Cisco AnyConnect Secondary Authentication with DUO MFA

thambright (Level 1)

Is there a way to pre-configure the Secondary password field in the AnyConnect client with the word PUSH so that users do not have to type it in? Since we are using the push option in DUO only, this would be a great feature so that it automatically sends the push to DUO.


4 Replies

Pablo (Cisco Employee)

Password storage is not supported with AnyConnect, so this is not possible.


Are you working with different user databases for the primary authentication and DUO?

Yes, primary authentication is to our Cisco ISE, and then it is configured to use secondary authentication to DUO for the MFA. This gives us the ability to use our AD groups and downloadable ACLs within ISE.

In that case, your ISE should only be required for authorization. DUO is taking care of authentication against the user DB and also sending the 2FA via the push, so there's no need to have the ISE check the username/password again.

With the configuration below, you still have 2FA along with DACL/group policy assigned by the ISE and the users will only be presented with a single username/password text box while connecting to the VPN gateway:

==================================================================================

! ISE: RADIUS, authorization only (no credential check; source of DACL/group-policy)
aaa-server ISE protocol radius
 authorize-only

! DUO: primary authentication and the 2FA push (pick one protocol: ldap or radius)
aaa-server DUO protocol ldap|radius

! DUO authenticates first; ISE is queried with the same username for authorization only
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DUO
 secondary-authentication-server-group ISE use-primary-username
 default-group-policy NoAccess
 authentication-attr-from-server secondary

! Hide the secondary password box in the client and send a fixed dummy value to ISE
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa
 secondary-pre-fill-username client hide use-common-password <dummypasswd>

==================================================================================

***The ISE authentication policy matching the request from the ASA NAS IP needs to be set to continue if authentication fails. This is expected since DUO is terminating the authentication, but RADIUS can't separate authentication from authorization; that's also why you need to send a common password.

HTH.
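A small audit script for the pattern in the reply above, added here as an example (it is not a Cisco or Duo tool and is not part of the original post). It parses ASA-style `aaa-server` / `tunnel-group` blocks and checks the properties the reply relies on: the secondary server group is RADIUS with `authorize-only`, the secondary username is the primary one, authorization attributes come from the secondary server, a default group policy exists so a missing authorization fails closed, and `use-common-password` is only present when the secondary group does not actually authenticate (otherwise the common password is a static credential shared by every user). The sample configs, host addresses, and the `<shared-secret>` placeholder are constructed for the example.

```python
"""Audit an ASA remote-access config for the MFA-primary / authorize-only-secondary
pattern. Hypothetical checker written for this example; not a vendor tool."""
import re
from collections import OrderedDict

# Commands that open a configuration block at column 0 of an ASA config
BLOCK_KEYWORDS = ("aaa-server", "tunnel-group", "group-policy")


def parse_asa(text):
    """Group sub-commands under their block header.

    Returns an ordered {header: [subcommands]} mapping. A line starting with one of
    BLOCK_KEYWORDS at column 0 opens a block; any other non-empty line is attached
    to the current block. '!' comment lines and '====' separator lines are skipped.
    """
    blocks = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or set(line) <= {"="}:
            continue
        if not raw[0].isspace() and line.split()[0] in BLOCK_KEYWORDS:
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def find(subs, command):
    """Tokens following `command` in a block's sub-commands, or None if absent."""
    for sub in subs:
        if sub == command or sub.startswith(command + " "):
            return sub[len(command):].split()
    return None


def aaa_group(blocks, tag):
    """(protocol, subcommands) of 'aaa-server <tag> protocol <proto>', else (None, [])."""
    for header, subs in blocks.items():
        match = re.match(r"aaa-server (\S+) protocol (\S+)$", header)
        if match and match.group(1) == tag:
            return match.group(2), subs
    return None, []


def audit_tunnel_group(blocks, name):
    """Return a list of findings (empty means the tunnel-group matches the pattern)."""
    findings = []
    gen = blocks.get(f"tunnel-group {name} general-attributes", [])
    web = blocks.get(f"tunnel-group {name} webvpn-attributes", [])
    primary = find(gen, "authentication-server-group")
    secondary = find(gen, "secondary-authentication-server-group")
    attr_src = find(gen, "authentication-attr-from-server")
    default_gp = find(gen, "default-group-policy")
    prefill = find(web, "secondary-pre-fill-username")

    if primary is None:
        findings.append("no authentication-server-group: no server performs the MFA step")
    if secondary is None:
        return findings  # single-server tunnel-group; nothing more to check here

    sec_tag = secondary[0]
    proto, sec_subs = aaa_group(blocks, sec_tag)
    authz_only = proto == "radius" and "authorize-only" in sec_subs
    if proto is None:
        findings.append(f"secondary group {sec_tag} is not defined")
    elif proto != "radius":
        findings.append(f"secondary group {sec_tag} uses {proto}; authorize-only needs radius")
    elif not authz_only:
        findings.append(f"secondary group {sec_tag} authenticates instead of authorize-only")
    if "use-primary-username" not in secondary:
        findings.append("secondary group does not reuse the primary username")
    if prefill and "use-common-password" in prefill and not authz_only:
        findings.append("use-common-password with an authenticating secondary server "
                        "is a static credential shared by every user")
    if attr_src is None or attr_src[0] != "secondary":
        findings.append("authentication-attr-from-server is not 'secondary': "
                        "DACL/group-policy from the secondary server will not apply")
    if default_gp is None:
        findings.append("no default-group-policy: set a deny-all policy so a missing "
                        "authorization fails closed")
    return findings


# Constructed sample that follows the reply's pattern (addresses are placeholders)
GOOD_CONFIG = """\
aaa-server ISE protocol radius
 authorize-only
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
aaa-server DUO protocol radius
aaa-server DUO (inside) host 192.0.2.20
 key <shared-secret>
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DUO
 secondary-authentication-server-group ISE use-primary-username
 default-group-policy NoAccess
 authentication-attr-from-server secondary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa
 secondary-pre-fill-username client hide use-common-password DUMMY
"""

# Same config with the authorize-only line dropped: ISE would now check the dummy password
WEAK_CONFIG = GOOD_CONFIG.replace(" authorize-only\n", "")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_tunnel_group(parse_asa(cfg), "DefaultWEBVPNGroup"))
```

The parser also accepts the reply's own block as pasted (the `====` separators and unindented sub-commands are handled), so the checks can be run against a `show running-config` excerpt without reformatting it first.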


Hi Pablo,

My name is Ivan. I have a question: how can we manage the policy for AD users in the Duo proxy web portal and the configuration file (cfg)?

Is it necessary to protect only the ASA (RADIUS server auto) or also the ISE?

Regards, Ivan.