Cisco ASA and Duo Secondary Password Field

thambright
Level 1

Is anyone aware of a way to pre-populate the Secondary Password field on the Cisco AnyConnect Client so that PUSH is not required to be typed in? The PUSH method is how this will be setup for all our users and we would like to make this a simple login process and then the user receives the DUO notification on their mobile device.

7 Replies

mkorovesisduo
Level 4

It sounds like you are using our ASA LDAP configuration. If you utilize our ASA RADIUS configuration, then AnyConnect users will not see a second password field and will automatically receive a push or phone callback.

Note, however, that users cannot self-enroll with our RADIUS configuration. You can learn more about our ASA configuration options here.

thambright
Level 1

We are using Cisco ISE as our RADIUS authentication and DUO as our secondary authentication for the push. The reason for this is that we are able to utilize the AD directory groups and downloadable ACLs for the clients.

jeffsmith1
Level 1

If you also have a SAML IDP you can use that and still point to ISE for Authorization. The End user experience will then be what you currently see in the browser.

Here is a doc with our Duo Access Gateway however if you use something like Azure AD or ADFS that will work as well.

Victor
Level 1

Hello to everyone.
I’m trying to configure ASA SSL VPN with minimum user interaction and always-on. My first authentication is a user certificate and the second is DUO configured as a RADIUS server (using the Duo Auth Proxy VM), but I still get the prompt from AnyConnect for the “push” field. Has anyone managed to achieve this without the password prompt?

@victor_p,

Which of the various radius_server_??? Authentication Proxy configurations did you choose?

Duo, not DUO.

@DuoKristina
[duo_only_client]

[radius_server_duo_only]
ikey=notsharing
skey=notsharing
api_host=notsharing
radius_ip_1=notsharing
radius_secret_1=notsharing
failmode=secure
client=duo_only_client
port=1812

OK, there are two takeaways from this for you:

  1. radius_server_duo_only does not do autopush or let you proceed without submitting a “password” to it in the form of a Duo factor name or passcode. radius_server_auto with duo_only_client would send an automatic push, buuuuut…

  2. Previous exploration of ASA with cert for primary and Duo showed that you can’t use any secondary authentication without having AAA enabled as an authentication method, and submitting a password. This was confirmed by Cisco TAC.

So with this config we could find no feasible way it would not require submitting a password value to start RADIUS AAA auth after certificate authentication success.

Duo, not DUO.
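As an added illustration (not configuration posted in this thread), here is the radius_server_auto variant that the reply above contrasts with the poster’s radius_server_duo_only section; every value is a placeholder, the automatic-push behaviour is taken from that reply, and the ASA-side requirement to submit some password to start RADIUS AAA after certificate authentication still applies.

```ini
; Added example, not from the thread. All values below are placeholders.

; Duo-only client: the proxy performs no primary-password check, so the
; ASA certificate check stays the only primary factor in this design.
[duo_only_client]

; radius_server_auto instead of radius_server_duo_only. Per the reply
; above, with duo_only_client this section sends an automatic push when
; the user submits no explicit factor name or passcode, whereas
; radius_server_duo_only always requires "push"/"phone"/"sms" or a passcode.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=<integration secret key, placeholder>
api_host=api-XXXXXXXX.duosecurity.com
; the ASA's RADIUS client address and shared secret (placeholders)
radius_ip_1=192.0.2.10
radius_secret_1=<radius shared secret, placeholder>
; secure: deny logins if Duo cloud cannot be reached (as in the thread)
failmode=secure
client=duo_only_client
port=1812
```

Caveat from the thread: even with this section, AnyConnect still shows the secondary password prompt after certificate auth because the ASA needs a submitted value to begin AAA; the change only alters what happens once that value reaches the proxy.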