Video Demonstration: Add Two-Factor Authentication to Your Cisco VPN in Only 5 Minutes
Duo makes it easy to add strong two-factor authentication to your Cisco VPN. How easy? Our latest demo video walks you through installation and setup in less than 5 minutes. The video demonstrates how to use Duo’s drop-in integration package to secure a Cisco ASA VPN.
Here's the minute-by-minute rundown of how to add Duo two-factor authentication to your Cisco VPN:
To get started, the first step is to log into your web-based Duo Admin Interface.
Once there, click on the “Integrations” tab in the left column. Click on the “New Integration” button and set the “Integration Type” to “Cisco SSL VPN”. I’ll give it a name of “Duo Demo” for this tutorial. Then click the “Add Integration” button to save it.
You’ve created the VPN integration in Duo, so now we need to configure it. You’ll be directed to a page to “download the Duo Cisco package”, which you can do by clicking the link at the top of the page. Extract the downloaded zip file so that the file is ready for use. Then click on the “Cisco Integration Instructions”, which gives step-by-step directions on how to set up Duo on your Cisco VPN, as well as the provided settings for “LDAP Server Name”, “Base DN” and “Login DN” that will be used for the integration.
Now, let’s log into our Cisco ASA ASDM and configure the connection we’re protecting with Duo Security. Once you are logged in, select the “Configuration” tab at the top of the page, then click the “Remote Access VPN” tab. Click the drop-down arrows for “Clientless SSL VPN Access” and then “Portal”. Select “Web Contents” and then pick “Import”. Click “Browse Files” and select the “Duo Cisco Package” downloaded earlier. Under “Require authentication to access its content?” select “No” and confirm the Web Content Path reads “DUO-Cisco-v1.js”. Click “Import Now”, then “OK”, then “Apply”.
Now click on “Customization” and select the “customization object” that you would like to modify.
We are going to click on the default customization object and click “Edit”. Click on the “Title Page”, which is nested under the “Logon Page”. In the “Text:” field we are going to copy the script provided in the Duo Security documentation. Click “OK”. Then click “Apply”.
Now we are going to add the Duo Security authentication service. Click the drop-down arrow for “AAA/Local Users” and select “AAA Server Groups”. Create a new “AAA Server Group” by clicking “Add”. We’ll call the AAA Server Group “DuoDemo”. Select “LDAP” from the “Protocol” drop-down and click “OK”. Click “Apply”. Now highlight the newly created “AAA Server Group” and, on the bottom right, click “Add” under “Servers in the selected group”.
Select “Outside” for “Interface Name”. Now copy the “API Hostname” from the Duo Security Cisco documentation for the “Server Name”. Set the timeout to “60 seconds”. Next select the checkbox to “enable LDAP over SSL”. Now copy the Base DN and the Login DN from the Duo Security Cisco documentation. For the “Naming Attribute” type “cn”. Next we will copy the secret key from the Duo Security Admin Panel into the “Login Password” field. Click Ok. Then Apply.
Now navigate using the “Clientless SSL VPN Access” drop-down arrow to “Connection Profiles”. Select the desired profile that you would like to modify and click “Edit”. Click the “Advanced” drop-down arrow and click “Secondary Authentication”.
Select the newly created server group DuoDemo. Make sure you check the box “use primary username (Hide secondary username on login page)”. Click ok. Click Apply. Then Click Close.
If you are using “Cisco AnyConnect”, then we will also need to modify the AnyConnect client timeout. Click the drop-down arrow next to “Network (Client Access)” and click “AnyConnect Client Profile”. Select the profile in use and click “Edit”. Select “Preferences (Part 2)”, scroll to the bottom of the page and change the “Authentication Timeout” to 60 seconds. Click “OK”. Then click “Apply”.
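Before testing the login, the settings from the steps above can be checked against the ASA's running configuration. The following is an added example, not part of the original walkthrough or Duo's package: it assumes the ASDM settings appear in `show running-config` as the CLI lines in the constructed sample, and the hostname, DNs and the profile name “DemoProfile” are placeholders.

```python
import re

# Constructed sample of `show running-config` output (assumed CLI form of the ASDM settings).
SAMPLE_CONFIG = """\
aaa-server DuoDemo protocol ldap
aaa-server DuoDemo (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 ldap-base-dn dc=EXAMPLE,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-dn dc=EXAMPLE,dc=duosecurity,dc=com
 ldap-over-ssl enable
tunnel-group DemoProfile general-attributes
 secondary-authentication-server-group DuoDemo use-primary-username
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_duo(config, group):
    """Return a list of findings; an empty list means every checked setting matches."""
    blocks, findings = parse_blocks(config), []
    if f"aaa-server {group} protocol ldap" not in blocks:
        findings.append(f"server group {group} is missing or not LDAP")
    host_re = re.compile(rf"aaa-server {re.escape(group)} \((\S+)\) host (\S+)")
    hosts = [(m.group(2), subs) for key, subs in blocks.items() if (m := host_re.fullmatch(key))]
    if not hosts:
        findings.append(f"no server defined in group {group}")
    for name, subs in hosts:
        if "ldap-over-ssl enable" not in subs:
            findings.append(f"{name}: LDAP over SSL is not enabled")
        if "timeout 60" not in subs:
            findings.append(f"{name}: timeout is not 60 seconds")
        if "ldap-naming-attribute cn" not in subs:
            findings.append(f"{name}: naming attribute is not cn")
    wanted = f"secondary-authentication-server-group {group} use-primary-username"
    if not any(k.startswith("tunnel-group ") and wanted in subs for k, subs in blocks.items()):
        findings.append(f"no connection profile uses {group} as secondary authentication")
    return findings

if __name__ == "__main__":
    print(audit_duo(SAMPLE_CONFIG, "DuoDemo") or "all checked settings match")
```

A profile that lacks the secondary authentication line still logs users in with only their password, so that finding is the one to treat as blocking.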
The integration is now complete and we can test out the login experience with Duo two-factor authentication. Start by going to the URL for the connection profile protected by Duo and enter the username and password. Once confirmed, Duo will prompt the user to choose their second factor. A user simply chooses Duo Push or Phone Call, or enters a passcode in the passcode field. Let’s select Duo Push, the most secure authentication method available today.
The user will receive a prompt on their phone to authenticate, with contextual information for the request. This will include the username, system being accessed, IP address with rough geolocation, and the time of the request. Click the green button for accept, and you’re logged in!
Duo's two-factor authentication secures VPNs in just minutes.