directory username and password as usual, then be prepared to immediately complete the second step. 
  5. Duo two-step will automatically send two-step verification prompt to your devices in this order:
    • Duo push notification will be sent to the first device with Duo Mobile activated on your list of registered devices
    • If you do not have a device with Duo Mobile app, a phone call will be sent to the first phone on your list of registered devices.
    • Want to use a passcode or alternative method for two-step verification?  See the steps below for details.

Using a Passcode

  1. Open your VPN client like normal, choose vpn.ucsd.edu and click Connect.
  2. Select a 2-Step Secured group.  Here are the common groups used:
    • 2-Step Secured - allthruucsd
      • Allthru means all of your web activity will route through the VPN (for example, performing a Google search then visiting FinancialLink). 
    • 2-Step Secured - split
      • Split means only your visits to UC San Diego sites will route through the VPN (for example, your visit to FinancialLink goes through VPN but your Google search doesn't).
  3. Enter your Active Directory username and password as usual.  Don't click OK just yet! 
  4. Immediately after your password - no spaces - type a comma followed by the passcode.  Here is the format to follow: password,code
    • For example, if you password is 11g0@lscorer and your passcode is 562737 you would enter the following in the Password field: 11g0@lscorer,562737

Screenshot: VPN connection settings for 2-step

Using an Alternative Method

You can use a variation of the Passcode steps (listed above) if you want to use a different two-step method than the default method. For example, use these steps if you normally get a push notification but would like to receive a call instead.  

  1. Open your VPN client and enter the following address: vpn.ucsd.edu
  2. Click Connect.
  3. Select a 2-Step Secured group.  Here are the common groups used:
    • 2-Step Secured - allthruucsd
      • Allthru means all of your web activity will route through the VPN (for example, performing a Google search then visiting FinancialLink). 
    • 2-Step Secured - split
      • Split means only your visits to UC San Diego sites will route through the VPN (for example, your visit to FinancialLink goes through VPN but your Google search doesn't).
  4. Enter your Active Directory username and password as usual.  Don't click OK just yet! 
  5. Immediately after your password - no spaces - type a comma followed by one of the corresponding words (see image below for an example): 
    • push  - Receive push notification (if Duo installed on phone & device registered) by entering: password,push
    • phone  -  Receive call by entering: password,phone
    • sms  -  Receive a batch of 10 passcodes via text (your first log in attempt will fail; perform a second login attempt following the Using a Passcode steps above): password,sms

If you have multiple devices registered - for example, a mobile phone and a backup office phone - you can select your backup device using a similar method as well.  To select another device, simply add the number of the device to trigger it - for example phone1, phone2, phone3 to call these phones.  You can also add the number of the phone to the other commands, for example push1, push2, push3.  The number of the phone will correspond to the order it is listed on the Duo Registration Portal (duo-registration.ucsd.edu).  For example, if you had 3 devices listed, the phone at the top would be 1, the next phone directly below would be 2, and the last phone would be 3.   

This is called the "append method" and more information is available on Duo's Knowledge Base.

Screenshot: VPN connection settings for 2-step

If you still have questions or need additional assistance, please submit a ticket or call the ITS Service Desk at (858) 246-4357