Confused with U2F and AnyConnect VPN


Hi folks - I purchased some Yubico 4 Nano U2F devices for use with our Cisco AnyConnect VPN but I’m baffled as to how to add these things to the user accounts.

My users get the AnyConnect application username/password/password window and Duo is working with the 2FA, but how do I let them add a device when they don’t log in to Duo?

Any help you can offer would be very appreciated.



Hey Tim,
Users can add U2F tokens upon initial enrollment or via the self-service portal at the Duo Prompt – or the Device Management Portal if you’ve configured that application. Administrators cannot add U2F devices to user accounts.

In order to use U2F tokens to authenticate, users have to access a web-based application in Chrome that displays the Duo Prompt. Unfortunately this means the AnyConnect client’s second password field isn’t supported, but web-based logins to our Cisco ASA “primary” configuration do display the prompt. You can learn more about the differences between our primary and alternate Cisco applications here:


Hi Dooley,

Thank you for the quick reply. Unfortunately I’m still confused. I went through the Cisco ASA Primary instructions and made all the necessary changes to the Duo setup, but after the users have enrolled in Duo and then go to authenticate, they are greeted with a Cisco login box, not the Duo setup box.

Any help you can offer would be appreciated.



Hey Tim,

Think of the YubiKey as a two-in-one device. The U2F “half” is separate from the OTP “half”. The U2F half is limited to use with Chrome and users can enroll it (associate it with their Duo account) themselves. The OTP half must be added by an Admin and is managed like a typical hardware token. This OTP half is what you’ll need to use with the AnyConnect clients.

This article differentiates between the two functionalities of the YubiKey:

Sounds like you’ll need to log in to your Duo Admin Panel, import your Nano as a HW Token (so you can use the OTP “half” mentioned above), then associate that token with your username. You’ll then be able to log in to your AnyConnect by typing in your username, passcode, then in the Secondary Password field you’d tap and hold your Nano until it writes an OTP code in that Secondary Password field.

Users cannot self-enroll through the AnyConnect (and can never self-enroll a HW Token including the Nano). Those users would need to log in through a browser to self-enroll, or you could send them an enrollment email from the Duo Admin Panel.



OK, I got it now.

Thanks Greg.