We set up our ASA AnyConnect to use Duo for 2FA following these instructions: https://duo.com/docs/ciscoasa-radius. We use AD/LDAP as the primary authenticator.
This setup works fine, but we have noticed that after implementing this configuration, users whose passwords are about to expire are not warned about it. Also, once a user's password has expired, this mode of connecting to the VPN becomes useless and requires an admin to reset the password in AD. This worked fine before implementing Duo for auth and 2FA. Am I missing something here? I have password management enabled on the connection profile on the ASA.
Thanks for any assistance!
PS - Reason we don’t want to use SAML for this is because we don’t want to maintain the DAG internally and plan on moving to Duo Cloud SSO for all cloud apps.