FTD-AnyconnectLDAP-DUO

mdzaf
Level 1

Hi,

I have AnyConnect on Cisco FTD. It is integrated with Microsoft AD via LDAP and I do LDAP attribute mapping based on AD group and FTD policy, so different users have different privileges. I need to set up 2FA with DUO for these users, so I installed DuoProxy. Now my SSL VPN configuration (AAA server) points to AD.

How can I now point this to the DuoProxy server, so that DuoProxy can validate the username and password in AD and then send a push notification to the user as 2FA? I modified auth.cnfg on DuoProxy to integrate with AD, but I am not sure how to integrate FTD and DuoProxy so that DuoProxy can also pass LDAP attributes to Cisco FTD. Any recommendation?

Thank you 

Accepted Solution

With the Duo proxy configured, you need to configure the FTD to use the Duo Proxy as the LDAP server.
(The FTD connects to the Duo Proxy via LDAP, the Duo Proxy connects to AD via LDAP or natively; after successful primary authentication the DUO secondary factor comes in, and the results are sent to the FTD.)
Once the authentication has passed, the FTD should receive the LDAP search/query results through the Duo Proxy.

You may need to set allow_searches_after_bind to True in the Duo Authentication Proxy config.

See the Duo Authentication Proxy reference:
https://duo.com/docs/authproxy-reference#ldap-auto

---
Please mark helpful answers & solutions
---
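As an added example (not from this thread and not Duo's or Cisco's own sample), here is how the pieces named in the accepted solution fit together in one authproxy.cfg for the FTD -> Duo Authentication Proxy -> AD topology. The section and option names are the Duo Authentication Proxy's own; every hostname, DN, key, api_host and port value is a placeholder to be replaced, and the FTD Login DN shown is assumed.

```ini
; Added example authproxy.cfg, not the thread's own file.
; Comments sit on their own lines: the proxy's parser does not strip
; trailing comments from values.

[main]
debug = false
; writes one record per authentication decision to authevents.log
log_auth_events = true

[ad_client]
; placeholder domain controllers; host_2 gives the proxy a failover DC
host = dc1.example.local
host_2 = dc2.example.local
; placeholder read-only AD account used for the user lookup
service_account_username = duo-svc
service_account_password = REPLACE_ME
search_dn = DC=example,DC=local

[ldap_server_auto]
; placeholders: copy ikey, skey and api_host from the Duo Admin Panel
ikey = DIXXXXXXXXXXXXXXXXXX
skey = REPLACE_ME
api_host = api-XXXXXXXX.duosecurity.com
client = ad_client
; placeholder listening port; this is the port the FTD LDAP realm uses
port = 389
; fail closed: if the Duo cloud is unreachable, reject logins instead of
; falling back to password-only authentication (safe = fall back)
failmode = secure
; The FTD's own Login DN bind (used to find the user before the FTD binds
; as that user) is the primary bind and stays exempt from 2FA.
exempt_primary_bind = true
; Assumed DN of the FTD's service account; exempting it explicitly keeps
; it from ever triggering a push even if the bind order changes.
exempt_ou_1 = CN=ftd-ldap,OU=Service Accounts,DC=example,DC=local
; Required for the FTD's LDAP attribute map: after the user's bind succeeds
; (push approved), the FTD searches for the user's attributes over the same
; connection. Without this the proxy rejects that search.
allow_searches_after_bind = true
```

With this in place the FTD's LDAP realm is pointed at the proxy's address and port instead of the domain controller, the FTD's Login DN bind is exempt from the second factor, the user's own bind is what triggers the Duo push, and the attribute query the FTD issues afterwards is permitted by allow_searches_after_bind. Choosing failmode = secure means a Duo cloud outage blocks VPN logins rather than silently reducing them to password-only; pick safe only if that fallback is acceptable. When a test login is rejected, authevents.log (enabled by log_auth_events) and authproxy.log in the proxy's log directory show whether the failure happened at the AD primary bind, at the Duo factor, or at the post-bind search.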


5 Replies


Hi Jonatan,

Thank you for the help. Before I apply it I just want to check a couple of things. I attach the authproxy.cnfg file where I configure, in the first section, the connection with AD; in the second section, as per your recommendation, LDAP auto; and in the third section, cloud connectivity for syncing users. After this, I guess that in the Realm, instead of the IP address of my Active Directory, I need to put the IP of DuoProxy?

Yes, you use the IP of your auth proxy for your Realm.
A couple of other things:

1. Add this to the top... and when things are acting weird you can set debug = true and restart to get some more logging:

[main]
debug = false
log_auth_events = true

2. In your AD_Client section, you may want to add "host_2=anotherdomaincontroller".

Hi,

Thank you for your answer. I added this also in the authproxy config file. I tried to add this in the realm as a directory, but when I test some user communication it doesn't pass the test. I tried from the CLI test aaa ... and I get the message "ERROR: Authentication Rejected: Invalid password" even though I use the same user for the AD Directory and that test is successful. Do you have any advice?

Edit: When I exempt_ou and write the DN of that user, authentication is successful. Then I concluded that the application on Cisco Duo blocks users. I turned 2FA on and it started working. Thank you everyone
