shaikh.zaid22
Beginner

DUO integration with FTD for RA VPN

Hi,

I am planning to add second-factor authentication to our existing Remote Access VPN on Cisco FTD via FMC, using DUO. Do I need any license or account creation on DUO, meaning do I need to spend some budget?

And how feasible and successful is the integration with FTD via FMC running 6.4?


10 REPLIES
Rob Ingram
VIP Mentor

@shaikh.zaid22 

You need to pay for DUO; the cost is per user. It is best to contact your Cisco partner for more information.

https://duo.com/editions-and-pricing

Thanks Rob... Appreciate your swift responses, always.

Marvin Rhoads
VIP Community Legend

In addition to what @Rob Ingram mentioned, Duo MFA for FTD-based remote access VPN managed with FMC works perfectly fine. My company and several of our customers use it.


Thanks Rob and Marvin.


I was wondering if I can restrict the RA VPN users to access the AnyConnect client only from the registered domain PCs (by MAC address or hostname, etc.). In that case, can I save the money (for DUO) and also secure the connection? Even if a username and password are stolen, the correct device would still be required to log in via AnyConnect.

Hope I wrote what I meant correctly... so is it possible?

We have a single ISE node in our infrastructure providing wireless 1) Guest access and 2) wireless Staff access for domain PCs to join via machine authentication and PEAP. However, it's a single point of failure.

I want to know if it's possible to bring the RA VPN users through ISE, authenticate their PCs to confirm they are domain PCs, and only then allow the AnyConnect client to connect to the VPN.

Secondly, if we go for this, do we require any licenses on ISE (like a VPN license on ISE), etc.?

What do you guys suggest for my current environment, considering the single ISE node and that presently the FMC and FTD have no contact with ISE whatsoever... Please guide.

Rob Ingram
VIP Mentor

If you spend even more money by purchasing ISE, you can restrict the users from authorizing if they are connecting from a device that isn't a profiled endpoint. Regardless, DUO is licensed per user: if you have 100 users requiring remote access, then you purchase 100 licenses. If a user's username/password and device were stolen, they would still need the DUO passcode to be able to connect to the VPN.


Is there any way we can check the registry key, as is available in Fortigate FWs, to verify the device before it connects to the RA VPN? That way we can prevent personal devices from connecting and allow only domain PCs, etc.


@shaikh.zaid22 

If you use ISE for authorisation, you can perform posture checks. As part of that you can check whether the correct registry key is present on the computer and permit/deny access accordingly.

 

This is the registry key to check:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain

Value=domainname.local

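As an added example, not code from this thread or from Cisco: a PowerShell function that reads the registry value named above and compares it with the expected domain, which is the same condition an ISE posture check would evaluate on the endpoint. The expected value domainname.local is the placeholder from the post; the function name Test-DomainRegistryValue and the Win32_ComputerSystem cross-check are my own additions.

```powershell
# Added example (not from the thread): evaluate the registry condition a
# posture check would test, plus a corroborating domain-membership query.
function Test-DomainRegistryValue {
    param(
        # 'domainname.local' is the placeholder value used in the thread
        [string]$ExpectedDomain = 'domainname.local',
        # Key path quoted in the thread, in PowerShell drive notation
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    )

    try {
        # -ErrorAction Stop turns a missing key or missing 'Domain' value into a catchable error
        $actual = (Get-ItemProperty -Path $KeyPath -Name 'Domain' -ErrorAction Stop).Domain
    } catch {
        # Value absent: the posture "deny" branch
        return [pscustomobject]@{
            Compliant    = $false
            Actual       = $null
            DomainJoined = $null
            Reason       = 'Domain value not present under Tcpip\Parameters'
        }
    }

    # Case-insensitive comparison, since DNS names are case-insensitive
    $matches = ($actual -ieq $ExpectedDomain)

    # Added corroboration (my assumption, not part of the thread): ask the OS
    # whether the machine is actually domain-joined, since the registry value
    # alone is a configuration setting that a local administrator can change.
    $joined = $false
    try {
        $joined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop).PartOfDomain
    } catch {
        $joined = $null   # CIM unavailable; leave undetermined
    }

    $reason = if ($matches) { "Domain value matches '$ExpectedDomain'" }
              else { "Domain value is '$actual', expected '$ExpectedDomain'" }

    return [pscustomobject]@{
        Compliant    = ($matches -and ($joined -ne $false))
        Actual       = $actual
        DomainJoined = $joined
        Reason       = $reason
    }
}

# Usage: run on the endpoint being evaluated; non-zero exit means "deny"
$result = Test-DomainRegistryValue -ExpectedDomain 'domainname.local'
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

The script only shows what the condition evaluates; in the deployment discussed here, ISE evaluates it through the AnyConnect posture module rather than by running a script. Because the registry value is writable by a local administrator, it indicates configuration rather than proving membership, which is why a certificate deployed to domain computers, as suggested later in the thread, is the stronger control.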

Thanks Rob,

We do not have an ISE appliance. Is there any other way we can achieve this via FMC or FTD?

Not with the FMC without ISE, no. If you were managing the FTD locally using FDM you could configure DAP, but this is not fully developed yet.


In your situation if you deployed a certificate to your domain computers you could ensure only these computers would be able to authenticate.
