Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
760
Views
10
Helpful
5
Replies

AnyConnect Fallback Authentication

Go to solution
RGIE3779
Level 1
Level 1

‎02-02-2023 06:50 AM

Hello CSC,

I have an AC setup where the initial authentication is done via certificate with the username being pulled from UPN. This is then checked / authorised against ISE/AD with ISE saying YES or NO

Is there a way to force a fallback method to say a simple username/password against LDAP server based my setup if an end device doesn't have a valid certificate? The end devices are locked down so it is difficult to get them to manually point to somewhere else.I see under the connection profile / general there is "use LOCAL if server group fails" but don't think this is what I'm looking for.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-02-2023 06:55 AM

@RGIE3779 no, you'd have to create another connection profile/tunnel-group that uses LDAP authentication. The users would have to manually select that connection profile, the downside is the user may just continue to use that connection profile instead of certificates.

 

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎02-02-2023 06:55 AM

@RGIE3779 no, you'd have to create another connection profile/tunnel-group that uses LDAP authentication. The users would have to manually select that connection profile, the downside is the user may just continue to use that connection profile instead of certificates.

 

Go to solution
GRANT3779
Spotlight
Spotlight
In response to Rob Ingram

‎02-02-2023 07:00 AM

Thanks Rob, yes this is what I thought would be the only option the more I thought about it. Thank for the information.

0 Helpful

Go to solution
GRANT3779
Spotlight
Spotlight
In response to Rob Ingram

‎02-02-2023 07:02 AM

Thought I'd lost my old CSC account.... Turns out I haven't. Sorry for the confusion :-). I had been trying to change my email address on here. Anyways, thanks again @Rob Ingram 

0 Helpful

Go to solution
RGIE
Level 1
Level 1
In response to Rob Ingram

‎02-02-2023 07:11 AM

I wouldn't be able to have "Always On" with this I'd assume?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents