We currently have a Cisco ASA through which we provide the AnyConnect service. Users are first authenticated through Cisco ACS and then through DUO.
![MarcoLazzarotto_0-1707142321088.png](https://community.cisco.com/t5/image/serverpage/image-id/209591iAE4E01A40629B163/image-size/medium?v=v2&px=400)
Currently when the user logs into AnyConnect, they get a window to enter username, password and second password.
From what I understand (I did not do the initial configuration myself):
1. The authentication goes through the Cisco ASA first and is sent to the Cisco ACS via the RADIUS protocol.
2. On the Cisco ACS, the authentication goes through our internal DUO proxy server.
3. Finally, once the user has been authenticated with the first password, the second password is checked on the DUO server in the cloud via LDAPS.
On the Cisco ASA:
![MarcoLazzarotto_1-1707142399343.png](https://community.cisco.com/t5/image/serverpage/image-id/209592i38135DBA84617788/image-size/medium?v=v2&px=400)
![MarcoLazzarotto_2-1707142459361.png](https://community.cisco.com/t5/image/serverpage/image-id/209593i3F443A6D621EB6D5/image-size/medium?v=v2&px=400)
On the Cisco ACS:
![MarcoLazzarotto_3-1707142506898.png](https://community.cisco.com/t5/image/serverpage/image-id/209594i8B7955D2F5B7947D/image-size/medium?v=v2&px=400)
My question is, can I keep the same AnyConnect interface I have now (with user-password-second password) or do I have to switch to a different workflow, such as these?
https://duo.com/docs/ciscoasa-radius
https://duo.com/docs/ciscoasa-radius-challenge