Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7592
Views
2
Helpful
4
Replies

Confused with U2F and AnyConnect VPN

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Level 1
Level 1

‎09-05-2017 03:48 PM

Hi folks - I purchased some Yubico 4 Nano U2F devices for use with our Cisco AnyConnect VPN but I’m baffled as to how to add these things to the user accounts.

My users get the AnyConnect application username/password/password window but and Duo is working with the 2FA, but how do I let them add a device when they don’t log in ti Duo?

Any help you can offer would be very appreciated.

Thanks.

Labels:
0 Helpful
4 Replies 4

Dooley
Level 3
Level 3

‎09-05-2017 04:47 PM

Hey Tim,
Users can add U2F tokens upon initial enrollment or via the self-service portal at the Duo Prompt – or the Device Management Portal if you’ve configured that application: https://guide.duo.com/u2f. Administrators cannot add U2F devices to user accounts.

In order to use U2F tokens to authenticate, users have to access a web-based application in Chrome that displays the Duo Prompt. Unfortunately this means the AnyConnect client’s second password field isn’t supported, but web-based logins to our Cisco ASA “primary” configuration do display the prompt. You can learn more about the differences between our primary and alternate Cisco applications here: https://help.duo.com/s/article/2295

0 Helpful

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Level 1
Level 1
In response to Dooley

‎09-06-2017 09:21 AM

Hi Dooley,

Thank you for the quick reply. Unfortunately I’m still confused. I went through the Cisco ASA Primary instructions and made all the necessary changes to the Duo setup but after the users have enrolled in Duo, then go to authenticate they are greeted with a Cisco login box not the Duo setup box.

Any help you can offer would be appreciated.

tim

0 Helpful

Greg9
Level 1
Level 1
In response to vvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

‎09-06-2017 09:59 AM

Hey Tim,

Think of the Yubikey as a two-in-one device. The U2F “half” is separate from the OTP “half”. The U2F half is limited to use with Chrome and users can enroll it (associate it with their Duo account) themselves. The OTP half must be added by an Admin and is managed like a typical hardware token. This OTP half is what you’ll need to use with the AnyConnect clients.

This article differentiates between the two functionalities of the Yubikey: https://help.duo.com/s/article/2942

Sounds like you’ll need to login to your Duo Admin Panel, import your Nano as a HW Token (so you can use the OTP “half” mentioned above), then associate that token with your username. You’ll then be able to login to your AnyConnect by typing in your username, passcode, then in the Secondary Password field you’d tap and hold your Nano until it writes an OTP code in that Secondary Password field.

Users cannot self-enroll through the AnyConnect (and can never self-enroll a HW Token including the Nano). Those users would need to login through a browser to self-enroll, or you could send them an enrollment email from the Duo Admin Panel. https://duo.com/docs/enrolling_users

best,
-Greg

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Level 1
Level 1
In response to Greg9

‎09-07-2017 09:01 AM

Ok I got it now.

Thanks Greg.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents