
EOL for Duo LDAP cloud service and Migration Path

A couple of weeks ago I received a notification that the EOL for Duo LDAP cloud service (LDAPS) is approaching.
I found a migration path that solves the problem on the site (RADIUS 2FA for Cisco ASA SSL VPNs | Duo Security),
but I have a couple of questions that are not very clear to me after reading and watching the video.
Is RADIUS a necessary step?
In the video example RADIUS is used as the protocol; in the ASA settings it is selected in the drop-down menu for the AAA server group.

If my environment doesn't have RADIUS, is AD enough?

Additional: the part that confuses me:

“This Duo proxy server will receive incoming RADIUS requests from your Cisco ASA SSL VPN, contact your existing local LDAP/AD or RADIUS server to perform primary authentication if necessary, and then contact Duo’s cloud service for secondary authentication.”

2 Replies

raphka
Cisco Employee

Hi stefan, welcome to the Duo Community.
AD is indeed enough and you do not need a RADIUS server.

The proxy will act as a RADIUS server and receive RADIUS authentications from your ASA using its [radius_server_auto] section.

These authentications will be translated to LDAP and be sent to your AD for username and password verification using the [ad_client] section.

The flow looks like this:

ASA --RADIUS--> Proxy --LDAP--> AD
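
The two sections named in the reply above, sketched as an `authproxy.cfg` fragment. This is an added example, not part of the original reply or Duo's own sample file; every host name, account, IP address, key and file name is a constructed placeholder.

```ini
; authproxy.cfg - constructed example; all values are placeholders

[ad_client]
; Primary authentication: the proxy checks username/password against AD
host=dc01.example.internal
service_account_username=svc-duoproxy
service_account_password=REPLACE_ME
search_dn=DC=example,DC=internal
; Encrypt the proxy-to-AD leg instead of the default cleartext LDAP
transport=ldaps
ssl_ca_certs_file=ad-ca.pem

[radius_server_auto]
; Integration key, secret key and API host of the Duo application
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
; The ASA is the RADIUS client of the proxy; the secret must match the
; one set on the ASA's AAA server entry
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_ME
; Hand primary authentication to the [ad_client] section above
client=ad_client
port=1812
; secure = deny logins when Duo's service is unreachable; safe = allow them
failmode=secure
```

The `client=ad_client` line is what ties the RADIUS listener to AD, so no separate RADIUS server is involved.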

So, the example in the video is one-to-one how to configure it / migrate in an environment where I only have AD and want to migrate to Duo MSP?
