Duo integrates with your Cisco ASA VPN to add two-factor authentication to any VPN login.
This Duo SSL VPN configuration supports inline self-service enrollment and the Duo Prompt for web-based VPN logins, and push, phone call, or passcode authentication for AnyConnect desktop and mobile client connections that use SSL encryption.
The AnyConnect RADIUS instructions do not feature the interactive Duo Prompt for web-based logins, but does capture client IP informations for use with Duo policies, such as geolocation and authorized networks.
The SAML VPN instructions feature inline enrollment and the interactive Duo Prompt for both web-based VPN logins and AnyConnect 4.6+ client logins. This deployment option requires that you have a SAML 2.0 identity provider in place that features Duo authentication, like the Duo Access Gateway. Primary and Duo secondary authentication occur at the identity provider, not at the ASA itself.
Please refer to the Duo for Cisco AnyConnect VPN with ASA or Firepower overview to learn more about the different options for protecting ASA logins with Duo MFA.
If you need to protect connections that use Cisco's desktop VPN client (IKE encryption), use our Cisco IPSec instructions.
Before starting, make sure that Duo is compatible with your Cisco ASA device. Log on to your Cisco ASDM interface and verify that your Cisco ASA firmware is version 8.3 or later.
This application communicates with Duo's service on TCP port 636. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
You should already have a working primary authentication configuration for your SSL VPN users before you begin to deploy Duo, e.g. LDAP authentication to Active Directory.
Then you'll need to:
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
To add the Duo customization to your Cisco sign-in page:
Duo-Cisco-vX.jswill appear in the Web Content Path box.
<script src="/+CSCOU+/Duo-Cisco-vX.js"></script>(replacing vX with the file version actually downloaded) in the Text: box. Click OK.
Navigate to AAA/Local Users → AAA Server Groups, click Add, and fill out the form:
In the Servers in the Selected Group section, click Add and fill out the form:
|Interface Name||Choose your external, internet-facing interface (it may be called "outside")|
|Server Name or IP Address||
Your API hostname (i.e.
Check Enable LDAP over SSL and fill out the form (replacing INTEGRATION_KEY and SECRET_KEY with your application-specific keys):
|Server Type||-- Detect Automatically/Use Generic Type --|
|Scope||One level beneath the Base DN|
Click Save to write all changes to the ASA device memory.
If any of your users will be logging in through desktop or mobile AnyConnect clients (click here to learn more about Duo and AnyConnect), you'll need to increase the AnyConnect Authentication Timeout so that users have enough time to use Duo Push or phone callback. Here's how:
You now have an increased authentication timeout. This timeout will take effect after each client successfully logs into the VPN after applying the new profile.
Visit your Cisco ASA SSL VPN Service URL (it usually ends in
/+CSCOE+/logon.html). After you complete primary authentication, the Duo enrollment/login prompt appears.
Using AnyConnect? Users see a “Second Password” field when using the AnyConnect client, which cannot be left blank. This second password field accepts the name of a Duo factor, like "push" or "phone", or a Duo passcode (generated with Duo Mobile or sent via SMS). Learn how Duo works with desktop and mobile AnyConnect clients.
You can configure Duo on your ASA using the Cisco command line.
SSH into your ASA and access the config terminal.
login as: asaadmin asaadmin@ciscoasa's password: Type help or '?' for a list of available commands. ciscoasa> enable Password: ******** ciscoasa# config ciscoasa# config terminal ciscoasa(config)#
Enable scopy if not already permitted.
ciscoasa(config)# ssh scopy enable
Use scopy (scp or pscp) to upload the Duo sign-in page customizations (downloaded from your Cisco SSL VPN application's properties page in the Duo Admin Panel page back in step 3 of "First Steps") to your ASA.
c:\>pscp.exe c:\Duo-Cisco-v5.js asaadmin@ciscoasa:Duo-Cisco.v5.js asaadmin@ciscoasa's password: ******** Duo-Cisco-v5.js | 71 kB | 35.9 kB/s | ETA: 00:00:00 | 100%
Then import the new web content package.
ciscoasa(config)# import webvpn webcontent /+CSCOU+/Duo-Cisco-v5.js disk0:Duo-Cisco-v5.js * Web resource `+CSCOU+/Duo-Cisco-v5.js' was successfully initialized
Export a web customization object for modification. The default customization object is named "DfltCustomization".
ciscoasa(config)# export webvpn customization DfltCustomization disk0:/DfltCustomization %INFO: Customization object 'DfltCustomization' was exported to disk0:/DfltCustomization
Then download the exported customization object from the ASA.
c:\>pscp.exe asaadmin@ciscoasa:disk0:/DfltCustomization DfltCustomization asaadmin@ciscoasa's password: DfltCustomization | 9 kB | 9.6 kB/s | ETA: 00:00:00 | 100%
Open the downloaded web customization object in an XML editor. Edit the "title-panel" section of the page to add the path to the Duo-Cisco-v5.js file you just uploaded to the ASA. The edit should be as follows:
<text l10n="yes"><![CDATA[<script src="/+CSCOU+/Duo-Cisco-v5.js"></script>]]></text>
Save the modified DfltCustomization file and upload it back to the ASA.
c:\>pscp.exe DfltCustomization asaadmin@ciscoasa:disk0:/DfltCustomization asaadmin@ciscoasa's password: DfltCustomization | 9 kB | 9.6 kB/s | ETA: 00:00:00 | 100%
Then import the modified customization object from the ASA command line.
ciscoasa(config)# import webvpn customization DfltCustomization disk0:/DfltCustomization %INFO: customization object 'DfltCustomization' was successfully imported
Add the Duo LDAP server. To do this, create the LDAP AAA Server Group.
ciscoasa(config-aaa-server-group)# aaa-server Duo-LDAP protocol ldap
Then, add the Duo LDAP server, using your external, internet-facing interface and the following information:
Your API hostname (i.e.
|LDAP over SSL||enable|
ciscoasa(config-aaa-server-group)# aaa-server Duo-LDAP (outside) host api-xxxxxxxx.duosecurity.com ciscoasa(config-aaa-server-host)# server-port 636 ciscoasa(config-aaa-server-host)# timeout 60 ciscoasa(config-aaa-server-host)# ldap-base-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com ciscoasa(config-aaa-server-host)# ldap-login-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com ciscoasa(config-aaa-server-host)# ldap-login-password ************ ciscoasa(config-aaa-server-host)# ldap-naming-attribute cn ciscoasa(config-aaa-server-host)# ldap-over-ssl enable ciscoasa(config-aaa-server-host)# exit
Edit the SSL VPN Connection Profile so that the Duo-LDAP server is used for secondary authentication. (In the example below the connection profile is called "VPNConnectionProfile").
ciscoasa(config)# tunnel-group VPNConnectionProfile general-attributes ciscoasa(config-tunnel-general)# secondary-authentication-server-group Duo-LDAP use-primary-username INFO: This command applies only to SSL VPN - Clientless and AnyConnect. ciscoasa(config-tunnel-general)# exit
If your users log in with the AnyConnect desktop or mobile clients increase the authentication timeout in the AnyConnect profile. This will give users enough time to approve the Duo authentication request.
First, download the AnyConnect Client Profile XM file (normally called "DefaultProfile.xml").
c:\>pscp.exe asaadmin@ciscoasa:disk0:DefaultProfile.xml .\DefaultProfile.xml asaadmin@ciscoasa's password: DefaultProfile.xml | 2 kB | 2.0 kB/s | ETA: 00:00:00 | 100%
Edit the downloaded XML file add change the AuthenticationTimeout to 60 seconds. The edit should be as follows:
Save the modified AnyConnect XML connection profile file and upload it back to the ASA.
c:\>pscp.exe DefaultProfile.xml asaadmin@ciscoasa:disk0:/DefaultProfile.xml asaadmin@ciscoasa's password: DefaultProfile.xml | 2 kB | 2.0 kB/s | ETA: 00:00:00 | 100%