Skip navigation

Duo Security is now a part of Cisco About Cisco

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Contact Sales Free Trial

Try Duo's trusted access solution now.

Free Trial
Documentation

Duo for Cisco AnyConnect VPN with ASA or Firepower

Last Updated: September 18th, 2019

Contents

Related

Duo integrates with your Cisco ASA or Firepower VPN to add two-factor authentication to AnyConnect logins.

Duo can add two-factor authentication to ASA and Firepower VPN connections in a variety of ways. Learn more about these configurations and choose the best option for your organization.

Cisco ASA with AnyConnect

ASA SSL VPN using SAML

Choose this option for the best end-user experience for ASA.

With this configuration, end users experience the interactive Duo Prompt when using the Cisco AnyConnect Client for VPN. The interactive MFA prompt gives users the ability to view all available authentication device options and select which one to use, self-enroll new or replacement 2FA devices, and manage their own registered devices.

This configuration also lets administrators gain insight about the devices connecting to the VPN and apply Duo policies such as device health requirements or access policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client.

Primary authentication and Duo MFA occur at the identity provider, not at the ASA itself.

Read the deployment instructions for ASA with SAML

Requirements:

  • Duo Access Gateway or a third-party SAML IdP with Duo MFA (AD FS, Azure AD, etc.)
  • Cisco ASA versions 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release
  • AnyConnect 4.6 or later for normal authentication (Trusted Endpoints has specific AnyConnect version requirements. See the ASA with SAML document for details.)

Network Diagram:

Cisco ASA with Duo SSO

  1. VPN connection initiated to Cisco ASA, which redirects to the Duo Access Gateway for SAML authentication
  2. AnyConnect client performs primary authentication via the Duo Access Gateway using an on-premises directory (example)
  3. Duo Access Gateway establishes connection to Duo Security over TCP port 443 to begin 2FA
  4. User completes Duo two-factor authentication.
  5. Duo receives authentication response and returns that information to the Duo Access Gateway
  6. Duo Access Gateway returns a SAML token for access
  7. Cisco ASA VPN access granted

ASA SSL VPN using RADIUS

Choose this option for ASA and AnyConnect deployments that do not meet the minimum product version requirements for SAML SSO. With this configuration, end-users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the AnyConnect Client or clientless SSL VPN via browser. Users may append a different factor selection to their password entry.

This configuration supports Duo policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client.

Read the deployment instructions for ASA with RADIUS

Requirements:

Network Diagram:

Cisco ASA with Duo RADIUS

  1. Primary authentication initiated to Cisco ASA
  2. Cisco ASA sends authentication request to the Duo Authentication Proxy
  3. Primary authentication using Active Directory or RADIUS
  4. Duo Authentication Proxy connection established to Duo Security over TCP port 443
  5. Secondary authentication via Duo Security’s service
  6. Duo authentication proxy receives authentication response
  7. Cisco ASA VPN access granted

ASA SSL VPN using LDAPS

When using this option with the clientless SSL VPN, end users experience the interactive Duo Prompt in the browser. The AnyConnect client does not show the Duo Prompt, and instead adds a second password field to the regular AnyConnect login screen where the user enters the word “push” for Duo Push, the word “phone” for a phone call, or a one-time passcode.

This configuration does not support IP-based network policies or device health requirements when using the AnyConnect client.

Read the deployment instructions for ASA with LDAPS

Requirements:

  • Cisco ASA firmware version 8.3 or later

Network Diagram:

Cisco ASA with Duo LDAPS

  1. Cisco SSL VPN connection initiated
  2. Primary authentication to on-premises directory
  3. Cisco ASA connection established to Duo Security over TCP port 636
  4. Secondary authentication via Duo Security’s service
  5. Cisco ASA receives authentication response
  6. Cisco SSL VPN connection established

Cisco Firepower with AnyConnect

FTD VPN using RADIUS

Choose this option for Cisco Firepower Threat Defense (FTD) Remote Access VPN. With this configuration, end-users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the AnyConnect Client or clientless SSL VPN via browser. Users may append a different factor selection to their password entry.

This configuration supports Duo policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client.

Read the deployment instructions for Firepower

Requirements:

  • Duo Authentication Proxy
  • Cisco FTD version 6.3.0 or later managed by FMC version 6.3.0 or later

Network Diagram:

Cisco FTD with Duo RADIUS

  1. Primary authentication initiated to Cisco FTD
  2. Cisco FTD sends authentication request to the Duo Authentication Proxy
  3. Primary authentication using Active Directory or RADIUS
  4. Duo Authentication Proxy connection established to Duo Security over TCP port 443
  5. Secondary authentication via Duo Security’s service
  6. Duo authentication proxy receives authentication response
  7. Cisco FTD VPN access granted

Cisco Identity Services Engine with AnyConnect

Cisco ISE using RADIUS

Choose this option for Cisco Identity Services Engine. With this configuration, end-users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the AnyConnect Client. Users may append a different factor selection to their password entry.

This configuration supports Duo policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client.

Read the deployment instructions for ISE

Requirements:

  • Duo Authentication Proxy
  • Cisco ISE 2.4 or later

Network Diagram:

Cisco ISE with Duo RADIUS

  1. Primary authentication initiated to Cisco ISE
  2. Cisco ISE sends authentication request to the Duo Authentication Proxy
  3. Primary authentication using Active Directory or RADIUS
  4. Duo Authentication Proxy connection established to Duo Security over TCP port 443
  5. Secondary authentication via Duo Security’s service
  6. Duo authentication proxy receives authentication response
  7. Cisco ISE access granted