
AnyConnect DUO with ACS - LDAPS end-of-life - Migration help

MarcoLazzarotto
Level 1

We currently have a Cisco ASA through which we provide the AnyConnect service. Users are first authenticated through Cisco ACS and then through DUO.

MarcoLazzarotto_0-1707142321088.png

Currently when the user logs into AnyConnect, they get a window to enter username, password and second password.
From what I understand (I did not do the initial configuration myself):

1. The authentication goes through the Cisco ASA first, which sends it to the Cisco ACS via the RADIUS protocol.
2. On the Cisco ACS, the authentication goes through our internal DUO proxy server.
3. Finally, once the user has been authenticated with the first password, the second password is checked on the DUO server in the cloud via LDAPS.

On the Cisco ASA

MarcoLazzarotto_1-1707142399343.png

MarcoLazzarotto_2-1707142459361.png

On the Cisco ACS

MarcoLazzarotto_3-1707142506898.png

My question is, can I keep the same AnyConnect interface I have now (with user-password-second password) or do I have to switch to a different workflow, such as these?
https://duo.com/docs/ciscoasa-radius
https://duo.com/docs/ciscoasa-radius-challenge
