Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5194
Views
1
Helpful
1
Replies

Azure AD Cisco AnyConnect

jjacobsHL
Level 1
Level 1

‎11-03-2017 07:18 AM

We got excited seeing Azure Active Directory Integration with DUO (Directory Sync) thinking we could move away from needing to use our on premises servers. Our goal is to move everything we can to the cloud including our domain controllers (Azure AD).

It seems DUO and Azure AD can only be used as secondary authentication and you still need a primary authentication to occur first? I’m a bit confused on how we can use DUO with Azure AD. It seems we still need something on prem like a Proxy/MFA server? I got hopeful thinking we just set the primary authentication as Duo-LDAP and it would just work that way without needing anything onsite.

Labels:
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎11-06-2017 06:06 AM

You’re correct; Duo only handles secondary authentication and you still need a separate identity source for primary authentication before continuing on to Duo 2FA (or else we’d be Uno Security).

You do not need to use the Duo customer control for Azure AD conditional access (which is only available in an Azure AD P2 Premium subscription) to add Duo protection to your Cisco AnyConnect VPN logins. In fact, you cannot use the Duo Azure CA control with AnyConnect (because the Azure control is compatible only with applications that show the Duo Prompt in a browser and AnyConnect doesn’t).

You can try this for AnyConnect though:

  1. Enable Secure LDAP in your Azure AD domain: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.

  2. Point your Cisco ASA to Azure AD over LDAPS for primary authentication.

  3. Proceed with adding secondary authentication via Duo’s LDAP configuration for Cisco: https://duo.com/docs/cisco.

Protecting web-based applications using Azure AD for primary authentication is the most popular use case for the Duo custom control for Azure CA. For example, if you have Office 365 your primary login is the Azure AD account associated with that O365 tenant. If you enabled the Duo custom control in an Azure AD conditional access policy then it would prompt for Duo after primary login with the Azure AD account.

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents