cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3243
Views
0
Helpful
7
Replies

Cisco ASA and Duo Secondary Password Field

thambright
Level 1
Level 1

Is anyone aware of a way to pre-populate the Secondary Password field on the Cisco AnyConnect Client so that PUSH is not required to be typed in? The PUSH method is how this will be setup for all our users and we would like to make this a simple login process and then the user receives the DUO notification on their mobile device.

7 Replies 7

mkorovesisduo
Level 4
Level 4

It sounds like you are using our ASA LDAP configuration. If you utilize our ASA RADIUS configuration, then AnyConnect users will not see a second password field and will automatically receive a push or phone callback.

Note, however, that users cannot self-enroll with our RADIUS configuration. You can learn more about our ASA configuration options here.

thambright
Level 1
Level 1

We are using Cisco ISE as our Radius Authentication and DUO as our Secondary Authentication for the push. Reason for this is we are able to utilize the AD directory groups and downloadable ACL’s for the clients.

jeffsmith1
Level 1
Level 1

If you also have a SAML IDP you can use that and still point to ISE for Authorization. The End user experience will then be what you currently see in the browser.

Here is a doc with our Duo Access Gateway however if you use something like Azure AD or ADFS that will work as well.

Victor
Level 1
Level 1

Hello to everyone.
I’m trying to configure ASA SSL vpn with minimum user interaction and always on. My first authentication is user certificate and second is DUO configured as radius server (using duo auth proxy VM) but I still get the prompt from Anyconnect for “push” field. Has anyone managed to achieve this without the password prompt?

@victor_p,

Which of the various radius_server_??? Authentication Proxy configurations did you choose?

Duo, not DUO.

@DuoKristina
[duo_only_client]

[radius_server_duo_only]
ikey=notsharing
skey=notsharing
api_host=notsharing
radius_ip_1=notsharing
radius_secret_1=notsharing
failmode=secure
client=duo_only_client
port=1812

OK, there are two takeaways from this for you:

  1. radius_server_duo_only does not do autopush or let you proceed without submitting a “password” to it in the form of a Duo factor name or passcode. radius_server_auto with duo_only_client would send an automatic push, buuuuut…

  2. Previous exploration of ASA with cert for primary and Duo showed that you can’t use any secondary authentication without having AAA enabled as an authentication method, and submitting a password. This was confirmed by Cisco TAC.

So with this config we could find no feasible way it would not require submitting a password value to start RADIUS AAA auth after certificate authentication success.

Duo, not DUO.
Quick Links