Looking to authenticate AnyConnect users in India. No split tunneling is a requirement, and so is MFA. We will use Duo. Our thought was to add a DC on their network in India; users would auth to their ASA, which uses LDAP to the DC we install on their network, the traffic to Duo would traverse an IPsec tunnel between our ASA and theirs (already built and working), and push the approvals to their phone. This seems so complex and messy; can anyone recommend something that is simpler? Here is a rough drawing.
Thanks in advance for any and all feedback!
Proposed design