Cisco ASA and Duo Secondary Password Field

Is anyone aware of a way to pre-populate the Secondary Password field on the Cisco AnyConnect Client so that PUSH is not required to be typed in? The PUSH method is how this will be setup for all our users and we would like to make this a simple login process and then the user receives the DUO notification on their mobile device.

It sounds like you are using our ASA LDAP configuration. If you utilize our ASA RADIUS configuration, then AnyConnect users will not see a second password field and will automatically receive a push or phone callback.

Note, however, that users cannot self-enroll with our RADIUS configuration. You can learn more about our ASA configuration options here.

We are using Cisco ISE as our Radius Authentication and DUO as our Secondary Authentication for the push. Reason for this is we are able to utilize the AD directory groups and downloadable ACL’s for the clients.

If you also have a SAML IDP you can use that and still point to ISE for Authorization. The End user experience will then be what you currently see in the browser.

Here is a doc with our Duo Access Gateway however if you use something like Azure AD or ADFS that will work as well.