
ASA VPN using local logins and Duo

asdraper
Level 1

Now that LDAPS to Duo Cloud has been deprecated, is there still a way to protect VPN access to a Cisco ASA using logins that are local accounts on the ASA? And is it possible to do without a proxy server in the middle? Everything I have found points me to old documentation about setting up LDAPS directly to Duo, which sounds like it is now deprecated. Is this possible?

4 Replies

TrietNguyen
Level 1

It still works - it just isn't supported, so you can't talk to their support if you have any issues. LDAPS is pretty stable and unchanging, so I don't see it just magically failing anytime soon. They haven't announced a stop functionality date yet. As an alternative, though, you can just set up RADIUS auth instead.

Would that be happening strictly between the ASA and Duo Cloud?  The environment we are protecting does not have an NPS running, these accounts only live on the ASA itself.  

Yeah, it would be between the ASA and Duo only, but it does require the authentication proxy, as that would be the receiving RADIUS server for the Duo requests.

Ah, that's what I was hoping to avoid.  So LDAP should still technically work, but it does not sound like there is a supported method of authenticating directly from ASA local accounts to Duo without a Proxy server in between.