Anyconnect VPN and auto push

Peter_Matuska
Level 1

Hi, the task is simple but I can't get it to work. I want to use Duo with AnyConnect. The requirements are:

  • password management has to be enabled
  • the third line for OTP has to be visible
  • push notification is the default, but I don't want users to type the word "push" in that 3rd line every time they log in.

I have a setup with ISE for primary authentication and Duo LDAP for secondary authentication.

Is something like this possible?

4 Replies

Antony GALLEZ
Level 1

@Peter_Matuska,

I have the same setup except password management (disabled) & OTP (we only use push, without any intervention from users). But, as explained here, if some of your users want to use OTP, they may add ,<passcode> after their AD password.

For example:

username: bob
password: hunter2,123456

I set it up in the way below:

  1. FTD uses ISE as its RADIUS server.
  2. In ISE, I use the Duo AuthC proxies as External RADIUS Servers.
  3. The Duo AuthC proxies use our AD for backend authentication.

Regards,
Antony
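The chain in the three steps above (ISE as RADIUS client, Duo Authentication Proxy in the middle, AD as the primary-password backend) maps onto two sections of the proxy's authproxy.cfg. The following is an added example, not Antony's or Duo's own configuration; every hostname, IP address, secret and Duo key below is a placeholder assumed for illustration.

```ini
; Added example authproxy.cfg for the ISE -> Duo Authentication Proxy -> AD chain.
; All hosts, IPs, secrets and key values are placeholders (assumptions).

[main]
; optional: verbose logging while bringing the chain up; disable once it works
debug=true

; Step 3: the proxy checks the user's primary password against AD.
[ad_client]
host=dc1.corp.example
host_2=dc2.corp.example
service_account_username=svc-duoproxy
service_account_password=CHANGE_ME
search_dn=DC=corp,DC=example
; bind over LDAPS instead of cleartext LDAP (assumes the DCs present a
; certificate that chains to the bundle below)
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/ca-bundle.pem

; Step 2: ISE sends RADIUS here. In "auto" mode a password of the form
; hunter2,123456 is split into the AD password (hunter2) and the Duo passcode
; (123456); a password with no comma sends a push to the user's default device,
; and users may also append ,push ,phone or ,sms explicitly.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; accept RADIUS only from the ISE policy service nodes, one entry per node
radius_ip_1=10.0.0.11
radius_secret_1=CHANGE_ME_ISE_SECRET
radius_ip_2=10.0.0.12
radius_secret_2=CHANGE_ME_ISE_SECRET
client=ad_client
port=1812
; fail closed: if Duo's service is unreachable, deny rather than accept the
; primary password alone
failmode=secure
```

Two things to check when reproducing this: the proxy must receive the cleartext password from ISE (PAP) so it can split off the comma-separated passcode, which is why this append style does not survive an MS-CHAP exchange; and `failmode=secure` is the setting to prefer for a VPN edge, since `safe` would let a correct AD password through while Duo is unreachable.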

Peter_Matuska
Level 1

Hi Antony,
If you type the OTP on the same line as the password, then it is a different setup. I had it like this before, but when I enabled password management the OTP stopped working, I believe because of MS-CHAP. The requirement is to have a 3rd line for OTP; they don't want to have the OTP within the password line. Thank you.

Antony GALLEZ
Level 1

Hi @Peter_Matuska,

You may have to follow this guide.

It is about ASA, ISE & Symantec VIP but I’m pretty sure you may adapt it to match your need.

HTH,
Antony

@Peter_Matuska

So in this case it isn’t Duo that is requiring input into the second password field.

You didn’t say but I am going to assume you are using an ASA.

When you set up separate primary and secondary authentication on the connection profile then the ASA won’t proceed without input in that second password field. At that point it has no idea that the secondary AAA server in the server group you picked is a Duo Authentication Proxy or some other LDAP server or something else entirely. It just knows you configured secondary auth so therefore it needs a password to send to the AAA server.

Duo, not DUO.
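For the design the reply above describes, the ASA sends the first password field to the primary server group and the second field to the secondary group, and the secondary server is expected to validate only that second value. When that secondary server is a Duo Authentication Proxy reached over RADIUS, the proxy section that fits is `radius_server_duo_only`, which performs no primary authentication and treats whatever arrives as a Duo passcode or factor name. The following is an added example, not configuration from this thread or from Duo; the thread's own setup uses Duo LDAP for the secondary group, so the RADIUS form shown here is an assumption chosen for illustration, and the IPs, secret and Duo keys are placeholders.

```ini
; Added example authproxy.cfg section for an ASA secondary-authentication
; server group. IPs, secrets and Duo key values are placeholders (assumptions).

; "duo_only" mode: no primary password check here; the ASA already validated
; the first password field against its primary AAA group. The value the ASA
; sends in the second field is interpreted as a Duo passcode (e.g. 123456) or a
; factor name (push, phone, sms). An empty second field never reaches this
; listener because the ASA will not proceed without input in that field.
[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; only the ASA's inside interface may send RADIUS to this listener
radius_ip_1=10.0.0.1
radius_secret_1=CHANGE_ME_ASA_SECRET
port=1812
; fail closed: deny the second factor if Duo's service cannot be reached
failmode=secure
```

On the ASA side this listener is the host in the aaa-server group named under `secondary-authentication-server-group` in the connection profile's general attributes, while `password-management` applies only to the primary group; keeping the two groups separate is what lets MS-CHAP-based password change work on the primary exchange without touching the Duo passcode in the second field.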