Cisco AnyConnect SSL VPN Authentication


#1

I am having a problem using Duo for Cisco AnyConnect VPN. In the VPN Profile, under Advanced > Secondary Authentication, if I select the checkbox for "Use primary username (Hide secondary username on login page)", the login prompt for AnyConnect shows one username field and two password fields, and the authentication fails. But if I leave that box unchecked, the login prompt for AnyConnect shows two username and password fields, and using the same username, the authentication works and I get the push notification.
In fact, I even swapped the primary and secondary authentication methods to help narrow down the issue. When I use Duo as primary and local auth as secondary, and I have the "Use primary username" option selected, I get the push notification on my phone, but the AnyConnect login fails because the local authentication on the Cisco ASA fails. So no matter which order the auth methods are configured in, the secondary auth method fails if I tell the AnyConnect profile to use the same username for both authentication methods.


#2

Did you try monitoring the connection attempt when you have that box checked in ASDM to see why the secondary auth may be failing? Does browser SSL VPN access work correctly with both primary and secondary authentication configured to use the same username?

Your best bet is to contact Duo Support so one of our technical advisors can review your ASA configuration details and engage in in-depth troubleshooting steps with you.


#3

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv45057


#4

Make sure you have DNS lookup set to true on the outside interface, and a DNS server configured, so the ASA can resolve the Duo server name in the LDAP config.
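The ASA-side check this reply describes, written out as an added example (not the poster's configuration): the interface DNS lookup and a name server are what let the `aaa-server` entry resolve the Duo hostname. The DNS server address, the server-group name `DUO-LDAP`, the interface name `outside`, and the Duo hostname are placeholders here, not values from this thread.

```cisco
! Allow the ASA to perform DNS lookups out the interface that reaches Duo
dns domain-lookup outside

! Point the default DNS server group at a resolver the ASA can reach
! (192.0.2.53 is a placeholder address, not a value from this thread)
dns server-group DefaultDNS
 name-server 192.0.2.53

! The Duo LDAP server is referenced by hostname, so resolution must work
! before the secondary authentication can even be attempted
! (hostname and group name are placeholders)
aaa-server DUO-LDAP protocol ldap
aaa-server DUO-LDAP (outside) host api-XXXXXXXX.duosecurity.com

! Verify from the ASA that the name actually resolves before testing AnyConnect
ping api-XXXXXXXX.duosecurity.com
```

If the `ping` reports that the hostname cannot be resolved, the secondary authentication will fail regardless of how the AnyConnect profile's username options are set, so this is worth confirming before debugging the "Use primary username" behaviour itself.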