Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1665
Views
0
Helpful
4
Replies

Anyconnect VPN and auto push

Peter_Matuska
Level 1
Level 1

‎03-08-2022 09:23 AM

Hi, the task is simple but I cant get it work. I want to use Duo with anyconnect. The requirements are:

  • password management has to be enabled
  • the third line for OTP has to be visible
  • push notification is the default but I don’t want users to type the word push in that 3rd line every time he logs in.
    I have a setup with ISE for primary authentication and Duo LDAP for secondary authentication.

is it something like this possible?

Labels:
0 Helpful
4 Replies 4

Antony GALLEZ
Level 1
Level 1

‎03-08-2022 09:42 AM

@Peter_Matuska,

I have the same setup except password management (disabled) & OTP (we only use push without any intervention from users). But, as explained here, if some of your users want to use OTP, they may add ,<passcode> after ther AD password.

For example:

username: bob
password: hunter2,123456

I set it up in the way below:

  1. FTD uses ISE as RADIUS server.
  2. In ISE, I use Duo AuthC proxies as External Radius Servers.
  3. Duo AuthC proxies uses our AD for backend authentication.

Regards,
Antony

0 Helpful

Peter_Matuska
Level 1
Level 1

‎03-09-2022 07:04 AM

Hi Antony
if you type the OTP in the same line with the password then it is the different setup. I had it like this before but when I enabled password management, the OTP stopped working I believe because of MSCHAP. The requirement is to have 3rd line for OTP, they don’t want to have OTP within password line.thank you

0 Helpful

Antony GALLEZ
Level 1
Level 1

‎03-09-2022 08:48 AM

Hi @Peter_Matuska,

You may have to follow this guide.

It is about ASA, ISE & Symantec VIP but I’m pretty sure you may adapt it to match your need.

HTH,
Antony

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Antony GALLEZ

‎03-16-2022 02:44 PM

@Peter_Matuska

So in this case it isn’t Duo that is requiring input into the second password field.

You didn’t say but I am going to assume you are using an ASA.

When you set up separate primary and secondary authentication on the connection profile then the ASA won’t proceed without input in that second password field. At that point it has no idea that the secondary AAA server in the server group you picked is a Duo Authentication Proxy or some other LDAP server or something else entirely. It just knows you configured secondary auth so therefore it needs a password to send to the AAA server.

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents