This blog post is the first in a three-part series on how Duo’s MFA integrates with Cisco AnyConnect VPN.
A Duo Security push will automatically be sent to your default Duo device. For any other method for authentication, use the table below. With successful authentication, the Cisco AnyConnect application displays the message Connected to VPN Pool at the top of the screen. To disconnect and end the connection, click Disconnect.
Duo for AnyConnect VPN Duo's multi-factor authentication (MFA) is the easiest MFA solution to protect your Cisco AnyConnect VPN. Duo integrates seamlessly with Cisco's AnyConnect VPN, providing an additional layer of security for your remote access. Or is this the end of the train? The ability to manage everything in one spot was key with Cisco, otherwise I don't see any advantage over HPE or SuperMicro. I just can't imagine relying on Cisco's cloud infra to manage our local hardware. Suddenly a Cisco outage is an outage for a LOT of companies.
Organizations are facing a major technology shift. They’re in the process of moving many of their on-premises workloads and applications to the cloud. But the transition to cloud isn’t as simple as flipping a switch – it takes time and strategy to ensure it goes smoothly.
Logging In With the Cisco AnyConnect Client. Depending on how your company configured Duo authentication, you may or may not see a “Passcode” field when using the Cisco AnyConnect client. Single Password with Automatic Push. If AnyConnect only prompts for a password, like so. Duo integrates with your Cisco ASA or Firepower VPN to add two-factor authentication to AnyConnect logins. Duo can add two-factor authentication to ASA and Firepower VPN connections in a variety of ways. Learn more about these configurations and choose the best option for your organization. Cisco ASA with AnyConnect.
Many Duo customers run hybrid environments in which they have a mix of applications in the cloud and on-premises. They’ve moved major applications such as email, file sharing, collaboration and marketing automation to the cloud, while on-premises applications are accessible via a virtual private network (VPN).
For IT admins, your goal becomes ensuring productivity by enabling access all applications – on-premises and in the cloud – from anywhere at any time, while also ensuring that access is secure and meets all necessary compliance regulations. Adding Duo’s multi-factor authentication (MFA) to VPN solutions, like Cisco AnyConnect, enables secure access to all applications.
Why Protect Cisco AnyConnect with Duo’s MFA?
Security research shows attackers continue to use credentials compromised via phishing, brute force and other attack methods to gain unauthorized access to internal business applications. If attackers steal VPN credentials, they could potentially access corporate applications and data, which could lead to catastrophic data breaches.
Meanwhile, for some organizations, securing VPN access is a data regulatory compliance requirement – PCI DSS 3.2 requires organizations with cardholder data environment (CDE) to secure all remote access with MFA, and several other compliance regulations, such as HIPAA and NIST 800-171, have similar requirements regarding MFA. Duo’s MFA helps you instantly reduce the risk of a data breach while also helping you quickly and easily meet compliance requirements.
From a security risk perspective, securing access to your VPN is just one of many proactive steps you can take. As workloads and applications increasingly run in the cloud, you want to ensure a consistent level of access security for all applications. With Duo, you can easily add MFA to cloud apps such as Office 365, AWS, Google, Workday, Box and more. There are no additional steps for end users. If they are already enrolled into Duo’s MFA service, they will be prompted to authenticate when they log in to access their cloud applications. After Duo’s MFA is set up with on-premises and cloud applications, you can also take advantage of its rich device telemetry, which provides visibility into the security posture of all user devices, such as laptops, desktops and mobile devices, including all personal devices (bring your own device – BYOD) that access applications.
Along with user authentication, Duo provides visibility into all corporate-owned and BYO devices without the use of agents. Since there are no device agents involved, Duo is easier to deploy and more user friendly. With complete device visibility, you can determine risks due to personally-owned devices in your environment. For example, one enterprise healthcare customer discovered 30,000 devices that they were previously unaware of had been accessing their environment – and nearly 50 percent of those devices didn’t meet their company’s security and compliance requirements.
Clear Cisco Vpn Cache
You can leverage the user and device data Duo collects to enforce security policies based on the risk level of data and applications. For example, you can enforce a security policy for VPNs to allow access only from specific locations, such as United States, and only from devices running up-to-date software. With Duo, you have a high level of assurance before granting a user and their device access to applications. Many of our customers also call this type of security zero trust or the software-defined perimeter (SDP). Cisco can help accelerate your zero trust journey with Cisco Trusted Access.
Learn more about the benefits of protecting your Cisco AnyConnect with Duo’s MFA, and sign up for a 30 day free trial.
Join our webinar on February 21st @ 10:00am PT to learn more. Register here.
Introduction
This document describes how to configure a Duo Lightweight Directory Access Protocol (LDAP) identity source object through REST API and using this object in the Remote Access VPN (RA VPN) connection profile as a secondary authentication identity source on Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of RA VPN configuration on FDM.
- Basic knowledge of REST API and FDM REST API Explorer.
- Cisco FTD running version 6.5.0 and above managed by Cisco Firepower Device Manager (FDM).
- FTD registered with the smart licensing portal with Export Controlled Features enabled (in order to allow RA VPN configuration tab to be enabled).
- AnyConnect Licenses enabled (APEX, Plus or VPN-Only).
Components Used
The information in this document is based on these software and hardware versions:
- Cisco FTD running version 6.5.0-115
- Cisco AnyConnect Secure Mobility Clientversion 4.7.01076
- Postman or any other API development tool
- Duo web account
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
From FTD version 6.5, you can use Duo LDAP Identity Source object directly in the RA VPN profile for secondary authentication with the help of REST API.
Prior to this version, two-factor authentication was supported only via Duo Proxy and RADIUS.
Authentication Flow
Authentication Flow Explained
- The user initiates a remote access VPN connection to the FTD and provides a username and password for Primary Authentication.
- FTD sends the authentication request to the primary authentication server.
- Once the primary authentication is successful, FTD sends a request for secondary authentication to the Duo LDAP server.
- Duo then authenticates the user, depending on the input for secondary authentication (push, passcode, phone).
- Duo responds to the FTD to indicate whether the user authenticated successfully.
- If the secondary authentication was successful, the FTD establishes a remote access VPN connection.
Configure
In order to complete the configuration take into consideration these sections:
Configuration on Duo Administration Portal
Step 1. Login to your Duo account (https://admin.duosecurity.com).
Navigate to Applications > Protect an Application.
Step 2. Select your Authentication Application as Cisco ASA SSL VPN.
Integration Key, Secret Key, and API hostname are used while Duo LDAP object is added through the REST API.
Note: Do not select Cisco Firepower Threat Defense as it is used to add Duo as a Proxy Server.
Step 3. Create a username and activate Duo Mobile on the end device.
Add yourself to the Duo cloud administration webpage. Navigate to Users > Add users
Note: Ensure the end-user has the Duo app installed on.
Step 4. Add your phone number for the automatic generation of code.
Step 5. Select ActivateDuo Mobile.
Step 6. Select Generate Duo Mobile Activation Code.
Step 7. Select Send Instructions by SMS.
Step 8. In order to enroll in the Duo app, click on the link in the SMS. Your account details can be seen in the Device Info section, as shown in the image.
Configuration on POSTMAN
Step 1. Launch the API Explorer of the FTD on a Browser Window.
Navigate to https://<FTD Management IP>/api-explorer
For the configuration displayed the following URL is used: https://10.197.224.99/api-explorer This contains the entire list of API available on the FTD.
It is divided based on the main feature with multiple GET/POST/PUT/DELETE requests which is supported by the FDM.
Note: In this example, we have used POSTMAN as the API.
Step 2. Add a Postman collection for Duo.
Give a name for the collection.
Edit the Authorization tab and update the type to OAuth 2.0
Cisco Duo Anyconnect Login
Step 3. Add a new request Auth to create a login POST request to the FTD in order to get the token to authorize any POST/GET requests.
The Body of the POST request must contain these:
| Type | raw - JSON (application/json) |
| grant_type | password |
| username | Admin Username in order to log in to the FTD |
| password | The password associated with the admin user account |
POST Request : https://<FTD Management IP>/api/fdm/latest/fdm/token
The Body of the Response contains the access token which is used in order to send any PUT/GET/POST requests from the FTD.
Step 4. Create Get Interface information request to get the interface details through which Duo would be reachable.
The Authorization tab must contain the following for all subsequent GET/POST requests:
| Type | Bearer Token |
| Token | The access token received by running the login POST Request |
The Body of the Response contains the interface information (version, name, id, type).
Step 5. Add CreateDuoLDAPIdentitySource request to create the Duo LDAP object.
The body of the POST request must contain these:
| Name | Name for Duo LDAP object |
| apiHostname | Duo hostname received from Duo admin portal |
| port | 636 |
| timeout | 60 seconds |
| integrationKey | ikey received from Duo admin portal |
| secretKey | skey received from Duo admin portal |
Note: Timeout is added as 60 seconds for the purpose of this document. Please add the settings as per your network environment.
The URL and sample body for POST request can be copied from the API explorer .
POST Request : https://<FTD Management IP>/api/fdm/latest/object/duoldapidentitysources
The Body of response shows Duo configuration ready to be pushed to the device.
Configure FDM
Step 1. Verify Device is registered to Smart Licensing.
Step 2. Verify AnyConnect licenses are enabled on the device.
Step 3. Verify Export-controlled Features is enabled in the token.
Add Duo Certificate on FDM
You need to download the CA certificate from the Duo website and add it to FDM in-order for LDAP over SSL to work.
Step 1. Login to FDM and then navigate to Objects > Certificates > Add Trusted CA Certificates.
Step 2. Provide a name for certificate object and add the CA certificate downloaded from https://duo.com
Step 3. Deploy the certificate to the device.
Create Local User for Primary Authentication
Step 1. Navigate to Objects > Users and click on + to add a new user., as shown in the image.
Step 2. Add the username and password details and click on OK, as shown in the image.
Note: This document assumes that the RA VPN is already configured. Please refer to the following document for more information on How to configure RA VPN on FTD managed by FDM.
Binding Duo object to RA VPN on FDM
Step 1. Bind the Duo object as the secondary authentication method in Remote Access VPN.
Navigate to Remote Access VPN and edit the concerned Connection Profile, as shown in the image.
Select LocalIdentitySource as Primary Identity Source and Duo as Secondary Identity Source. Click on Next to close the Remote Access VPN Wizard.
Note: Use Primary username for Secondary login is checked under Advanced option for the purpose of the document. If you need to use different usernames for Primary and Secondary authentication, you can uncheck it.
Step 2. Deploy the configuration to the device.
Pending changes show Local user, Duo object and Secondary Authentication Settings ready to be pushed.
Verify
In order to test this configuration, provide the local credentials in Username and Password. For Second Password type push, phone, passcode to determine kind of notification to be sent by Duo. Here push method is used.
You must get a Duo PUSH notification on your enrolled device for Two Factor Authentication (2FA). Once the push request is approved anyconnect user gets connected.
Open Anyconnect GUI >Settings > Statistics and verify the connection.
Verify the user connection on FTD CLI using the show command show vpn-session anyconnect
Troubleshoot
Verify if Duo object is pushed from REST API by navigating to Objects >Identity Sources
Cisco Duo Anyconnect Install
Verify the aaa-server configuration and secondary authentication FTD CLI using the show command show run aaa-server <name> and show run tunnel-group
Debug Commands
Note: Refer to Important Information on Debug Commands before you use debug commands.
You can set various debug levels. By default, level 1 is used. If you change the debug level, the verbosity of the debugs might increase. Do this with caution, especially in production environments.
These debugs on the FTD CLI would be helpful in troubleshooting AnyConnect connection for Duo.