
Duo usage with Meraki Firewall and Cisco Secure Client

RobustCisco
Level 1

Would it be possible to configure multi-factor authentication (MFA with DUO) with Always On VPN (AnyConnect) using a certificate encrypted via TPM? Also, this authentication should happen in the background, without Duo sending tokens to the devices for further authentication by giving the token codes.

3 Replies

DuoKristina
Cisco Employee

Disclaimer: I don't know a lot about Meraki Firewall authentication; I'm a Duo person.

When someone connects the VPN with a certificate in your config today, is that the only authentication required, or do your users have to enter some credential info as well? If your Meraki firewall does not support chaining authentication sources (auth to A, then auth to B if A succeeds), then Duo 2FA and certificate auth may be mutually exclusive. I have only ever looked at a Meraki MX before, years ago, and to my recollection it did not support chained authentication.

If you can somehow chain cert auth so that it's followed by a Duo RADIUS (like https://duo.com/docs/meraki-radius) or LDAP authentication server, it will not be silent and will need the user to interact and satisfy a Duo MFA request upon connect/reconnect.

We also have a Duo SSO SAML app for MX https://duo.com/docs/sso-meraki-secure-client, but I think that using SAML is an either/or config as well.

Meraki support might be the better contact to confirm if your device supports certificate auth followed by external RADIUS or SAML authentication, or maybe someone else in the user community here knows for sure.

Duo, not DUO.

RobustCisco
Level 1

Hi Kristina, what level of Duo will I need for this use case? The customer also prefers to use Passwordless Duo with Duo Keys.

RADIUS integrations are available in all plans, including Duo free.

Duo Passwordless is only an option for Duo SSO SAML or OIDC applications. Duo SSO is available in all paid plans. When using a Duo SSO federation configuration with some thick client instead of a browser (like a VPN client), that client must be able to show the passive web login for SSO using the OS system browser for webauthn methods to work.

Compare plans: https://duo.com/editions-and-pricing

If you go to https://duo.com/docs there is a separate overview page for each paid plan.

Duo, not DUO.