Showing results for 
Search instead for 
Did you mean: 

EOL for Duo LDAP cloud service and Migration Path


А couple of weeks ago I received a notification that the EOL for Duo LDAP cloud service (LDAPS) is approaching.
I found a migration path that solves the problem on the site. RADIUS 2FA for Cisco ASA SSL VPNs | Duo Security
but I have a couple of questions that are not very clear to me after reading and watching the video.
Is radius a necessary step?
In the video example the radius is used as a protocol, in the ASA setting it is selected in the drop-down menu for AAA server group.

If my environment don’t have radius, is AD enough?

additional: the part that confuses me

“This Duo proxy server will receive incoming RADIUS requests from your Cisco ASA SSL VPN, contact your existing local LDAP/AD or RADIUS server to perform primary authentication if necessary, and then contact Duo’s cloud service for secondary authentication.”

2 Replies 2

Cisco Employee
Cisco Employee

Hi stefan, Welcome to the Duo Community.
AD is indeed enough and you do not need a RADIUS server.

The proxy will act as a RADIUS server and receive RADIUS authentications from your ASA using its [radius_server_auto] section.

These authentications will be translated to LDAP and be sent to your AD for username and password verification using the [ad_client] section.

The flow looks like this:

ASA --RADIUS–> Proxy --LDAP–> AD

So, the example in video is 1 on 1 how to configure it / migrate on the environment where I only have AD, and want to migrate to DUO MSP?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links