06-03-2019 02:59 PM
Is there a way to pre-configure the Secondary password field in the AnyConnect client with the word PUSH so that users do not have to type it in? Since we are using the push option in DUO only, this would be a great feature so that it automatically sends the push to DUO.
Solved!
06-04-2019 11:16 AM
In that case, your ISE should only be required for authorization; DUO is taking care of authentication to the user DB and also sending the 2FA via the push, so there's no need to have the ISE check for username/password again.
With the configuration below, you still have 2FA along with DACL/group policy assigned by the ISE and the users will only be presented with a single username/password text box while connecting to the VPN gateway:
==================================================================================
aaa-server ISE protocol radius
 authorize-only
aaa-server DUO protocol ldap|radius
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DUO
 secondary-authentication-server-group ISE use-primary-username
 default-group-policy NoAccess
 authentication-attr-from-server secondary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa
 secondary-pre-fill-username client hide use-common-password <dummypasswd>
==================================================================================
***The ISE authentication policy matching the request from the ASA NAS IP needs to be set to continue if authentication fails. This is expected since DUO is terminating the authentication, but RADIUS can't separate authentication from authorization; that's also why you need to send a common password.
HTH.
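As an added example that is not part of the accepted answer or of any Cisco tooling, the Python below parses an ASA config in the shape posted above and flags whatever would break the DUO-primary / ISE-authorize-only design (a missing authorize-only, no hidden pre-filled secondary password, no fail-closed default group policy). The sample config and the function names are constructed for this illustration.

```python
# Constructed sample shaped like the accepted answer above, not a capture from a real ASA.
SAMPLE_CONFIG = """\
aaa-server ISE protocol radius
 authorize-only
aaa-server DUO protocol radius
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group DUO
 secondary-authentication-server-group ISE use-primary-username
 default-group-policy NoAccess
 authentication-attr-from-server secondary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa
 secondary-pre-fill-username client hide use-common-password dummypasswd
"""

def parse_blocks(text):
    """Group ASA config into {header line: [indented subcommands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def check_duo_ise_split(text, tunnel_group="DefaultWEBVPNGroup"):
    # Returns a list of findings; an empty list means the single-prompt layout is complete.
    b = parse_blocks(text)
    gen = b.get(f"tunnel-group {tunnel_group} general-attributes", [])
    web = b.get(f"tunnel-group {tunnel_group} webvpn-attributes", [])
    findings = []
    need = lambda cond, msg: None if cond else findings.append(msg)
    first = lambda lines, prefix: next((l for l in lines if l.startswith(prefix)), None)
    need(first(gen, "authentication-server-group "), "no primary authentication-server-group (DUO)")
    sec = first(gen, "secondary-authentication-server-group ")
    need(sec, "no secondary-authentication-server-group (ISE authorization not wired in)")
    if sec:
        name = sec.split()[1]
        # ISE only authorizes: without authorize-only the ASA expects it to validate the dummy password.
        hdr = first(b, f"aaa-server {name} protocol ")
        need(hdr and "authorize-only" in b[hdr], f"aaa-server {name} is not authorize-only")
        need("use-primary-username" in sec, "secondary server does not reuse the primary username")
    need("authentication-attr-from-server secondary" in gen, "DACL/group-policy not taken from the ISE reply")
    need(first(gen, "default-group-policy "), "no fail-closed default-group-policy (e.g. NoAccess)")
    pre = first(web, "secondary-pre-fill-username ")
    need(pre and "hide" in pre.split() and "use-common-password" in pre, "second password field still shown")
    return findings
```

Run it against `show running-config` output for your own tunnel-group name; any non-empty result points at the line to fix before users see a second prompt or ISE starts rejecting the dummy password.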
06-03-2019 08:53 PM
Password storage is not supported with AnyConnect, so this is not possible.
Are you working with different user databases for the primary authentication and DUO?
06-04-2019 05:21 AM
Yes, primary authentication is to our Cisco ISE, and then it is configured to use secondary authentication to DUO for the MFA. This gives us the ability to use our AD groups and downloadable ACLs within ISE.
01-16-2022 02:36 PM
Hi Pablo
My name is Ivan. I have a question: how can we manage the policy for AD users in the DUO proxy web portal and the configuration file (cfg)?
Is it necessary to protect only the ASA (RADIUS server auto) or also the ISE?
Regards, Ivan.