We currently have a Cisco ASA through which we provide the AnyConnect service. Users are first authenticated through Cisco ACS and then through DUO.
Currently when the user logs into AnyConnect, they get a window to enter username, password and second password.
From what I understand (I did not do the initial configuration myself):
1. The authentication goes through the Cisco ASA first, which sends it to the Cisco ACS via the RADIUS protocol.
2. On the Cisco ACS, the authentication goes through our internal DUO proxy server.
3. Finally, once the user has been authenticated with the first password, the second password is checked against the DUO server in the cloud via LDAPS.
On the Cisco ASA
On the Cisco ACS
My question is, can I keep the same AnyConnect interface I have now (with user-password-second password) or do I have to switch to a different workflow, such as these?
https://duo.com/docs/ciscoasa-radius
https://duo.com/docs/ciscoasa-radius-challenge