AnyConnect: ‘Quick and Dirty’ Duo 2FA

KB ID 0001701

Problem

Normally, if I were deploying Duo 2FA with AnyConnect, I'd deploy the Duo 'Cisco RADIUS VPN' application against a RADIUS server on my LAN (usually my Duo Authentication Proxy). See the following article:

AnyConnect: Enable Duo 2Factor Authentication

However, the last time I set this up, a colleague said, 'Oh by the way, you don't need to do that, you can just point the firewall directly at Duo'. I was initially skeptical, but I tried it and it worked. I thought no more about it until this week, when another colleague asked me to help him set up Duo for AnyConnect.

As you can see, the firewall queries Duo using LDAPS, but the Duo application I'm using is called 'Cisco RADIUS VPN'. This makes my networking OCD itch tremendously (RADIUS and LDAPS are completely different protocols!), but it works, so here we go.

Solution

Note: For this solution you don't even need to sync your users to Duo (though it's fine if you do), as long as the users exist there.

In Duo, select 'Protect an Application' and choose 'Cisco RADIUS VPN'. If you are unfamiliar with Duo, you need to take a copy of the Integration Key, the Secret Key and the API Hostname. (Note: Don't try using the ones shown, they have been changed!)

On the Firewall > Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups > Add > Call it ‘DUO-EXTERNAL’ > Select LDAPS > OK.

With your DUO-EXTERNAL group selected > In the bottom window > Add.

  • Interface Name: {Your outside interface name}
  • Servername: {Your Duo API Hostname}
  • Timeout: 60 
  • Enable LDAP over SSL: Enabled
  • BaseDN: dc={Your Integration Key},dc=duosecurity,dc=com
  • Naming Attribute: cn
  • Login DN: dc={Your Integration Key},dc=duosecurity,dc=com
  • Login Password: {Your Secret Key}

OK > Apply.

TO TEST: Press Test > Select Authentication > Use the username displayed in Duo > Type push into the password box, and your phone should then prompt for 2FA authentication. (If it fails: Make sure the time is correct on the ASA, and at least do some debugging before posting below!)

Now either create a new AnyConnect profile, and use this new AAA method, or simply change the AAA method for an existing AnyConnect profile, (like below).
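The ASDM steps above, expressed as the equivalent ASA CLI. This is an added example and not configuration from the original article: the group name DUO-EXTERNAL and the LDAP attribute values follow the steps above, while the API hostname, Integration Key, Secret Key, username and the tunnel-group name ANYCONNECT-TG are placeholders you must replace with your own.

```cisco
! AAA server group that talks to Duo's LDAPS endpoint directly (no Authentication Proxy)
aaa-server DUO-EXTERNAL protocol ldap
! Duo is reached via the outside interface; the ASA must be able to resolve the
! hostname (dns domain-lookup <interface> and a dns server-group are required)
aaa-server DUO-EXTERNAL (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 ! Base DN and Login DN are both built from your Duo Integration Key
 ldap-base-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ! The login password is the Duo Secret Key (masked in 'show running-config')
 ldap-login-password YOUR-DUO-SECRET-KEY
 ! 'Enable LDAP over SSL' in ASDM corresponds to these two lines
 ldap-over-ssl enable
 server-port 636
!
! Point an existing AnyConnect connection profile at the new group
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group DUO-EXTERNAL
!
! CLI equivalent of the ASDM 'Test' button: the password 'push' triggers a Duo push
! test aaa-server authentication DUO-EXTERNAL host api-XXXXXXXX.duosecurity.com username duo.username password push
!
! If the test fails, check the clock first (a skewed clock breaks the TLS
! certificate check on the LDAPS connection), then watch the LDAP exchange:
! show clock
! debug ldap 255
```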

A word of warning: when I did this (both in production and on my test ASA) I got a strange error; I've documented that and the fix below.

AnyConnect: Unauthorized Connection Mechanism

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

4 Comments

  1. Hi,

    Great article. I have this functioning and also used this article alongside yours: (https://duo.com/docs/ciscoasa-ldap), however only one thing is not working and I cannot get to the bottom of it.

    Essentially, as long as I have the AnyConnect client installed (on mobile or desktop\laptop), 2FA works, but if I go to the browser\webvpn portal, I am not getting the DUO splash/enrollment/login page after login; in fact it just stays on the ASA SSL login page.

    Any ideas?

  2. Hi,

    (Resolved) I was using the modified sign-in page as specified in the Duo article 'Modify the Sign-in Page'. I removed this and all is good, albeit that instead of the DUO splash I get the 'Second Password' option on the login screen.

  3. Are there any extra steps involved for this, or anything special on the Duo side? I tried doing just the LDAP auth as primary authentication for AnyConnect and it fails; the Duo portal just says Invalid Passcode and the user gets re-prompted. I can't find any documentation on Duo's site about using only DUO LDAP for primary auth; all their articles mention that a different identity source needs to handle primary auth.

    • No, as long as the username and password appear in the Duo portal.
