11-13-2018 01:50 PM
Hello
I am looking for someone that has had success setting up a Cisco NGFW Firepower Threat Defense device with the Duo Authentication Proxy application. I have followed everything I can find, but I am not getting the prompt for the secondary passcode on AnyConnect.
11-14-2018 06:28 AM
The FTD doesn’t support double-authentication, so you probably configured it to point to the Duo Authentication Proxy, and then the Duo proxy handles both primary and secondary authentication.
In this configuration there will be no second field for a passcode in the AnyConnect prompt. You should receive an automatic push request if Duo Mobile is activated for the user, or a phone call if Duo Mobile is not activated. If using SMS or token passcodes, append the token code to the password with a comma.
Does this help?
11-14-2018 01:15 PM
So if that is the case, do I point my AAA server group just to the Duo Proxy and not to the LDAP server? That way only Duo handles both.
11-15-2018 01:12 PM
Yes, you would do the following:
Deploy Duo Authentication Proxy as described on Two-Factor Authentication Using RADIUS | Duo Security, using [ad_client] or [radius_client] (whichever you are already using for AAA in your FTD, you probably want to point your Duo server to the same thing).
Create a RADIUS server group with your Duo proxy in it.
Use the Duo RADIUS server group as the AAA Authentication Server in your Remote Access Connection Profile (instead of whatever AAA server group you use now).
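As an added example that is not part of the reply above or of Duo's documentation: a minimal authproxy.cfg for the [ad_client] case, where the proxy checks the password against Active Directory and then performs the Duo second factor. Every address, account name, key and secret is a placeholder, and radius_ip_1 is assumed to be the FTD interface that sources the RADIUS requests.

```ini
; authproxy.cfg (constructed example; every value below is a placeholder)

; Primary authentication: the proxy binds to AD and verifies the password.
[ad_client]
host=10.0.0.10
service_account_username=duoservice
service_account_password=CHANGE_ME
search_dn=DC=example,DC=com

; RADIUS listener that the FTD's RADIUS server group points to.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME
api_host=api-XXXXXXXX.duosecurity.com
; Only this source address may send requests, using this shared secret.
radius_ip_1=10.0.0.1
radius_secret_1=CHANGE_ME
; Use the [ad_client] section above for primary authentication.
client=ad_client
; Reject logins if Duo's service cannot be reached.
failmode=secure
port=1812
```

With failmode=secure the proxy denies access when Duo is unreachable; failmode=safe would instead allow users through on primary authentication alone, so choose it deliberately.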
09-12-2019 08:11 AM
Hi Josh,
Were you able to get this to work using LDAP and not RADIUS?