
Cisco Duo MFA for VPN users

Asfandyar70754
Level 1

Hey guys,

 

I am trying to implement Cisco Duo for AnyConnect VPN users on ASA. I do not have ISE in my network, so I have done it on my ASA, but for some reason the Duo push does not arrive on the cellphone and there are no logs on the Duo admin panel either.

I ran the connectivity tool command on the Auth proxy machine too, and connectivity seems alright.

So what could be the issues here? What should I check?

 

3 Replies

balaji.bandi
Hall of Fame

I believe you need the federation to sync your users with DUO

 

https://duo.com/docs/adfs

 

BB


Peter Koltl
Level 7

Directory Sync (not the same as ADFS) is useful, but actually Duo just checks if the user exists in the Duo portal (either created manually or synced from AD). Test it without ad_client first (just Duo, no AD auth). What is your tunnel-group config in ASA?

Milos_Jovanovic
VIP Alumni

Hi @Asfandyar70754,

As @Peter Koltl said, sync of Duo with AD is a nice feature, but users can always be manually added.

You should check the log on the Duo Authentication Proxy server to see if the RADIUS request from the ASA even arrived. For Windows, you should look in "C:\Program Files\Duo Security Authentication Proxy\log". That log would tell you most precisely what happened: either there is no authentication attempt (so you should look into the ASA or the transport path), or the authentication request arrived but the first factor failed (you would see the reason for that), or a timeout towards the Duo cloud happened, thus no push arrived (so you need to check the transport path from the Duo Authentication Proxy server towards the Internet).

Kind regards,

Milos
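
The three-way check described in the reply above, as an added example that is not part of the original thread and is not Duo's or Cisco's own code. The message patterns, the sample log lines and the address 192.0.2.10 used for the ASA are assumptions constructed for illustration; match them to the wording in your own proxy log.

```python
import re

# Message fragments are ASSUMED wording; authproxy.log text differs between
# proxy versions, so adjust these patterns to what your own log shows.
REQUEST = re.compile(r"Received new request id \d+ from \('(?P<ip>[^']+)'")
PRIMARY_FAIL = re.compile(r"Primary credentials rejected", re.I)
CLOUD_TIMEOUT = re.compile(r"duosecurity\.com.*timed out|timed out.*duosecurity\.com", re.I)

NEXT_STEP = {
    "no_request": "No RADIUS request from the ASA: check the ASA and the path to the proxy.",
    "first_factor_failed": "Request arrived, first factor failed: read the reason in the log.",
    "duo_cloud_timeout": "Timeout towards the Duo cloud: check the proxy's path to the Internet.",
    "no_match": "Request arrived, no known failure matched: read the log around it.",
}

def triage(lines, asa_ip):
    """Return which of the outcomes from the reply above a log excerpt shows."""
    seen_request = primary_failed = cloud_timeout = False
    for line in lines:
        m = REQUEST.search(line)
        if m:
            # Only count requests whose source is the ASA itself.
            seen_request = seen_request or m.group("ip") == asa_ip
        elif PRIMARY_FAIL.search(line):
            primary_failed = True
        elif CLOUD_TIMEOUT.search(line):
            cloud_timeout = True
    if not seen_request:
        return "no_request"
    if primary_failed:
        return "first_factor_failed"
    if cloud_timeout:
        return "duo_cloud_timeout"
    return "no_match"

# Constructed sample excerpts (not real log output); 192.0.2.10 stands in for the ASA.
ASA = "192.0.2.10"
SAMPLES = {
    "empty": ["2024-01-01T10:00:00+0000 [info] Init Complete"],
    "bad_password": [
        "2024-01-01T10:00:01+0000 [info] Received new request id 7 from ('192.0.2.10', 51000)",
        "2024-01-01T10:00:01+0000 [info] (('192.0.2.10', 51000), 7): Primary credentials rejected",
    ],
    "cloud": [
        "2024-01-01T10:00:02+0000 [info] Received new request id 8 from ('192.0.2.10', 51001)",
        "2024-01-01T10:00:32+0000 [error] Connection to api-XXXXXXXX.duosecurity.com timed out",
    ],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        result = triage(lines, ASA)
        print(f"{name}: {result} -> {NEXT_STEP[result]}")
```
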
