Cisco Firepower Duo Proxy setup


#1

Hello

I am looking for someone that has had success setting up a Cisco NGFW Firepower Threat Defense device with the Duo Authentication Proxy application. I have followed everything I can find but I am not getting the prompt for the secondary passcode on anyconnect.


#2

The FTD doesn’t support double-authentication, so you probably configured it to point to the Duo Authentication Proxy, and then the Duo proxy handles both primary and secondary authentication.

In this configuration there will be no second field for a passcode in the AnyConnect prompt. You should receive an automatic push request if Duo Mobile is activated for the user, or a phone call if Duo Mobile is not activated. If using SMS or token passcodes, append the token code to the password with a comma.

Does this help?


#3

So if that is the case, do I point my AAA server group just to the Duo Proxy and not to the LDAP server? That way only Duo handles both.


#4

Yes, you would do the following:

  1. Deploy Duo Authentication Proxy as described on Two-Factor Authentication Using RADIUS | Duo Security, using [ad_client] or [radius_client] (whichever you are already using for AAA in your FTD, you probably want to point your Duo server to the same thing).

  2. Create a RADIUS server group with your Duo proxy in it.

  3. Use the Duo RADIUS server group as the AAA Authentication Server in your Remote Access Connection Profile (instead of whatever AAA server group you use now).
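A minimal `authproxy.cfg` matching the three steps above, added here as an illustration rather than a configuration taken from the thread. It assumes the `[ad_client]` variant (the proxy checks the primary password against Active Directory over LDAP and then asks Duo for the second factor) and that the FTD reaches the proxy at `10.0.0.20`; every host name, IP address, DN and key below is a constructed placeholder and must be replaced with values from your own Duo admin panel and directory.

```ini
; authproxy.cfg (added example; all values are placeholders, not from the original post)

; Primary authentication: proxy binds to AD with a low-privilege service account
; and verifies the user's password. This replaces the LDAP server the FTD used to
; talk to directly.
[ad_client]
host=dc1.example.internal
service_account_username=duo-proxy-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal

; RADIUS listener the FTD's new AAA server group points at. "auto" means the proxy
; picks the second factor itself: Duo Push if the user has Duo Mobile activated,
; otherwise a phone call, which is why AnyConnect shows no separate passcode field.
; A user who wants to use an SMS or token code instead types "password,123456".
[radius_server_auto]
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Only this RADIUS client (the FTD) may send requests; the secret here must equal the
; key configured on the FTD RADIUS server object.
radius_ip_1=10.0.0.20
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
; Which primary-authentication section to use (ad_client above, or radius_client).
client=ad_client
port=1812
; "safe" allows primary-only logins if the Duo cloud is unreachable; "secure" denies
; them. Choose deliberately; "secure" is the stricter default for a VPN head end.
failmode=secure
```

On the FTD side the RADIUS server object for step 2 uses the proxy's address, port 1812 and the same shared secret as `radius_secret_1`; the AnyConnect timeout in the connection profile should be long enough (60 seconds is a common choice) for the user to approve the push or answer the phone call before the RADIUS request expires.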