topic Re: Removing second password option from AnyConnect in Network Security

Removing second password option from AnyConnect

Asfandyar70754 — Mon, 20 Dec 2021 07:02:57 GMT

Hey guys,

I have configured AnyConnect VPN on my ASA to use Cisco DUO 2fa,

Cisco ASA SSL VPN for Browser and AnyConnect.

It is working alright, I am getting the push and am able to use VPN. While connect VPN I have a send password field and I have to enter push, callback, sms. in order to get a push or sms.

I wanted to know if it is possible to remove the second password field and get a push for all users.

Re: Removing second password option from AnyConnect

Marvin Rhoads — Mon, 20 Dec 2021 07:17:22 GMT

You most likely get the second password field due to having chosen your group policy with primary and secondary authentication. If you use a Duo proxy or access gateway as your primary authentication (and only one configured in the ASA's group policy) it can take care of 1) the primary authentication (to AD or whatever you use) and 2) the secondary authentication to Duo cloud for your MFA. Users will then get the push automatically.

Re: Removing second password option from AnyConnect

Asfandyar70754 — Mon, 20 Dec 2021 08:50:25 GMT

Hello Marvin,

We have followed this Duo doc https://duo.com/docs/ciscoasa-ldap.

As you can see there is no Duo Auth proxy file/vm in this solution.

Would really appreciate if you can go through the doc and check if it is possible to remove the second password and get a Push automatically.

According to my understanding Duo auth proxy is a bit intelligent so we can define what method of second authentication we want to use e.t.c.

Re: Removing second password option from AnyConnect

Marvin Rhoads — Mon, 20 Dec 2021 12:21:52 GMT

As is linked in the doc you referenced, there are at least four methods to integrate ASA VPN with Duo:

https://duo.com/docs/cisco

You have chosen the 4th method which is the only one that requires the second password prompt. Any of the other three do not.