
Duo-Cisco Javascript - Cisco ASA

jfboucher-neuf
Level 1

Hi There!
We are currently deploying Duo with our Cisco AnyConnect VPN.
I’ve followed the instructions for LDAPS deployment but I ran into a weird issue.
As soon as we add the “script” block of text to include the file “Duo-Cisco-v6.js”, nothing happens when we fill out the form and hit LOGIN.

Is there anything to activate to allow JavaScript to run?

Cisco ASA 5512 running 9.12.4 (37).
File “Duo-Cisco-v6.js” has been downloaded and installed according to the procedure.

As soon as I remove this script text block, the Clientless page works fine.

Thanks!

11 Replies

DuoKristina
Cisco Employee

Typically whether Javascript runs on a page or not is up to the client browser. Is it enabled there?

Also, might be worth double-checking for these common mistakes we see with Cisco ASA LDAPS support escalations:

  • The zip file from Duo was uploaded to the ASA instead of the JS file extracted from the zip.
  • JS file requires authentication (web content path has +CSCOE+ instead of +CSCOU+).
  • Missing closing tag in the customization object.
  • The downloaded JS zip is the right one for the Duo account (sometimes admins who manage Duo on behalf of multiple clients have mixed up the JS zips, which are unique to each Duo customer account).

Duo, not DUO.
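
A lint for the first three mistakes in the list above, added here as an example (it is not Duo's or Cisco's code and not part of the reply). It assumes the customization references the file through a `<script src=...>` tag; the function names and sample snippets are constructed for illustration, and the fourth item (a zip from the wrong Duo account) cannot be checked offline.

```python
import re

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that starts a zip archive

OPEN_TAG = re.compile(r"<script\b([^>]*)>", re.I)
CLOSE_TAG = re.compile(r"</script\s*>", re.I)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def check_customization(snippet: str) -> list[str]:
    """Return findings for the script block pasted into the customization."""
    opens = OPEN_TAG.findall(snippet)
    if not opens:
        return ["no <script> tag found"]
    findings = []
    # Assumption: the "missing closing tag" mistake is checked for <script> only.
    if len(CLOSE_TAG.findall(snippet)) < len(opens):
        findings.append("missing closing </script> tag")
    for attrs in opens:
        m = SRC_ATTR.search(attrs)
        if not m:
            continue  # inline script, no file reference to check
        src = m.group(1)
        if "+CSCOE+" in src:
            findings.append("path uses +CSCOE+ (requires authentication); expected +CSCOU+")
        elif "+CSCOU+" not in src:
            findings.append("path has no +CSCOU+ segment")
        if not src.lower().endswith(".js"):
            findings.append(f"script source is not a .js file: {src}")
    return findings


def check_uploaded_file(data: bytes) -> list[str]:
    """Flag the case where the zip itself was uploaded instead of the JS file."""
    if data.startswith(ZIP_MAGIC):
        return ["uploaded file is a zip archive, not the extracted JS file"]
    return []


# Constructed sample inputs (not taken from any real ASA configuration).
GOOD = '<script src="/+CSCOU+/Duo-Cisco-v6.js"></script>'
BAD = '<script src="/+CSCOE+/Duo-Cisco-v6.zip">'

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_customization(text) or "ok")
    print(check_uploaded_file(b"PK\x03\x04constructed") or "ok")
```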

Hi Kristina, Thank you for the reply.
I’ve checked all of those points, thanks for the suggestion.
However, it is not working. After hitting LOGIN the button is faded and nothing happens.

If you look at the ASA logging during your login attempt, do you see that primary authentication to whatever you have configured (AD? ISE?) succeeds, and after that do you see an outbound request to your Duo cloud API host?

Also, have you tried a client connection to your SSL VPN (like, using AnyConnect, where the user types in username, password, and Duo factor)? Does that work with 2FA?

Duo, not DUO.

jfboucher-neuf
Level 1

Hi Kristina,
If I remove the script portion in the customization, I do see a third field appear and I’m able to connect with my passcode from Duo. The Duo AAA server works fine when I’m testing it.

AnyConnect works fine too. I will try to investigate the outbound request.
Thanks!

jfboucher-neuf
Level 1

Is there anything to activate on the Duo Admin Panel except the applications?

No, there isn’t.

It seems like there is an issue executing the Duo Javascript only, if AnyConnect works with 2FA and also browser SSL VPN works with the text-only experience.

I suggest you open a support case so a support engineer can review your configuration with you.

ETA: I strongly urge you to consider using Duo SSO with your ASA instead. There are benefits to using the SAML config over the LDAPS config, like support for network-based policy, showing an interactive prompt in AnyConnect, and support for the Duo Universal Prompt.

The LDAPS configuration will receive no further updates from Duo and is not in scope for Universal Prompt.

Duo, not DUO.

Awesome, thank you! I will configure it as suggested.

jfboucher-neuf
Level 1

Successfully configured, many thanks!

simwid-1
Level 1

@jfboucher-neuf

I have the same problem as explained: the JavaScript is not working anymore.
How did you solve it? Did you have to use Duo SSO?

joseph.bernard
Level 1

If anyone happens to run into the problem before LDAPS is turned off and still needs it to work, or was wondering why things stopped working, here is the answer:
https://help.duo.com/s/article/5881?language=en_US

The problem also affected 9.12 even if the article says 9.13 and above.