11-18-2020 01:51 PM
Hello,
We set up our ASA Anyconnect to use DUO for 2FA following these instructions - https://duo.com/docs/ciscoasa-radius. We use AD/LDAP as the primary authenticator.
This setup works fine but we have noticed that after implementing this configuration, users with upcoming expired passwords are not warned about the same. Also, once user passwords are expired, it renders this mode of connecting to VPN useless and requires an admin to reset their password on AD. This worked fine before implementing DUO for auth and 2FA. Am I missing something here? I have password management enabled on the connection profile on the ASA.
Thanks for any assistance!
PS - Reason we don’t want to use SAML for this is because we don’t want to maintain the DAG internally and plan on moving to Duo Cloud SSO for all cloud apps.
11-20-2020 06:11 AM
A Duo Authentication Proxy with a RADIUS + AD configuration does not support password reset.
The combinations that do support password reset through the proxy are:
Read more about these configurations here: Does the Duo Authentication Proxy support in-line password resets?
If you’re thinking about Duo SSO, we have a named application for ASA AnyConnect already! Use SAML authentication with AnyConnect without needing to set up Duo Access Gateway on-premises. You can leverage the Duo proxy server you already have to configure AD authentication for Duo SSO.
11-24-2020 07:51 AM
@DuoKristina - Thanks for the response. Does the cloud based Duo SSO for Anyconnect option (link you provided) support password resets?
11-24-2020 09:57 AM
Yes, if your authentication source for Duo SSO is another SAML IdP that supports password reset.
No, if using the Authentication Proxy as the AD authentication source for Duo SSO.
If you’re interested in the latter please contact your Duo account exec or customer success manager if you have one, or Duo Support if you don’t, to submit your feature request for AD password reset with Duo SSO. The product team is in the discovery phase on this functionality so additional context from customers helps.
11-24-2020 12:08 PM
@DuoKristina - thanks again. Yes, we do use Auth Proxy as the auth source and will continue to do so. What message should I send to our account exec or support? Just, “hey, password resets with Duo SSO would be great”?
11-24-2020 02:43 PM
Yep, pretty much! Just make it clear that you want to submit a feature request for it, so it gets entered into the right system.