Please refer to the Duo for Cisco AnyConnect VPN with ASA or Firepower overview to learn more about the different options for protecting ASA and Firepower VPN logins with Duo MFA.
You can also learn more in this knowledge base article which compares the ASA configurations.
The Duo "IPsec VPN Instructions" supports push, phone call, or passcode authentication and protects connections that use Cisco's desktop VPN client with IKE encryption instead of SSL VPN.
Yes, Duo authentication is compatible with the desktop and mobile AnyConnect clients.
You'll see a "Second Password" field when using AnyConnect — this field will accept a Duo passcode (generated with Duo Mobile or sent via SMS). You can also type push to use Duo Push, sms to get a new batch of SMS passcodes, or phone to authenticate via phone call. Also see the Logging In With the Cisco AnyConnect Client page in the user guide.
Yes. Just upload the proper AnyConnect client .pkg file to your Cisco ASA (Remote Access VPN → Network (Client) Access → AnyConnect Client Software.)
Yes, you can customize the Second Password Field by:
The customization is not updated until the client is restarted and makes another successful connection.
To monitor ASA activity during logon attempts, connect to your device using the ASDM utility and go to Monitoring → Logging → Real-Time Log Viewer. Set logging to a higher level (like "Debugging"" or "Informational") and click the View button. Then, attempt to authenticate again and watch the real-time log to see your authentication activity.
To view previously captured events, go to Monitoring → Logging → Log Buffer. Select a "Logging Level" and click the View button.
Absolutely! To protect users local to the ASA, with the Duo LDAPS configuration for SSL VPN, continue to use the "LOCAL" AAA Server Group for authentication and add the Duo LDAP AAA server group for secondary authentication.
To protect local ASA users connecting with the Duo RADIUS configuration for SSL VPN clients, use the duo_only_client and radius_server_duo_only configurations in your Authentication Proxy setup, and again continue to use the "LOCAL" AAA Server Group for authentication and add the Duo RADIUS AAA server group for secondary authentication. In this scenario, your authproxy.cfg file would look something like this:
[duo_only_client] [radius_server_duo_only] ikey=DIXXXXXXXXXXXXXXXXXX skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX api_host=api-XXXXXXXX.duosecurity.com failmode=safe radius_ip_1=188.8.131.52 radius_secret_1=thisisaradiussecret client=duo_only_client
An issue with the AnyConnect client causes it to ignore the timeout setting and use the 12 second default when the fully qualified host domain name (FQDN) of the Cisco ASA is not present in the AnyConnect client profile. This may cause the AnyConnect client to disconnect during the two-factor authentication attempt (Cisco forum link).
To fix this, add a <ServerList> section to the AnyConnect profile as shown in the example below. If your AnyConnect profile already contains a server list section, replace the <HostAddress> IP address or non-qualified host name of your ASA with the fully qualified domain name as shown in the example.
<ServerList> <HostEntry> <HostName>ASA-01 </HostName> <HostAddress>asa-01.cisco.com </HostAddress> </HostEntry> </ServerList>
See the instructions for using the ASDM AnyConnect Client Profile Editor and configuring the Server List at the Cisco site for more information.
While the Cisco forum link above references AnyConnect 2.x versions, the issue persists in later versions. AnyConnect version 4.8.02045, released in February 2020, increases the default timeout from 12 to 30 seconds. See the AnyConnect release notes for details.