Cisco ASA Group Policies and Duo

Hello,

I’ve implemented Duo with my Cisco ASA using SAML but am I correct in assuming that I can’t assign different group policies using the ASA? Would I be better off using a RADIUS server with Duo?

Thanks for the help,

Derrick

1 Reply

DuoKristina
Cisco Employee

Our RADIUS implementation is unable to send LDAP group information directly from an LDAP primary authentication source. You do have a few options here though:

1: ASA > [Duo RADIUS Proxy (Duo Authentication Proxy Reference | Duo Security) as primary] > NPS or other upstream RADIUS primary auth source that can send group info in a RADIUS attribute.

With this config you’d want to make sure to set the pass_through_all option for both the RADIUS server and client configurations in the Duo proxy’s authproxy.cfg file.

2: ASA > LDAP primary auth PLUS ASA > Duo RADIUS proxy only for secondary auth. The group info for assigning policies comes directly from your LDAP directory.

Duo, not DUO.