Anyconnect VPN integration with Cisco DUO without separate AD or RADIUS server

Hi!

I am planning to deploy a Cisco ASA with AnyConnect to enable remote access VPN. I am also planning to integrate Cisco DUO with AnyConnect for multifactor authentication. I want to create local users on the ASA for VPN authentication without having a separate Active Directory or RADIUS server. Will Cisco DUO support such a scenario, where there is no separate Active Directory/RADIUS server for primary authentication? Can Cisco DUO query the ASA to verify the username and password before sending the request to the DUO cloud for second-factor authentication?

3 Replies

Yes, that works. The primary authentication runs against the local database and, if that succeeds, the DUO LDAP is queried for the secondary authentication. I run this scenario at home.

https://duo.com/docs/cisco#asa-ssl-vpn-using-ldaps

In the above shared link, RADIUS and SAML integration are used as the primary authenticator, but not the firewall local DB. Can you share supported configurations?

Mark Ftc
Level 1

The functionality you describe is possible. However, not in the exact manner you describe.

Duo doesn't query the ASA as the primary identity source. Instead, you would need to set up a second authentication server (pointing to the Duo Authentication Proxy) for the tunnel-group on the ASA. So this would require you to configure the Duo Authentication Proxy as an aaa-server object on the ASA.

You can still have the ASA serve as the primary identity source, and then that secondary authentication method (referencing your Duo Auth Proxy) would invoke Duo MFA for the user. There are some other aspects to this, and I've given a detailed answer to this same question on a separate Cisco Community thread. Please see here:

https://community.cisco.com/t5/vpn/cisco-asa-secure-client-with-mfa-and-cisco-duo-local-users/m-p/5268065#M298716
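As an added example (not taken from either reply or from Duo's documentation), here is the ASA CLI shape of the setup both replies describe: local users as the primary authentication source and Duo as a secondary aaa-server on the tunnel-group. It shows the LDAPS-to-Duo-cloud variant from the first reply; the Authentication Proxy variant from the third reply replaces the LDAP aaa-server with a RADIUS one pointing at the proxy host. The names DUO-LDAP, RA-VPN, VPN-POOL, the api-XXXXXXXX hostname and the key placeholders are assumptions.

```text
! Local users are the primary identity source (no AD/RADIUS server needed).
username alice password <PASSWORD-PLACEHOLDER>
username alice attributes
 service-type remote-access

! Duo's cloud LDAP service, reached over LDAPS (TCP/636) via the outside
! interface. Integration key and secret key come from the Duo Admin Panel
! (placeholders here). The secret key is the bind password, so treat this
! block like any other stored credential.
aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 server-port 636
 ldap-base-dn dc=<INTEGRATION-KEY>,dc=duosecurity,dc=com
 ldap-login-dn dc=<INTEGRATION-KEY>,dc=duosecurity,dc=com
 ldap-login-password <SECRET-KEY>
 ldap-naming-attribute cn
 ldap-over-ssl enable
 server-type auto-detect

! Tunnel group: first factor against LOCAL, second factor against Duo.
! use-primary-username reuses the first username for the second check, so
! the user sees one username prompt and two password prompts; the second
! password field takes a Duo passcode or a factor keyword such as "push".
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
 secondary-authentication-server-group DUO-LDAP use-primary-username
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable
```

The ASA must trust the CA that issues Duo's LDAPS certificate or the secondary bind fails closed, and the 60-second timeout (well above the ASA default) is what gives a user time to approve a push before the ASA gives up on the second factor.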