Cisco ASA and Duo Secondary Password Field

thambright · ‎06-03-2019

Is anyone aware of a way to pre-populate the Secondary Password field on the Cisco AnyConnect Client so that PUSH is not required to be typed in? The PUSH method is how this will be setup for all our users and we would like to make this a simple login process and then the user receives the DUO notification on their mobile device.

mkorovesisduo · ‎06-03-2019

It sounds like you are using our ASA LDAP configuration. If you utilize our ASA RADIUS configuration, then AnyConnect users will not see a second password field and will automatically receive a push or phone callback.

Note, however, that users cannot self-enroll with our RADIUS configuration. You can learn more about our ASA configuration options here.

thambright · ‎06-03-2019

We are using Cisco ISE as our Radius Authentication and DUO as our Secondary Authentication for the push. Reason for this is we are able to utilize the AD directory groups and downloadable ACL’s for the clients.

jeffsmith1 · ‎06-07-2019

If you also have a SAML IDP you can use that and still point to ISE for Authorization. The End user experience will then be what you currently see in the browser.

Here is a doc with our Duo Access Gateway however if you use something like Azure AD or ADFS that will work as well.

Victor · ‎03-22-2021

Hello to everyone.
I’m trying to configure ASA SSL vpn with minimum user interaction and always on. My first authentication is user certificate and second is DUO configured as radius server (using duo auth proxy VM) but I still get the prompt from Anyconnect for “push” field. Has anyone managed to achieve this without the password prompt?

DuoKristina · ‎03-22-2021

@victor_p,

Which of the various radius_server_??? Authentication Proxy configurations did you choose?

Duo, not DUO.

Victor · ‎03-24-2021

@DuoKristina
[duo_only_client]

[radius_server_duo_only]
ikey=notsharing
skey=notsharing
api_host=notsharing
radius_ip_1=notsharing
radius_secret_1=notsharing
failmode=secure
client=duo_only_client
port=1812

DuoKristina · ‎03-24-2021

OK, there are two takeaways from this for you:

radius_server_duo_only does not do autopush or let you proceed without submitting a “password” to it in the form of a Duo factor name or passcode. radius_server_auto with duo_only_client would send an automatic push, buuuuut…
Previous exploration of ASA with cert for primary and Duo showed that you can’t use any secondary authentication without having AAA enabled as an authentication method, and submitting a password. This was confirmed by Cisco TAC.

So with this config we could find no feasible way it would not require submitting a password value to start RADIUS AAA auth after certificate authentication success.

Duo, not DUO.