Is there a way to pre-configure the Secondary password field in the AnyConnect client with the word PUSH so that users do not have to type it in? Since we are only using the push option in DUO, this would be a great feature so that it automatically sends the push to DUO.
Yes, primary authentication is to our Cisco ISE, which is then configured to use secondary authentication to DUO for the MFA. This gives us the ability to use our AD groups and downloadable ACLs within ISE.
In that case, your ISE should only be required for authorization. DUO is taking care of authentication against the user DB and also sending the 2FA via push, so there's no need to have the ISE check the username/password again.
With the configuration below, you still have 2FA along with DACL/group policy assigned by the ISE and the users will only be presented with a single username/password text box while connecting to the VPN gateway:
aaa-server ISE protocol radius
aaa-server DUO protocol ldap|radius
!
tunnel-group DefaultWEBVPNGroup general-attributes
 ! primary authentication goes to DUO (user DB check plus the push)
 authentication-server-group DUO
 ! secondary authentication goes to ISE, reusing the username the user typed
 secondary-authentication-server-group ISE use-primary-username
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 ! hide the secondary password field and send ISE a fixed common password instead
 secondary-pre-fill-username client hide use-common-password <dummypasswd>
***The ISE authentication policy matching the request from the ASA NAS IP needs to be set to continue if authentication fails. This is expected, since DUO is terminating the authentication but RADIUS can't separate authentication from authorization; that's also why you need to send a common password.
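As an added example (not part of the thread above, and not Cisco or Duo code), here is a small Python audit that parses an ASA running-config and checks a tunnel-group for exactly the pieces the answer relies on: a primary aaa-server group for DUO, a secondary group for ISE with use-primary-username, and a hidden secondary-pre-fill-username with a common password so the user only sees one prompt. The two sample configs, the aaa-server names and the dummy password are constructed for illustration; the function and parameter names are my own.

```python
"""Audit an ASA running-config for the DUO-primary / ISE-secondary
AnyConnect pattern: DUO authenticates (and sends the push), ISE is
the secondary group that only needs the username plus a fixed common
password so it can return the DACL / group-policy.

Added example; the sample configs below are constructed, not from a
real device.
"""
import re
from dataclasses import dataclass, field


@dataclass
class TunnelGroup:
    name: str
    general: dict = field(default_factory=dict)  # sub-command keyword -> line
    webvpn: dict = field(default_factory=dict)


def parse_asa_config(text):
    """Return (tunnel-groups, aaa-servers).

    tunnel-groups maps name -> TunnelGroup with its general-attributes and
    webvpn-attributes sub-commands; aaa-servers maps group name -> protocol.
    ASA sub-commands are indented by one space; '!' lines are comments.
    """
    groups, servers, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command ends any sub-mode
            section = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
            if m:
                servers[m.group(1)] = m.group(2)
                continue
            m = re.match(r"tunnel-group (\S+) (general|webvpn)-attributes", line)
            if m:
                name, kind = m.groups()
                tg = groups.setdefault(name, TunnelGroup(name))
                section = getattr(tg, kind)
            continue
        if section is not None:
            section[line.split()[0]] = line.strip()
    return groups, servers


def audit_tunnel_group(text, tg_name, mfa_group, authz_group):
    """Return a list of findings; an empty list means the tunnel-group
    matches the single-prompt DUO + ISE pattern."""
    groups, servers = parse_asa_config(text)
    tg = groups.get(tg_name)
    if tg is None:
        return [f"tunnel-group {tg_name} not found"]
    findings = []
    for g in (mfa_group, authz_group):
        if g not in servers:
            findings.append(f"aaa-server group {g} is not defined")
    primary = tg.general.get("authentication-server-group", "").split()
    if mfa_group not in primary:
        findings.append(f"primary authentication-server-group should be {mfa_group}")
    secondary = tg.general.get("secondary-authentication-server-group", "").split()
    if authz_group not in secondary:
        findings.append(f"secondary-authentication-server-group should be {authz_group}")
    if "use-primary-username" not in secondary:
        findings.append("secondary group must reuse the primary username (use-primary-username)")
    prefill = tg.webvpn.get("secondary-pre-fill-username", "").split()
    if "use-common-password" not in prefill:
        findings.append("secondary-pre-fill-username must send a common password (use-common-password)")
    elif "hide" not in prefill:
        findings.append("secondary-pre-fill-username should use 'hide' so only one password box is shown")
    return findings


# Constructed sample matching the answer's layout (dummy password is a placeholder).
GOOD_CONFIG = """\
aaa-server ISE protocol radius
aaa-server DUO protocol radius
!
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DUO
 secondary-authentication-server-group ISE use-primary-username
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 secondary-pre-fill-username client hide use-common-password CHANGEME-shared
"""

# Constructed sample with two common mistakes: the secondary group does not
# reuse the primary username, and the secondary field is still shown.
BAD_CONFIG = """\
aaa-server ISE protocol radius
aaa-server DUO protocol radius
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DUO
 secondary-authentication-server-group ISE
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 secondary-pre-fill-username client use-common-password CHANGEME-shared
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_tunnel_group(cfg, "DefaultWEBVPNGroup", "DUO", "ISE") or "OK")
```

Feed it the output of `show running-config` and the names of your two aaa-server groups; anything it reports corresponds to a line the answer's config needs and yours lacks. It does not check the ISE side (the "continue on authentication failure" policy), which only ISE itself can confirm.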