Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
244
Views
0
Helpful
3
Replies

Duo usage with Meraki Firewall and Cisco Secure Client

RobustCisco
Level 1
Level 1

‎08-13-2024 08:20 AM

 Would it be possible to configure a Multi-Factor Authentication (MFA with DUO) with Always ON VPN (Any Connect) using a certificate encrypted via TPM? Also this authentication should happen in the background without having duo sending tokens to the devices for further authenticating by giving the token codes

0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎08-13-2024 01:59 PM

Disclaimer: I don't know a lot about Meraki Firewall authentication; I'm a Duo person.

When someone connects the VPN with a certificate in your config today, is that the only authentication required, or do your users have to enter some credential info as well? If your Meraki firewall does not support chaining authentication sources (auth to A, then auth to B if A succeeds), then Duo 2FA and certificate auth may be mutually exclusive. I have only ever looked at a Meraki MX before, years ago, and to my recollection it did not support chained authentication.

If you can somehow chain cert auth so that it's followed by a Duo RADIUS (like https://duo.com/docs/meraki-radius) or LDAP authentication server, it will not be silent and will need the user to interact and satisfy a Duo MFA request upon connect/reconnect.

We also have a Duo SSO SAML app for MX https://duo.com/docs/sso-meraki-secure-client, but I think that using SAML is an either/or config as well.

Meraki support might be the better contact to confirm if your device supports certificate auth followed by external RADIUS or SAML authentication, or maybe someone else in the user community here knows for sure.

Duo, not DUO.
0 Helpful

RobustCisco
Level 1
Level 1

‎08-27-2024 02:11 AM

Hi Kristina, what level of Duo will I be needing for this usecase. The customer is also preferring to use Passwordless Duo with Duo Keys. 

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to RobustCisco

‎08-27-2024 05:50 AM

RADIUS integrations are available in all plans, including Duo free.

Duo Passwordless is only an option for Duo SSO SAML or OIDC applications. Duo SSO is available in all paid plans. When using a Duo SSO federation configuration with some thick client instead of a browser (like a VPN client), that client must be able to show the passive web login for SSO using the OS system browser for webauthn methods to work.

https://duo.com/editions-and-pricing compare plans

If you go to https://duo.com/docs there is a separate overview page for each paid plan.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents