11-20-2021 06:45 AM
Hey guys,
I have implemented Duo for VPN users, but I am facing some difficulty.
I have 2 groups in my AD: 1 group is for VPN users and the other is not. While setting up the Duo Auth Proxy we do give AD's IP address, but I wanted to know if there is some way to specify in the Duo Auth Proxy to use only a specified group for authentication.
After implementing Duo, the non-VPN user group was able to use the VPN for some reason and I want to limit that. I only want to give the specific group's details to the auth proxy; is it possible?
11-20-2021 07:40 AM
Cisco's new Cisco Duo for AnyConnect VPN on ASA is a game changer in the world of VPNs. The Cisco Duo for AnyConnect VPN on ASA does not require any additional software to be installed and it can be deployed without having to change network configuration. It also provides an easy-to-use management interface so you can see who has logged in, how long they were connected, and what device was used when they logged in. All this information is available at your fingertips so you know what devices are connecting to your network!
11-20-2021 08:34 AM
This is the relevant documentation for your problem:
https://duo.com/docs/authproxy-reference
The important part is the following attribute that you have to include in the config of the auth proxy:
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
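A way to check an existing proxy config for the gap described in this thread, as an added example that is not part of the original posts or Duo's own tooling: it parses an `authproxy.cfg` and reports which RADIUS listeners point at an AD client that has no `security_group_dn`. The sample config is constructed; the section and key names other than `security_group_dn` (`ad_client`, `radius_server_auto`, `client`, `search_dn`) are taken from Duo's Authentication Proxy reference rather than from the thread, and the hosts, account and DNs are placeholders.

```python
import configparser

# Constructed sample authproxy.cfg; hosts, accounts and DNs are placeholders.
SAMPLE_CFG = """
[ad_client]
host=192.0.2.10
service_account_username=duosvc
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com

[ad_client2]
host=192.0.2.10
service_account_username=duosvc
search_dn=DC=example,DC=com

[radius_server_auto]
client=ad_client
port=1812

[radius_server_auto2]
client=ad_client2
port=1813
"""

def audit_group_restriction(cfg_text):
    """Map each RADIUS listener to (client section, security_group_dn or None)."""
    # interpolation=None: values may contain '%'; strict=False tolerates repeats.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("radius_server"):
            continue
        client = cp.get(section, "client", fallback=None)
        dn = None
        if client and cp.has_section(client):
            # An empty value restricts nothing, so treat it as missing.
            dn = cp.get(client, "security_group_dn", fallback="").strip() or None
        result[section] = (client, dn)
    return result

def unrestricted_listeners(cfg_text):
    """Listeners whose primary-auth client is not limited to an AD group."""
    audit = audit_group_restriction(cfg_text)
    return sorted(s for s, (_, dn) in audit.items() if dn is None)

if __name__ == "__main__":
    for server, (client, dn) in audit_group_restriction(SAMPLE_CFG).items():
        print(f"{server} -> {client}: {dn or 'no security_group_dn set'}")
```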
11-21-2021 05:33 AM
Hello Karsten,
Thank you for your response, I got my answer.
I have another question: if my Duo Authentication Server cannot reach the Duo cloud for some reason (Internet disconnectivity, etc.), the normal behaviour is that it will bypass the Duo authentication. I wanted to know if there is some way to not bypass it; I mean, I will not mind if my users do not get to use the VPN during that time.