05-02-2024 06:17 AM
Now that LDAPS to Duo Cloud has been deprecated, is there still a way to protect VPN access to a Cisco ASA using logins that are local accounts on the ASA? And is it possible to do without a proxy server in the middle? Everything I have found points me to old documentation about setting up LDAPS directly to Duo, which sounds like it is now deprecated. Is this possible?
05-02-2024 11:25 AM
It still works - it just isn't supported, so you can't talk to their support if you have any issues. LDAPS is pretty stable and unchanging, so I don't see it just magically failing anytime soon. They haven't announced a stop functionality date yet. As an alternative, though, you can just set up RADIUS auth instead.
05-02-2024 11:49 AM
Would that be happening strictly between the ASA and Duo Cloud? The environment we are protecting does not have an NPS running, these accounts only live on the ASA itself.
05-02-2024 11:59 AM
Yeah, it would be between the ASA and Duo only, but it does require the authentication proxy, as that would be the receiving RADIUS server for the Duo requests.
05-02-2024 12:03 PM
Ah, that's what I was hoping to avoid. So LDAP should still technically work, but it does not sound like there is a supported method of authenticating directly from ASA local accounts to Duo without a Proxy server in between.