
Duo Two-Factor Authentication for Cisco VPNs - FAQ

Last Updated: April 29th, 2020

What are the differences between the different Duo Cisco deployment configurations?

Please refer to the Duo for Cisco AnyConnect VPN with ASA or Firepower overview to learn more about the different options for protecting ASA and Firepower VPN logins with Duo MFA.

You can also learn more in this knowledge base article which compares the ASA configurations.

Duo's IPsec VPN configuration (see the "IPsec VPN Instructions") supports push, phone call, or passcode authentication and protects connections that use Cisco's desktop VPN client with IKE encryption instead of SSL VPN.

Does Duo's SSL VPN configuration work with the Cisco AnyConnect client?

Yes, Duo authentication is compatible with the desktop and mobile AnyConnect clients.

Cisco AnyConnect

You'll see a "Second Password" field when using AnyConnect — this field will accept a Duo passcode (generated with Duo Mobile or sent via SMS). You can also type push to use Duo Push, sms to get a new batch of SMS passcodes, or phone to authenticate via phone call. Also see the Logging In With the Cisco AnyConnect Client page in the user guide.

If your users will only use AnyConnect, see Enrolling Users to learn how to use bulk enrollment to help with enrolling users.

Does Duo's SSL VPN configuration support the Cisco AnyConnect client version 3.1 on OS X?

Yes. Just upload the proper AnyConnect client .pkg file to your Cisco ASA (Remote Access VPN → Network (Client) Access → AnyConnect Client Software.)

Can I customize the Cisco AnyConnect client "Second Password:" Field?

Yes, you can customize the Second Password Field by:

  1. From the Cisco ASDM, select Network (Client) Access → AnyConnect Customization → GUI Text and Messages.
  2. Click Add and select the language you want to modify.
  3. Under msgid "Second Password", add the desired text to the msgstr "here" field.

The customization is not updated until the client is restarted and makes another successful connection.

Cisco AnyConnect Customization

Is there any logging on the ASA to help troubleshoot authentication?

To monitor ASA activity during logon attempts, connect to your device using the ASDM utility and go to Monitoring → Logging → Real-Time Log Viewer. Set the logging level higher (for example, "Debugging" or "Informational") and click the View button. Then attempt to authenticate again and watch the real-time log to see your authentication activity.

To view previously captured events, go to Monitoring → Logging → Log Buffer. Select a "Logging Level" and click the View button.
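The ASDM log viewers show one line per event, which is hard to read across many logon attempts. The following Python script is an added example, not part of the Duo FAQ or Cisco's tooling: it parses ASA AAA authentication syslog lines (message IDs 113004 "Successful" and 113005 "Rejected", as documented in Cisco's ASA syslog message guide; the exact field layout is assumed from that guide) copied out of the log buffer or forwarded to a syslog collector, tallies successes and rejections per user, and lists users with repeated rejections. The sample lines, user names, addresses and the rejection threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines laid out like ASA AAA messages 113004/113005 (plus one
# unrelated 302013 connection line to show that non-AAA events are ignored).
# Users, server addresses and client IPs are made up.
SAMPLE_LOG = """\
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = alice
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.1.1.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = bob
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51000 (203.0.113.9/51000) to inside:10.1.1.5/443 (10.1.1.5/443)
"""

# The message ID and the Successful/Rejected verdict come from the fixed message text.
AAA_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d{6}): AAA user authentication (?P<result>Successful|Rejected)"
)
# "user = <name>" (the "user IP = ..." field does not match because of the " = " directly after "user").
USER_RE = re.compile(r"\buser = (\S+)")
# "reason = <text> :" is only present on rejections.
REASON_RE = re.compile(r"reason = (.+?) :")


def parse_aaa_event(line):
    """Return a dict for an AAA authentication line, or None for any other line."""
    m = AAA_RE.search(line)
    if not m:
        return None
    user = USER_RE.search(line)
    reason = REASON_RE.search(line)
    return {
        "msgid": m.group("msgid"),
        "result": m.group("result").lower(),
        "user": user.group(1) if user else None,
        "reason": reason.group(1) if reason else None,
    }


def summarize(log_text):
    """Per-user counts of successful and rejected authentications, with rejection reasons."""
    counts = defaultdict(lambda: {"successful": 0, "rejected": 0, "reasons": []})
    for line in log_text.splitlines():
        event = parse_aaa_event(line)
        if event is None or event["user"] is None:
            continue
        counts[event["user"]][event["result"]] += 1
        if event["reason"]:
            counts[event["user"]]["reasons"].append(event["reason"])
    return dict(counts)


def users_with_rejections(log_text, threshold=2):
    """Users whose rejection count reaches the threshold (threshold is an arbitrary example value)."""
    return sorted(u for u, c in summarize(log_text).items() if c["rejected"] >= threshold)


if __name__ == "__main__":
    for user, c in summarize(SAMPLE_LOG).items():
        print(f"{user}: {c['successful']} successful, {c['rejected']} rejected, reasons={c['reasons']}")
    print("repeated rejections:", users_with_rejections(SAMPLE_LOG))
```

A rejection with reason "AAA failure" against the Duo server group is what you would expect to see when the second factor is denied or the Authentication Proxy does not answer; comparing its timing with the 12-second AnyConnect timeout discussed later on this page helps separate a user denying the push from the client giving up early.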

Can I use Duo to protect ASA local account logins?

Absolutely! To protect users local to the ASA with the Duo LDAPS configuration for SSL VPN, continue to use the "LOCAL" AAA Server Group for primary authentication and add the Duo LDAP AAA server group for secondary authentication.

To protect local ASA users connecting with the Duo RADIUS configuration for SSL VPN clients, use the duo_only_client and radius_server_duo_only configurations in your Authentication Proxy setup, and again continue to use the "LOCAL" AAA Server Group for authentication and add the Duo RADIUS AAA server group for secondary authentication. In this scenario, your authproxy.cfg file would look something like this:

[duo_only_client]

[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
client=duo_only_client
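A misfilled authproxy.cfg is a common reason the secondary authentication never reaches Duo. The following Python linter is an added example, not Duo's own tooling: it reads an authproxy.cfg fragment like the one above, checks that the [radius_server_duo_only] section has the keys the FAQ shows, that the placeholder values have been replaced, that failmode is one of Duo's two documented values (safe or secure), and that the client key names a section that actually exists in the file. The "filled in" sample values (integration key, secret key, API host name, RADIUS secret) are made up, and the 16-character minimum for the RADIUS secret is the author's own heuristic, not a Duo requirement.

```python
import configparser
import re

# Constructed sample: the authproxy.cfg fragment from the FAQ above, placeholders included.
SAMPLE_CFG = """
[duo_only_client]

[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=safe
radius_ip_1=5.6.7.8
radius_secret_1=thisisaradiussecret
client=duo_only_client
"""

# Constructed "filled in" version; the Duo keys and host below are made up, not real credentials.
FILLED_CFG = """
[duo_only_client]

[radius_server_duo_only]
ikey=DIABCDEFGHIJKLMNOPQR
skey=0123456789abcdef0123456789abcdef01234567
api_host=api-12345678.duosecurity.com
failmode=secure
radius_ip_1=5.6.7.8
radius_secret_1=k7Qp2vLm9xWz4tRb8nHs
client=duo_only_client
"""

REQUIRED_KEYS = ("ikey", "skey", "api_host", "radius_ip_1", "radius_secret_1", "client")
PLACEHOLDER = re.compile(r"X{4,}")  # runs of X's as left in Duo's template values


def lint_authproxy(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)  # authproxy.cfg is INI-style
    cp.read_string(text)
    findings = []
    servers = [s for s in cp.sections() if s.startswith("radius_server_")]
    if not servers:
        findings.append("no [radius_server_*] section defined")
    for name in servers:
        sec = cp[name]
        for key in REQUIRED_KEYS:
            if key not in sec:
                findings.append(f"{name}: missing required key {key}")
        for key in ("ikey", "skey", "api_host"):
            if key in sec and PLACEHOLDER.search(sec[key]):
                findings.append(f"{name}: {key} still holds a placeholder value")
        # Duo integration keys are 20 characters and secret keys 40 characters.
        if "ikey" in sec and len(sec["ikey"]) != 20:
            findings.append(f"{name}: ikey should be 20 characters")
        if "skey" in sec and len(sec["skey"]) != 40:
            findings.append(f"{name}: skey should be 40 characters")
        # failmode=safe lets logins through without MFA when Duo's cloud is unreachable;
        # failmode=secure rejects them. Both are valid; anything else (or nothing) is flagged.
        mode = sec.get("failmode")
        if mode is None:
            findings.append(f"{name}: failmode not set explicitly (safe or secure)")
        elif mode not in ("safe", "secure"):
            findings.append(f"{name}: failmode must be safe or secure, got {mode!r}")
        # The client key must name a [*_client] section present in this file.
        client = sec.get("client")
        if client is not None and client not in cp.sections():
            findings.append(f"{name}: client={client} refers to a section that does not exist")
        # Heuristic (author's choice, not a Duo rule): a short RADIUS shared secret is weak.
        secret = sec.get("radius_secret_1", "")
        if secret and len(secret) < 16:
            findings.append(f"{name}: radius_secret_1 is shorter than 16 characters")
    return findings


if __name__ == "__main__":
    for label, cfg in (("template", SAMPLE_CFG), ("filled in", FILLED_CFG)):
        print(f"{label}: {lint_authproxy(cfg) or 'no findings'}")
```

Run it against the template above and it reports the three placeholder values; run it against the filled-in version and it reports nothing. Whether failmode should be safe or secure is a policy decision: safe keeps remote access working during a Duo outage at the cost of skipping the second factor, secure does the opposite.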

Why is the AnyConnect client connection attempt disconnecting after 12 seconds when I have increased the timeout?

An issue with the AnyConnect client causes it to ignore the timeout setting and use the 12 second default when the fully qualified domain name (FQDN) of the Cisco ASA is not present in the AnyConnect client profile. This may cause the AnyConnect client to disconnect during the two-factor authentication attempt (Cisco forum link).

To fix this, add a <ServerList> section to the AnyConnect profile as shown in the example below. If your AnyConnect profile already contains a server list section, replace the <HostAddress> IP address or non-qualified host name of your ASA with the fully qualified domain name as shown in the example.

<ServerList>
  <HostEntry>
    <HostName>ASA-01</HostName>
    <HostAddress>asa-01.cisco.com</HostAddress>
  </HostEntry>
</ServerList>

See the instructions for using the ASDM AnyConnect Client Profile Editor and configuring the Server List at the Cisco site for more information.

While the Cisco forum link above references AnyConnect 2.x versions, the issue persists in later versions. AnyConnect version 4.8.02045, released in February 2020, increases the default timeout from 12 to 30 seconds. See the AnyConnect release notes for details.
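Because the symptom (a disconnect at 12 seconds) looks like a Duo problem rather than a profile problem, it is worth checking deployed AnyConnect profiles for the condition described above before changing anything on the Duo side. The following Python script is an added example, not part of the Duo FAQ or of Cisco's profile editor: it parses an AnyConnect profile XML, reports every HostEntry whose HostAddress is an IP address or an unqualified host name instead of an FQDN, and can rewrite those addresses from a mapping you supply. The sample profile and the host names in it (other than asa-01.cisco.com from the FAQ) are constructed; matching is done on local element names so the check works whether or not the profile carries a namespace on its root element.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile: one correct FQDN entry, one IP entry, one unqualified name.
SAMPLE_PROFILE = """<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>ASA-01</HostName>
      <HostAddress>asa-01.cisco.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>ASA-IP</HostName>
      <HostAddress>10.0.0.1</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>ASA-02</HostName>
      <HostAddress>asa-02</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip any XML namespace prefix: '{ns}HostEntry' -> 'HostEntry'."""
    return tag.rsplit("}", 1)[-1]


def _host_fields(entry):
    """Return (HostName, HostAddress element) for a HostEntry; either may be None."""
    name, addr_el = None, None
    for child in entry:
        if _local(child.tag) == "HostName":
            name = (child.text or "").strip()
        elif _local(child.tag) == "HostAddress":
            addr_el = child
    return name, addr_el


def find_unqualified_hosts(profile_xml):
    """List (HostName, HostAddress, reason) for entries whose address is not an FQDN."""
    root = ET.fromstring(profile_xml)
    problems = []
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        name, addr_el = _host_fields(entry)
        addr = (addr_el.text or "").strip() if addr_el is not None else ""
        if not addr:
            problems.append((name, addr, "missing HostAddress"))
            continue
        try:
            ipaddress.ip_address(addr)  # succeeds for IPv4/IPv6 literals
            problems.append((name, addr, "IP address, not an FQDN"))
            continue
        except ValueError:
            pass
        if "." not in addr:
            problems.append((name, addr, "unqualified host name"))
    return problems


def rewrite_host_addresses(profile_xml, fqdn_by_address):
    """Return the profile with each HostAddress found in the mapping replaced by its FQDN."""
    root = ET.fromstring(profile_xml)
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        _, addr_el = _host_fields(entry)
        if addr_el is not None:
            current = (addr_el.text or "").strip()
            if current in fqdn_by_address:
                addr_el.text = fqdn_by_address[current]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, addr, reason in find_unqualified_hosts(SAMPLE_PROFILE):
        print(f"{name}: HostAddress {addr!r} is a {reason}")
    # Mapping values are constructed example FQDNs.
    fixed = rewrite_host_addresses(
        SAMPLE_PROFILE, {"10.0.0.1": "asa-ip.example.com", "asa-02": "asa-02.example.com"}
    )
    print("remaining problems after rewrite:", find_unqualified_hosts(fixed))
```

The check deliberately treats the FAQ's own multi-line formatting (text and closing tag on separate lines) as valid, since `strip()` removes the surrounding whitespace before the address is classified.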

Additional Troubleshooting

Need more help? Try searching our Cisco Knowledge Base articles or Community discussions. For further assistance, contact Support.