
Secure Access Always On

msbang
Frequent Visitor

Hello everyone,
We are currently conducting an Always On Test in Secure Access.
When the PC is turned on, all internet connectivity is blocked, and after enforcing SSL VPN, the internet becomes available once the VPN is connected.
In the VPN profile settings, we have verified that through auto VPN-related configurations, internet access is allowed on trusted networks, and blocked on untrusted networks.
However, when attempting to initiate VPN on an untrusted network, there is no internet connectivity, so DUO cannot perform SSO authentication. It seems like DUO SSO needs to be treated as an exception. Which setting should be configured for this?
Also, what is the purpose of the machine tunnel feature?
We would appreciate your expert advice.

4 Replies

nop-tk
Frequent Visitor

Hello.

You can enable DUO SSO by registering the FQDN required for DUO SSO access in the “Accessible hosts with VPN disconnected” option of the VPN Profile.

For more information on “Accessible hosts with VPN disconnected,” please refer to the following link:
https://securitydocs.cisco.com/docs/csa/olh/121141.dita

For information on machine tunnels, please refer to the following link:
https://www.cisco.com/c/en/us/support/docs/security/secure-access/223193-configure-machine-tunnel-on-cisco.html

msbang
Frequent Visitor

Even after adding exceptions for Duo SSO, APIs, and related services, it still seems unable to retrieve the SSO authentication properly during testing.

Do you happen to know which specific domains, services, or traffic should be exempted so that SSL VPN can be enforced while the device is still offline from general internet access, but able to complete Duo SSO authentication successfully?

We would really appreciate your guidance and support on this.
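One way to narrow down which hosts are still missing from the "Accessible hosts with VPN disconnected" list is to capture every hostname the browser contacts during a Duo SSO login (from the browser developer tools or a proxy log while testing) and check each one against the exemption list. The script below is an added example, not code from this thread or from Cisco; the hostnames are constructed placeholders rather than Duo's real endpoints, and it assumes the exemption option accepts exact hostnames and `*.domain` wildcard entries.

```python
# Added example (not from the thread or from Cisco): report which hosts seen
# during a Duo SSO login are NOT covered by the VPN-disconnected exemption list.
# All hostnames here are constructed placeholders, not real Duo endpoints.

def _normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix."""
    return name.lower().split(":")[0].rstrip(".")

def host_covered(host: str, exemptions: list[str]) -> bool:
    """True if host matches an exemption exactly or via a leading '*.' wildcard.
    Assumption: the exemption option supports '*.example.com' style entries."""
    host = _normalize(host)
    for entry in exemptions:
        entry = _normalize(entry)
        if entry.startswith("*."):
            # '*.example.com' covers sub.example.com and a.b.example.com,
            # but not the bare apex 'example.com' itself.
            if host.endswith(entry[1:]) and host != entry[2:]:
                return True
        elif host == entry:
            return True
    return False

def missing_hosts(observed: list[str], exemptions: list[str]) -> list[str]:
    """Hosts contacted during the SSO flow that the exemption list does not cover."""
    return sorted({_normalize(h) for h in observed if not host_covered(h, exemptions)})

# Constructed sample: hosts captured while the SSO login was attempted.
OBSERVED_SSO_HOSTS = [
    "sso-abc123.sso.duosecurity.com",   # placeholder Duo SSO host
    "api-abc123.duosecurity.com:443",   # placeholder Duo API host (with port)
    "Login.Example-IDP.com",            # placeholder upstream identity provider
]

# First attempt: only the SSO page itself was exempted.
INITIAL_EXEMPTIONS = ["sso-abc123.sso.duosecurity.com"]
# Second attempt: wildcard for the Duo domain plus the upstream IdP.
FULL_EXEMPTIONS = ["*.duosecurity.com", "login.example-idp.com"]

if __name__ == "__main__":
    print("still blocked:", missing_hosts(OBSERVED_SSO_HOSTS, INITIAL_EXEMPTIONS))
    print("still blocked:", missing_hosts(OBSERVED_SSO_HOSTS, FULL_EXEMPTIONS))
```

Any host the report lists is one the SSO flow needs but the exemption list does not cover; re-test after adding it, and remember that DNS for the exempted names must also resolve while the VPN is disconnected.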

iqbalfadjarudin93
Community Member

Good information for DUO SSO by registering

cludwigd
Visitor

Check this article and its sub-chapters. These destinations should be exempted from VPN:
Network Requirements for Secure Access