
Revolutionizing Cisco VPN Access with Duo SSO

  • Secure Cisco VPN logins in less than an hour

  • Authenticate users in seconds

  • Verify user + device posture

  • Block unmanaged devices

  • Mitigate modern security threats with phishing-resistant authentication

Join the thousands of Cisco firewall customers who take advantage of protecting Cisco VPN logins with Cisco Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Cisco Duo is a leading access management platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.

10 reasons to move to Duo SSO with Cisco VPN

The following functionality is only available using the Duo Universal Prompt and protecting Cisco Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.

  1. Passwordless — Duo Passwordless uses passkeys and platform authenticators, security keys from access devices, or Duo Push to secure application access without passwords, reducing the risk surface and administrative burden associated with passwords while improving the user experience

  2. Verified Duo Push — Asks users to verify push requests to mitigate the risk of push harassment attacks

  3. Trusted Endpoints — Block untrusted/unwanted devices from accessing your corporate VPN

  4. Risk-Based Authentication — Reduces user friction and improves security by analyzing risk signals and automatically stepping up authentication only when necessary

  5. Built-In Security — Universal Prompt utilizes OpenID Connect and moves away from using iFrames, which eliminates the need for the additional security configurations (allowed hostnames) that are recommended with the Traditional Prompt

  6. Self-Service Portal — Admins can securely enable the new Duo-hosted self-service portal by enforcing policies and requiring strong authentication, empowering users to self-enroll and manage their authentication devices

  7. Improved User Experience — Universal Prompt is a major redesign with new styling and workflow-based authentication experience, such as last-used authentication method and more

  8. Localization — Includes support for 15 languages, with more to come

  9. Customization and Branding — Allows admins to give users a familiar and trusted experience

  10. Accessibility — Makes strong authentication inclusive and easy for every user. Universal Prompt is designed and tested to meet Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level


Cisco VPN User Login Experience: SAML 2.0 vs. RADIUS

Cisco Adaptive Security Appliance (ASA) and Cisco Firepower are two of the most common VPN solutions on the market today. As a result, a wide range of Cisco Duo customers use the Duo Trusted Access platform to protect their Cisco Secure Client logins. Today, many of these customers use an aging legacy integration based on the RADIUS protocol. For end users, this integration delivers an automatic Duo Push or Duo Phone Callback (if enabled by a Duo administrator), but it leaves a lot to be desired and cannot apply modern access and security policies to all logins.

Cisco VPN RADIUS experience:


Instead of the legacy experience, you can simplify trusted access across your organization by moving from a legacy integration method like RADIUS to Duo SSO. Duo SSO enables organizations to deploy simple but granular zero trust security policies per app or group, including passwordless, phishing-resistant authentication (verified push and/or passkeys), device trust (trusted endpoints), risk-based authentication (RBA), contextualized access policies, user self-remediation, and much more.

Below is an example of the Cisco Duo SSO experience for Cisco VPNs:


The experience and capabilities enabled by a modern Duo SSO protected login are highlighted in the section below.

How to protect & modernize Cisco VPN logins with Duo

Review prerequisites for Cisco ASA or Firepower.

  1. Configure Duo Single Sign-On

  2. Connect Cisco ASA or Cisco Firepower via SAML 2.0 to Duo SSO

  3. Create Duo Policy requirements for Cisco ASA or Cisco Firepower by application or group

  4. Validate the sign-in experience and test with a pilot group

Ramp up security without sacrificing productivity

Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application, with dedicated integrations for Microsoft 365, Citrix NetScaler, Palo Alto Networks, SonicWall, Salesforce, Cisco Webex, and many others.

With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people, and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.