cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
488
Views
0
Helpful
3
Replies
thambright
Beginner

Cisco AnyConnect Secondary Authentication with DUO MFA

Is there a way to pre-configure the Secondary password field int the AnyConnect client with the word PUSH so that user do not have to type it in? Since we are using the push option in DUO only this would be a great feature so that it automatically sends the push to DUO.

3 REPLIES 3
Pablo
Cisco Employee

Password storage is not supported with Anyconnect; so this is not possible.

 

Are you working with different user databases for the primary authentication and DUO?

Yes, Primary authentication is to our Cisco ISE and then configured to use Secondary Authentication to DUO for the MFA. This gives us the ability to use our AD groups and downloadable ACL's within ISE.

In that case, your ISE should only required for authorization, DUO is taking care of authentication to the user DB and also sending the 2FA via the push so, there's no need to have the ISE check for username/password again.

With the configuration below, you still have 2FA along with DACL/group policy assigned by the ISE and the users will only be presented with a single username/password text box while connecting to the VPN gateway:

==================================================================================

aaa-server ISE protocol radius
authorize-only

aaa-server DUO protocol ldap|radius

tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group DUO
secondary-authentication-server-group ISE use-primary-username
default-group-policy NoAccess
authentication-attr-from-server secondary

tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication aaa
secondary-pre-fill-username client hide use-common-password <dummypasswd>

==================================================================================

***The ISE authentication policy matching the request from the ASA NAS IP needs to be set to continue if authentication fails. This is expected since DUO is terminating the authentication but radius can't separate authentication from authorization, that's also why you need to send a common password.

HTH.

 

 

 

Content for Community-Ad