Cisco ASA Secure Client with MFA and Cisco Duo - Local Users

m.s.rees1 (Level 1)

Hi,

We're looking to allow 3rd party companies the ability to access our network via Cisco Secure Client. We have had this all working in the past but want to introduce the MFA (DUO) for extra security.

The question is, are we able to use local user accounts (from the ASA) and integrate them with Cisco Duo? So we would basically supply the 3rd parties a username and password, and they would have to use the supplied details, with DUO, to authenticate.

We don't want to use any form of AD/365 or have to set up additional 'proxy' servers and are wondering if this is possible and how to achieve it simply.

Thanks.

Accepted Solution

Mark Ftc (Level 1)

It is possible to use the LOCAL database/user accounts on the ASA in conjunction with Duo MFA; however, you will have to install a Duo Authentication Proxy.  Without the Duo Authentication Proxy, Duo MFA has no means of being invoked.

Here is how to do it (I'm only including configurations that are specific to making LOCAL+DUO work - other configurations are required for AnyConnect but are omitted).

ASA CONFIGURATION:
1: You will have to configure a new aaa-server specifying a RADIUS connection to your Duo Auth Proxy.

aaa-server Duo-Auth-Proxy protocol radius
aaa-server Duo-Auth-Proxy host <w.x.y.z>
 timeout 30
 key *****
 authentication-port 1888
 accounting-port 1889


2: You will need to configure your tunnel-group with a 'secondary-authentication' referencing your Duo Auth Proxy aaa-server configured in step 1.  By default the 'primary authentication' method will be against your LOCAL user account database.  This will be the locally configured user accounts on the ASA.  If you run the command <show run all tunnel-group> you will see the <authentication-server-group LOCAL> configuration line.

tunnel-group Testing_Local_and_Duo_Auth type remote-access
tunnel-group Testing_Local_and_Duo_Auth general-attributes
 address-pool testing_pool
 secondary-authentication-server-group Duo-Auth-Proxy
tunnel-group Testing_Local_and_Duo_Auth webvpn-attributes
 group-alias testing_alias enable

3: Of course, you will have your locally configured accounts configured on the ASA.

username testinguser2 password ***** encrypted
username testinguser1 password ***** encrypted


DUO AUTH PROXY CONFIGURATION:

Within the Duo Auth Proxy, you can configure a 'Radius Duo Only' configuration where only Duo MFA will be invoked for the authenticating user account.  Typically, the Duo Auth Proxy Radius configuration will verify credentials against a primary identity source (AD) and then prompt/verify via the Duo Cloud for the 2nd factor.  In this case, your primary identity source is the locally configured account on the ASA, so on the Auth Proxy you want to skip the check against the primary identity source and only prompt the 2nd factor.

[radius_server_duo_only]
ikey=<enter-your-ikey>
skey=<enter-your-skey>
api_host=<enter-your-apihost>
radius_ip_1=<w.x.y.z>
radius_secret_1=<enter-your-radius-secret>
port=1888
client=duo_only_client


DUO CLOUD CONFIGURATION:
You will need to configure a Radius protected application in your Duo Admin Panel.  This is where you will obtain the ikey, skey, and api_host values you will use in your Duo Auth Proxy configuration.  Additionally, you will need to manually (or via bulk import) add the ASA locally configured user accounts (using the same name) to your Duo Cloud.  These accounts will need to enroll their 2nd factor device (typically a smart phone).

OPERATION:
[Screenshot: AnyConnect login prompt showing the two username/password fields]
When a user tries to log into the tunnel-group you've configured with a 'secondary-authentication' you will have an AnyConnect login prompt requesting two usernames and two passwords.  The first set of username/password will be to authenticate against the locally configured username/password in the ASA.  The second set of username/password will be sent to the Duo Auth Proxy.  The username must match the Duo user account username you specified in your Duo Cloud during user creation.  Enrollment for this username/account will need to be complete.  The secondary password field will either be the Duo passcode the user acquired through their 2nd factor device or a string/text for the Duo 2nd factor prompt they wish to use for MFA ('push', 'phone', 'sms').

Please reference this Duo documentation:
https://duo.com/docs/radius-duo-only

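The secondary-factor exchange described above, as an added example that is not part of this thread or of Cisco's or Duo's code: a minimal RFC 2865 Access-Request builder for the ASA side and parser for the Duo Auth Proxy side, showing how the second username/password (for example 'push') reaches the proxy on port 1888 hidden under the RADIUS shared secret. The shared secret, request authenticator and usernames are constructed sample values.

```python
import hashlib
import os
import struct

# RADIUS port from the thread's ASA aaa-server / authproxy.cfg (port=1888).
DUO_PROXY_AUTH_PORT = 1888
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: MD5(secret + previous block) XOR plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the Duo Auth Proxy must do before calling Duo Cloud."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: str, factor: str, secret: bytes, authenticator: bytes = b"") -> bytes:
    """Access-Request the ASA sends for the secondary factor ('push', 'phone', 'sms' or a passcode)."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes per request
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(factor.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value  # TLV: type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Proxy-side parse: walk the TLV attributes and reveal the secondary password."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, result, pos = packet[4:20], {"code": code}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            result["username"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            result["password"] = reveal_password(value, secret, authenticator).decode()
        pos += attr_len
    return result
```

The hiding is only an MD5 keystream keyed by the shared secret, which is why the `key` in the aaa-server block and `radius_secret_1` in authproxy.cfg deserve a long random value rather than a short word.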

3 Replies

Wow thanks for such a detailed response. This is very helpful! Appreciate your time.

You're welcome!