Anyconnect VPN and auto push

Hi, the task is simple but I cant get it work. I want to use Duo with anyconnect. The requirements are:

  • password management has to be enabled
  • the third line for OTP has to be visible
  • push notification is the default but I don’t want users to type the word push in that 3rd line every time he logs in.
    I have a setup with ISE for primary authentication and Duo LDAP for secondary authentication.

is it something like this possible?


I have the same setup except password management (disabled) & OTP (we only use push without any intervention from users). But, as explained here, if some of your users want to use OTP, they may add ,<passcode> after ther AD password.

For example:

username: bob
password: hunter2,123456

I set it up in the way below:

  1. FTD uses ISE as RADIUS server.
  2. In ISE, I use Duo AuthC proxies as External Radius Servers.
  3. Duo AuthC proxies uses our AD for backend authentication.


Hi Antony
if you type the OTP in the same line with the password then it is the different setup. I had it like this before but when I enabled password management, the OTP stopped working I believe because of MSCHAP. The requirement is to have 3rd line for OTP, they don’t want to have OTP within password line.thank you

Hi @Peter_Matuska,

You may have to follow this guide.

It is about ASA, ISE & Symantec VIP but I’m pretty sure you may adapt it to match your need.



So in this case it isn’t Duo that is requiring input into the second password field.

You didn’t say but I am going to assume you are using an ASA.

When you set up separate primary and secondary authentication on the connection profile then the ASA won’t proceed without input in that second password field. At that point it has no idea that the secondary AAA server in the server group you picked is a Duo Authentication Proxy or some other LDAP server or something else entirely. It just knows you configured secondary auth so therefore it needs a password to send to the AAA server.