Duo-Cisco Javascript - Cisco ASA

Hi There!
We are currently deploying Duo with our Cisco Anyconnect VPN.
I’ve followed the instructions for LDAPS deployment but I ran into a weird issue.
As soon as we add the “script” block of text to include the file “Duo-Cisco-v6.js”, nothing happens when we fill out the form and hit LOGIN.

Is there anything to activate to allow javascript to run?

Cisco ASA 5512 running 9.12.4 (37).
File “Duo-Cisco-v6.js” has been downloaded and installed according to the procedure.

As soon as I remove this script text block, the Clientless page works fine.

Thanks!

Typically whether Javascript runs on a page or not is up to the client browser. Is it enabled there?

Also, might be worth double-checking for these common mistakes we see with Cisco ASA LDAPS support escalations:

  • The zip file from duo was uploaded to the ASA instead of the JS file extracted from the zip.
  • JS file requires authentication (web content path has +CSCOE+ instead of +CSCOU+).
  • Missing closing tag in the customization object.
  • The downloaded JS zip is the right one for the Duo account (sometimes admins who manage Duo on behalf of multiple clients have mixed up the JS zips, which are unique to each Duo customer account).
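
The first three checks in the list above can be run offline before uploading anything to the ASA. The following is an added example, not part of the original post and not Duo or Cisco code: the function names and sample strings are constructed, it assumes the customization text is available as plain pasted text, and it only checks the script tag for a missing closing tag.

```python
import re

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty zip archive
SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']*)["']""", re.IGNORECASE)

def check_js_upload(data: bytes) -> list[str]:
    """Flag the case where the zip itself was uploaded instead of the extracted JS."""
    if data.startswith(ZIP_MAGIC):
        return ["uploaded file is a zip archive, not the extracted JS file"]
    return []

def check_customization(text: str, js_name: str = "Duo-Cisco-v6.js") -> list[str]:
    """Check the script block of a customization (hypothetical helper)."""
    findings = []
    opens = SCRIPT_OPEN.findall(text)
    closes = SCRIPT_CLOSE.findall(text)
    if len(opens) != len(closes):
        findings.append(
            f"{len(opens)} opening <script> tag(s) but {len(closes)} closing tag(s)")
    referenced = False
    for tag in opens:
        m = SRC_ATTR.search(tag)
        if not m or not m.group(1).endswith(js_name):
            continue
        referenced = True
        src = m.group(1)
        if "+CSCOE+" in src:
            # +CSCOE+ content requires authentication, so the login page cannot load it
            findings.append(f"{src}: path uses +CSCOE+ instead of +CSCOU+")
        elif "+CSCOU+" not in src:
            findings.append(f"{src}: path does not contain +CSCOU+")
    if not referenced:
        findings.append(f"no <script> tag references {js_name}")
    return findings

if __name__ == "__main__":
    # Constructed samples, not taken from a real ASA configuration.
    samples = {
        "good": '<script src="/+CSCOU+/Duo-Cisco-v6.js"></script>',
        "auth path": '<script src="/+CSCOE+/Duo-Cisco-v6.js"></script>',
        "no close": '<script src="/+CSCOU+/Duo-Cisco-v6.js">',
    }
    for name, text in samples.items():
        print(name, "->", check_customization(text) or "ok")
    print("zip upload ->", check_js_upload(ZIP_MAGIC + b"\x14\x00"))
```
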

Hi Kristina, Thank you for the reply.
I’ve checked all of those points, thanks for the suggestion.
However, it is not working. After hitting LOGIN the button is faded and nothing happens.

If you look at the ASA logging during your login attempt, do you see that primary authentication to whatever you have configured (AD? ISE?) succeeds, and after that do you see an outbound request to your Duo cloud API host?

Also, have you tried a client connection to your SSL VPN (like, using AnyConnect, where the user types in username, password, and Duo factor)? Does that work with 2FA?

Hi Kristina,
If I remove the script portion in the customization, I do see a third field appear and I’m able to connect with my passcode from Duo. The Duo AAA server works fine when I’m testing it.

Anyconnect works fine too. I will try to investigate the outbound request.
Thanks!

Is there anything to activate on the Duo Admin Panel except the applications?

No, there isn’t.

It seems like there is an issue executing the Duo Javascript only, if AnyConnect works with 2FA and also browser SSL VPN works with the text-only experience.

I suggest you open a support case so a support engineer can review your configuration with you.

ETA: I strongly urge you to consider using Duo SSO with your ASA instead. There are benefits to using the SAML config over the LDAPS config, like support for network-based policy, showing an interactive prompt in AnyConnect, and support for the Duo Universal Prompt.

The LDAPS configuration will receive no further updates from Duo and is not in scope for Universal Prompt.

Awesome, thank you! I will configure it as suggested 🙂

Successfully configured, many thanks!

@jfboucher-neuf

I have the same problem as explained, the JavaScript is not working anymore.
How did you solve it, did you have to use DUO SSO?

Yes, we used SSO. Duo Single Sign-On for Cisco ASA with AnyConnect | Duo Security