DUO MFA for ASA Admin/management


We have an old Cisco ASA (5508) which has Duo configured for AnyConnect VPN, but using local accounts ONLY for Admin/Management. We are moving to a new FirePower device (in ASA mode) and want to enable some sort of SSO or MFA for Administrators using ASDM and SSH.

I've tried setting up Duo in a similar way as our previous Anyconnect (using Authentication Proxy Server), but while it authenticates domain users, I cannot find a way to only allow members of a specific AD group. I've been able to do this using full-scale RADIUS (Microsoft NPAS) but want to then pass this through Duo for MFA.

I've read an old post (c.2019) that says Duo's RADIUS implementation cannot determine group membership. Is this still the case?

Can anyone recommend the best way to achieve the following:

Restrict admin/management of a Firepower FPR1140 device using ASDM & SSH to a specific AD user group and require MFA.

4 Replies

In Duo, create a new application with the appropriate limits, rules, etc.

On the auth proxy, create a new RADIUS server on a different port, pointed at the new application via its ikey/key.

On the new ASA, create a new AAA server config pointed at the new Duo server.

You could also do the auth proxy and ASA AAA config using LDAP.

Thanks Ken, I've been struggling with this for a while and have already tried various methods, the first of which was AAA using LDAP, as it sounded like it should work. However, I could not get it to work as expected. The way I'd configured it, it seemed to allow any valid domain member to authenticate, regardless of whether or not they were in my specified FWAdmins group in AD. Then I read somewhere that LDAP can only be used for VPN rather than local device management. Don't know whether this was an old page, or whether it's just bad info.

You can use LDAP for AAA to the Firewall... I have my old 5525s pointed at LDAP right now.

The trick here is to put the limits in Duo in the Application configuration (only allow the FWAdmins group).
You could also limit it via a second [ad_client] section and use an LDAP filter there so only the FWAdmins group can auth via it.


ikey=DIXXXXXXXXXXXXXXXXXX <= points at your FWAdmins application in the Duo Admin Panel that has the group limitation on it.



Cisco Employee

To get group memberships you either have to use ldap_server_auto with ad_client (as another poster suggested) or radius_server_whatever with radius_client. A mixed config of radius_server_whatever with ad_client cannot get the group memberships.

So, if you already have NPS then point radius_client in authproxy.cfg to your NPS server, and specify pass_through_all=true in both the radius_client and radius_server_whatever sections. That way additional RADIUS attributes returned by AD via NPS (like group memberships) get passed back through the Duo proxy to the NGFW.

The advantage of radius+radius over ldap+ldap is that ldap doesn't report the authenticating client's IP address but radius does (assuming the radius access-request includes an IP value for calling_station_id). So the RADIUS auths will have location information in the Duo admin panel, or at least a private network IP, but LDAP auths have no location info (no IP).
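To make the two options concrete (the second [ad_client] with a group limit from the earlier reply, and the radius_client + pass_through_all layout from this one), here is an added authproxy.cfg fragment that is not from the thread or from Duo; every host, key, secret, DN and port is a placeholder to replace with your own values, and the ikey/skey/api_host belong to the separate admin application created in the Duo Admin Panel, never the AnyConnect one.

```ini
; Added example authproxy.cfg fragment (not from the thread). All values are
; placeholders: addresses, secrets, DNs and ports must be replaced.

; Option A - RADIUS in, RADIUS out. NPS does primary auth and enforces the
; FWAdmins group in its network policy; the proxy adds MFA and, because
; pass_through_all is set in BOTH sections, relays the attributes NPS returns
; to the firewall. (A radius_server_* section paired with ad_client cannot.)
[radius_client]
; Microsoft NPS (placeholder address and secret)
host=10.0.0.5
secret=NPS_SHARED_SECRET_PLACEHOLDER
pass_through_all=true

[radius_server_auto]
; keys of the admin application in the Duo Admin Panel (placeholders)
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client
; separate listener so the existing AnyConnect listener on 1812 is untouched
port=18120
; the firewall's management interface and the secret it will use (placeholders)
radius_ip_1=10.0.0.1
radius_secret_1=FW_SHARED_SECRET_PLACEHOLDER
pass_through_all=true
; deny admin logins if Duo is unreachable; the firewall's LOCAL fallback
; in its aaa authentication commands covers that outage case
failmode=secure

; Option B - LDAP in, LDAP out. A second ad_client bound to the FWAdmins
; group, so only its members pass primary auth through this listener.
[ad_client2]
; domain controller and service account (placeholders)
host=10.0.0.10
service_account_username=svc_duo_proxy
service_account_password=SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER
search_dn=DC=example,DC=local
security_group_dn=CN=FWAdmins,OU=Groups,DC=example,DC=local

[ldap_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client2
; non-default port so it does not clash with an existing ldap_server_auto
port=3890
failmode=secure
```

With either option, also set the admin application's "Permitted groups" policy in the Duo Admin Panel so the group check is enforced at the MFA step as well as at primary auth.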

Duo, not DUO.