How to Install Duo Security 2FA for Cisco ASA SSL VPN (Primary Configuration)



[Narrator] Hello, I'm Matt from Duo Security.

In this video, I'm going to show you how to protect your Cisco ASA SSL VPN logins with Duo.

During the setup process, you'll use the Cisco Adaptive Security Device Manager, or ASDM.

Before watching this video, be sure to reference the documentation for installing this configuration at duo.


Note that this configuration supports inline self-service enrollment and the Duo Prompt.

Our alternate RADIUS-based Cisco configuration offers additional features such as configurable fail modes, IP address-based policies and autopush authentication, but does not support the Duo Prompt.

Read about that configuration at duo.


First, make sure that Duo is compatible with your Cisco ASA device.

We support ASA firmware version 8.3 or later.

You can check which version of the ASA firmware your device is using by logging in to the ASDM interface.

Your firmware version will be listed in the Device Information box next to ASA Version.

In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

(light music) To get started with the installation process, log in to the Duo Admin Panel.

In the Admin Panel, click Applications.

Then click Protect an Application.

Type in “cisco”.

Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's properties page.

At the top of the page, click the link to download the Duo Cisco zip package.

Note that this file contains information specific to your application.

Unzip it somewhere convenient and easy to access, like your desktop.

Then click the link to open the Duo for Cisco documentation.

Keep both the documentation and properties pages open as you continue with the setup process.

After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.

Log on to your Cisco ASDM.

Click the Configuration tab and then click Remote Access VPN in the left menu.

Navigate to Clientless SSL VPN Access, Portal, Web Contents.

Click Import.

In the Source section, select Local Computer, and click Browse Local Files.

Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package.

After you select the file, it will appear in the Web Page Path box.

In the Destination section, under Require authentication to access its content?, select the radio button next to No.

Click Import Now.

Navigate to Clientless SSL VPN Access, Portal, Customization.

Select the Customization Object you want to modify.

For this video, we will use the default customization template.

Click Edit.

In the outline menu on the left, under Logon Page, click Title Panel.

Copy the string provided in step 9 of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box.

Replace “X” with the file version you downloaded.

In this case, it's “6”.

Click OK, then click Apply.

Now you need to add the Duo LDAP server.

Navigate to AAA/Local Users, AAA Server Groups.

In the AAA Server Groups section at the top, click Add.

In the AAA Server Group field, type in Duo-LDAP.

In the Protocol dropdown, select LDAP.

Newer versions of the ASA firmware require you to provide a realm-id.

In this example, we will use “1”.

Click OK.

Select the Duo-LDAP group you just added.

In the Servers in the Selected Group section, click Add.

In the Interface Name dropdown, choose your external interface.

It may be named outside.

In the Server Name or IP Address field, paste the API hostname from the application's properties page in the Duo Admin Panel.

Set the Timeout to 60 seconds.

This will allow your users enough time during login to respond to the Duo two-factor request.

Check Enable LDAP over SSL.

Set Server Type to Detect Automatically/Use Generic Type.

In the Base DN field, enter dc= then paste your integration key from the application's properties page in the Duo Admin Panel.

After that, type ,dc=duosecurity,dc=com

Set Scope to One level beneath the Base DN.

In the Naming Attributes field, type cn.

In the Login DN field, copy and paste the information from the Base DN field you entered above.

In the Login Password field, paste your application's secret key from the properties page in the Duo Admin Panel.

Click OK, then click Apply.

Now configure the Duo LDAP server.

In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles.

Under Connection Profiles, select the connection profile you want to modify.

For this video, we will use the DefaultWEBVPNGroup.

Click Edit.

In the left menu, under Advanced, select Secondary Authentication.

Select Duo-LDAP in the Server Group list.

Uncheck the Use LOCAL if Server Group fails box.

Check the box for Use primary username.

Click OK, then click Apply.

If any of your users log in through desktop or mobile AnyConnect clients, you'll need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.

In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile.

Select your AnyConnect client profile.

Click Edit.

In the left menu, navigate to Preferences (Part 2).

Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60.

Click OK, then click Apply.

With everything configured, it is now time to test your setup.

In a web browser, navigate to your Cisco ASA SSL VPN service URL.

Enter your username and password.

After you complete primary authentication, the Duo Prompt appears.

Using this prompt, users can enroll in Duo or complete two-factor authentication.

Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode.

Select Send Me a Push to send a Duo push notification to your smartphone.

On your phone, open the notification, tap the green button to accept, and you're logged in.

Note that when using the AnyConnect client, users will see a second password field.

This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode.

In addition, the AnyConnect client will not update to the increased 60 second timeout until a successful authentication is made.

It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout.

You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.
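
Added example, not part of the video or of Duo's documentation: a Python check that reads an exported ASA running configuration and reports where the Duo-LDAP server and the secondary authentication settings differ from the values given in the walkthrough. The CLI lines in the sample are an assumption about how these ASDM settings appear in the running configuration, and the hostname and integration key are placeholders.

```python
import re

# Constructed sample (assumed CLI form of the ASDM settings; placeholder host and key).
SAMPLE_CONFIG = """\
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 ldap-base-dn dc=INTEGRATION_KEY,dc=duosecurity,dc=com
 ldap-scope onelevel
 ldap-naming-attribute cn
 ldap-login-dn dc=INTEGRATION_KEY,dc=duosecurity,dc=com
 ldap-over-ssl enable
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Duo-LDAP use-primary-username
"""

def block_after(config, header_re):
    """Return the indented sub-commands under every line matching header_re."""
    out, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = re.match(header_re, line) is not None
        elif inside:
            out.append(line.strip())
    return out

def audit_duo_ldap(config, group="Duo-LDAP"):
    """List deviations from the walkthrough; an empty list means none found."""
    host = block_after(config, rf"aaa-server {re.escape(group)} \(\S+\) host ")
    if not host:
        return [f"no server defined in AAA server group {group}"]
    opts = dict(l.split(" ", 1) for l in host if " " in l)
    expected = {"timeout": "60", "ldap-over-ssl": "enable",
                "ldap-scope": "onelevel", "ldap-naming-attribute": "cn"}
    findings = [f"{k} is {opts.get(k)!r}, expected {v!r}"
                for k, v in expected.items() if opts.get(k) != v]
    base = opts.get("ldap-base-dn", "")
    if (not re.fullmatch(r"dc=[^,]+,dc=duosecurity,dc=com", base)
            or opts.get("ldap-login-dn") != base):
        findings.append("base/login DN must be dc=<integration key>,dc=duosecurity,dc=com")
    profiles = block_after(config, r"tunnel-group \S+ general-attributes")
    sec = [s for s in map(str.split, profiles)
           if s[:1] == ["secondary-authentication-server-group"] and group in s]
    if not sec:
        findings.append(f"no connection profile uses {group} as secondary authentication")
    if any("LOCAL" in s for s in sec):
        findings.append("secondary authentication falls back to LOCAL")
    if any("use-primary-username" not in s for s in sec):
        findings.append("use-primary-username is not set")
    return findings
```

Run audit_duo_ldap on the text of your own configuration export; each returned string names one setting that differs from the steps above.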
