01-26-2021 11:40 PM
Hi,
I am planning to add second-factor authentication to our existing Remote Access VPN on Cisco FTD via FMC, using DUO. Do I need any license or account creation on DUO, meaning do I need to spend some budget?
And what is the feasibility and likelihood of success of integrating it with FTD via FMC running 6.4?
01-26-2021 11:44 PM
You need to pay for DUO; the cost is per user. Best you contact your Cisco partner for more information.
01-31-2021 12:31 AM
Thanks Rob... Appreciate your swift responses always.
01-27-2021 12:25 AM
In addition to what @Rob Ingram mentioned, Duo MFA for FTD-based remote access VPN managed with FMC works perfectly fine. My company and several of our customers use it.
01-27-2021 01:17 AM
Thanks Rob and Marvin.
I was wondering if I can restrict the RA VPN users to accessing the AnyConnect client only from registered domain PCs (by MAC address or hostname, etc.). In that case, can I save the money (for DUO) and still secure the connection? Even if a username and password are stolen, the correct device would still be required to log in via AnyConnect.
Hope I wrote correctly what I meant... so is it possible?
01-27-2021 08:47 PM
We have a single ISE node in our infra providing wireless 1) guest access and 2) wireless staff access for domain PCs to join via machine authentication and PEAP. However, it's a single point of failure.
I want to know if it's possible to bring the RA VPN users through ISE, authenticate their PCs (whether they are domain PCs), and then allow the AnyConnect client to connect to the VPN?
Secondly, if we go for this, do we require any licenses on ISE (like a VPN-on-ISE license), etc.?
What do you guys suggest for my current environment, considering the single ISE node and that presently the FMC and FTD have no contact with ISE whatsoever... Please guide.
01-27-2021 01:29 AM - edited 01-27-2021 02:18 AM
If you spend even more money by purchasing ISE, you can restrict the users from authorizing if they are connecting from a device that isn't a profiled endpoint. Regardless, DUO is licensed per user: if you have 100 users requiring remote access, then you purchase 100 licenses. If a user's username/password and device were stolen, they would still need the DUO passcode to be able to connect to the VPN.
01-30-2021 11:53 PM
Is there any way we can check a registry key, like is available in FortiGate FWs, to verify the device before it connects to the RA VPN? In this way we can prevent personal devices from connecting and allow only domain PCs, etc.
01-31-2021 12:05 AM
If you use ISE for authorisation, you can perform posture checks. As part of that you can check whether the correct registry key is present on the computer and permit/deny access accordingly.
This is the registry key to check:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain
Value=domainname.local
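To see locally what such a posture condition would observe on a client, here is an added PowerShell check; it is not code from the thread or from Cisco/ISE. The expected domain name is a placeholder, and the comparison against Win32_ComputerSystem is an extra consistency check the posts do not mention.

```powershell
# Added example: emulate the registry posture condition from the post above.
# $ExpectedDomain is a placeholder; substitute your AD DNS domain name.
function Test-DomainRegistryPosture {
    param(
        [Parameter(Mandatory)] [string] $ExpectedDomain,
        [string] $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    )

    # Read the Domain value; a missing value is treated as non-compliant
    # instead of terminating the check with an error.
    $observed = $null
    try {
        $observed = (Get-ItemProperty -Path $KeyPath -Name 'Domain' -ErrorAction Stop).Domain
    } catch {
        $observed = $null
    }

    # Workgroup machines usually have the value present but empty, so an
    # existence check alone is not enough; compare the content as well.
    $registryMatch = (-not [string]::IsNullOrWhiteSpace($observed)) -and
                     ($observed -ieq $ExpectedDomain)

    # Secondary signal: what the OS itself reports about domain membership.
    # A mismatch between the two is worth investigating on the endpoint.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $osJoined = $cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

    [pscustomobject]@{
        KeyPath          = $KeyPath
        ObservedDomain   = $observed
        ExpectedDomain   = $ExpectedDomain
        RegistryMatch    = $registryMatch
        OsReportsJoined  = $osJoined
        Compliant        = ($registryMatch -and $osJoined)
    }
}

# Usage with the placeholder domain from the post:
Test-DomainRegistryPosture -ExpectedDomain 'domainname.local'
```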
01-31-2021 12:17 AM
Thanks Rob,
We do not have an ISE appliance. Is there any other way we can achieve this via FMC or FTD?
01-31-2021 12:30 AM
Not with the FMC without ISE, no. If you were managing the FTD locally using FDM you could configure DAP, but this is not fully developed yet.
In your situation if you deployed a certificate to your domain computers you could ensure only these computers would be able to authenticate.