MFA on Global User Account

npatterson how have you implemented MFA on the domain accounts using LDAP? Is this for web based logins?

Yes, I used Cisco DUO using authentication proxy with LDAPs.  This only works with domain accounts,s not global accounts thought.

this is for ftp and web based with no issues.

Could you show us a screenshot of how your global accounts are set up? I dont think there is an option for LDAP outside of a domain. What is the purpose of the Global Accounts you have setup?

Could you show us a screenshot of how your global accounts are set up? I dont think there is an option for LDAP outside of a domain. What is the purpose of the Global Accounts you have setup?

I have 2 global accounts for the administration of all domains.  I have 3 domains account set up for customers, internal employees, and testing.  

2 global admins have complex passwords and have alerts when logged in to my email.

Customer domains are setup to an LDAP server configured for customers we have

Employee domain are setup with duo LDAP for file sharing and SFTP access

The testing account is used for configuration changes I test before moving to production. 

Thanks for the info, have you created your global administrators at the Server level or Domain level. It is possible to have 'Global Administrators' within a domain rather than specifying them at the global level in Serv-U. Maybe this will help you use the same MFA method you have in place for domain users?

The problem I have is LDAP users can not have admin privileges. MFA only works on LDAP users currently.  Not on domain users as it authenticates via MFT not DUO.

Ahh I understand now. One option you could do as a workaround is to add IP Access rules on the domain users, then they cannot login even if the password was used.

Or, create a separate domain for admin users and only have a listener on a local LAN IP, and optionally add IP Access rules at the domain level.

Thanks for the idea I test this with the Test domain for the use case and let you know.