DUO for Cisco anyconnect VPN with multi AD group

tjiang
Level 1

For security reasons, we are using multiple profiles with different rules on the Cisco ASA to restrict VPN users' access.
I created group one in AD and associated it with AD_CLIENT1 in the Duo proxy for one of the VPN profiles. My question is how to create multiple AD_Clients and associate them with different AD groups for different ASA VPN profiles.

Thanks.

1 Reply

DuoKristina
Cisco Employee

This isn’t possible to do with one server section, because there is a 1:1 relationship between the server section and the client used.

You have two options (I am assuming you added Duo via RADIUS):

  1. Configure multiple [radius_server_auto] sections, where each of them uses a different port and [ad_clientX] i.e. [radius_server_auto1] has client=ad_client and port=1812, [radius_server_auto2] has client=ad_client2 and port=1813, etc. Add these as multiple AAA servers and then update each profile to use the right AAA server. This sounds terrible and I don’t recommend it.

  2. Switch from [radius_server_auto] to [radius_server_duo_only]. You don’t need to specify any ad_client at all, because the Duo proxy won’t handle primary auth. Then in your VPN profiles, continue to use whatever AD LDAP server you already use for primary auth, and then add the Duo AAA RADIUS “Duo-only” server group for secondary authentication only.

Duo, not DUO.
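The two layouts the reply describes, written out as an added example authproxy.cfg (not from the original post or from Duo's own documentation); they are alternatives, not one file, since both option 1 and option 2 listen on port 1812. Hostnames, DNs, addresses, keys and secrets are placeholders.

```ini
; --- Option 2 (the reply's recommendation): Duo-only RADIUS, no ad_client ---
; The ASA keeps its existing AD/LDAP AAA server group for primary auth and
; sends only the second-factor request here. Every VPN profile can share this
; server group; which AD group may use which profile stays an ASA decision.
[radius_server_duo_only]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=RADIUS_SECRET_PLACEHOLDER
port=1812

; --- Option 1 (works, but the reply advises against it) ---
; One [ad_clientN] per AD group, one [radius_server_autoN] per client, each on
; its own UDP port and added to the ASA as a separate AAA server.
; security_group_dn limits each client to members of that AD group.
[ad_client]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=PASSWORD_PLACEHOLDER
search_dn=DC=example,DC=internal
security_group_dn=CN=VPN-Profile1,OU=Groups,DC=example,DC=internal

[ad_client2]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=PASSWORD_PLACEHOLDER
search_dn=DC=example,DC=internal
security_group_dn=CN=VPN-Profile2,OU=Groups,DC=example,DC=internal

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=RADIUS_SECRET_PLACEHOLDER
client=ad_client
port=1812

[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=RADIUS_SECRET_PLACEHOLDER
client=ad_client2
port=1813
```

With option 2 the service account, its password and the group DNs disappear from the proxy entirely, which is one less credential to protect on that host.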