Duo Two-Step Login on the VPN


Overview


Follow the steps below to use the Duo two-step login with the campus VPN. General information about installing and configuring the UCSD VPN can be found on Virtual Private Networks (VPN) at UCSD.

Two-step login with the VPN requires either:

Some applications, such as the UCSD VPN, do not support a web interface to select the type of two-step login method or device you would like to use. For these types of applications, Duo Security's "append mode" is used which lets you specify the type of two-step login you would like to use with just a little bit of extra typing. 

More information about Duo's append mode can be found on Duo's Append Mode Guide.

Critical Concepts


Two-Step VPN Groups


You'll see various VPN groups when attempting to establish a connection. Faculty, staff, and students who are required to use two-step login to connect must use a group labeled "2-Step Secured." Otherwise, an error message will appear and the connection won't go through.

Steps to Take


  1. Open your VPN client and enter the following address: vpn.ucsd.edu
  2. Click Connect.
  3. Select a 2-Step Secured group.  Here are the common groups used:
    • 2-Step Secured - allthruucsd
      • Allthru means all of your web activity will route through the VPN (for example, performing a Google search then visiting FinancialLink). 
    • 2-Step Secured - split
      • Split means only your visits to UC San Diego sites will route through the VPN (for example, your visit to FinancialLink goes through VPN but your Google search doesn't).
  4. Enter your Active Directory username and password as usual, then be prepared to immediately complete the second step. 
  5. Duo two-step will automatically send two-step verification prompt to your devices in this order:
    • Duo push notification will be sent to the first device with Duo Mobile activated on your list of registered devices
    • If you do not have a device with the Duo Mobile app, you will need to follow the steps below on how to log into the VPN using the passcode method. 
    • Want to use a passcode or alternative method for two-step verification?  See the steps below for details.

Using a Passcode

  1. Open your VPN client like normal, choose vpn.ucsd.edu and click Connect.
  2. Select a 2-Step Secured group.  Here are the common groups used:
    • 2-Step Secured - allthruucsd
      • Allthru means all of your web activity will route through the VPN (for example, performing a Google search then visiting FinancialLink). 
    • 2-Step Secured - split
      • Split means only your visits to UC San Diego sites will route through the VPN (for example, your visit to FinancialLink goes through VPN but your Google search doesn't).
  3. Enter your Active Directory username and password as usual.  Don't click OK just yet! 
  4. Immediately after your password - no spaces - type a comma followed by the passcode.  Here is the format to follow: password,code
    • For example, if you password is 11g0@lscorer and your passcode is 562737 you would enter the following in the Password field: 11g0@lscorer,562737

Screenshot: VPN connection settings for 2-step

Using an Alternative Method

You can use a variation of the Passcode steps (listed above) if you want to use a different two-step method than the default method. For example, use these steps if you normally get a push notification but would like to receive a text message with passcodes instead:  

  1. Connect to the anyConnect client using the instructions above. 
  2. Enter your Active Directory username and password as usual.  Don't click OK just yet! 
  3. Immediately after your password - no spaces - type a comma followed by one of the corresponding words (see image below for an example): 
    • push  - Receive push notification (if Duo installed on phone & device registered) by entering: password,push
    • sms  -  Receive a batch of 10 passcodes via text (your first log in attempt will fail; perform a second login attempt following the Using a Passcode steps above): password,sms

If you have multiple devices registered - for example, a mobile phone and a backup tablet - you can select your backup device using a similar method as well. Please note that as of November 2022, phone call options will be removed from Duo and you will not be able to register devices for phone only, including landlines.

To select another device, simply add the number of the device to trigger it - for example push1, push2, push3.  The number of the phone will correspond to the order it is listed on the Duo Registration Portal (duo.ucsd.edu).  For example, if you had 3 devices listed, the phone at the top would be 1, the next phone directly below would be 2, and the last phone would be 3.

This is called the "append method" and more information is available on Duo's Knowledge Base.

Screenshot: VPN connection settings for 2-step

If you still have questions or need additional assistance, please contact the ITS Service Desk. You can call us at (858) 246-4357, email us at support@ucsd.edu, or submit a ticket at support.ucsd.edu.