Duo Cisco Anyconnect Secondary Password

I am trying to remove the secondary password option on my Cisco AnyConnect SSL VPN web portal - so new users can sign in using their AD username and password, and proceed to register their device once signed on.

new users do not have the secondary password to login, if that makes sense.

The duo is synced with AD security group.

Is there an option/setting for me to change?


Hi Aisling,
I see that you have an open support case about this as well, and it looks like you may have gotten the answer there already, but I am going to share it here as well for the wider community’s benefit :smiley:

Users can self-enroll via the Duo Authentication Prompt if they are able to log in to the ASA VPN using a browser. You can enable the Self-service portal through the Duo Admin Panel and users can enroll the device when you set a new user policy to require enrollment.

If only AnyConnect client access is permitted, users cannot self-enroll and must be enrolled using automatic or manual enrollment.

Hi Amy,

Thanks for getting back to me.

My issue here is – new users do not have secondary password sign so cannot log onto the AnyConnect VPN via browser because the portal page is asking for two passwords.

New users cannot have a secondary password yet as they have to log onto this portal with username and password from AD – and then register their device and set up 2fA. My question is how do you disable the secondary password field on the login page so users only are prompt for login creds - AD username and password, and begin to register their phone when logged into the web portal?


Is this an ASA? Did you follow these directions: Cisco ASA SSL VPN for Browser and AnyConnect | Duo Security?

It sounds like there is a misconfiguration or other issue with the customized Duo login page , because when configured correctly the ASA browser SSL VPN login page does not show a text input field for the second password, but instead loads the interactive Duo 2FA prompt where a new user could complete inline self-enrollment.