DUO MFA for VPN-AD users

just wanted to setup DUO MFA for ASA VPN users. Users are AD users.
How can DUO know to which mobile number MFA request should be send when a user logs in.
How is DUO relating a phone number/phone to an AD user.

Please read this whole page: Duo Administration - Enroll Users | Duo Security and come back if you have more questions. :slight_smile:

1 Like

Thank you, I successfully got the user enrolled. Users are getting Duo mobile notification in their phones.

How can i force to send SMS instead of Duo App notification for few users.

If your users see a second password field, they would type sms into it. If they see a single password field and receive an automatic push, they would append ,sms to their password. See this guide: Auto Mode - Guide to Two-Factor Authentication · Duo Security

Thank you, I was looking an option for users without smart phones. They dont have Duo Mobile app in the phone. How can DUO send SMS only for those users.

Like I said, they have to specify the sms factor when they log in.

Are you using AnyConnect? Did you read this? Logging In With the Cisco AnyConnect Client - Guide to Two-Factor Authentication · Duo Security

Users are logging in from normal anyconnect, they wont get any option to select the MFA method.
Req is,

  1. user logs in from anyconnect
  2. User gets text SMS
  3. User enters text SMS in anyconnect
  4. User authenticated succesfully.

I’m sorry, I don’t understand what help you are looking for at this point. As I said, in order to receive an SMS message with a Duo passcode, the user needs to specify sms as the Duo factor to use.

This is our user guide to logging in with AnyConnect and Duo.

If your setup matches the “Single Password with Automatic Push” experience, then the user needs to append ,sms to their password as described in that guide. The login fails but the user receives the passcode via text. The user logs in again, this time appending ,thepasscodetheygotviatext to their password.

If your setup matches the “Second Password for Factor Selection” experience, then
the user types in sms for the second password. The login fails but the user receives the passcode via text. The user logs in again this time, this time using the password they got via text as the second password.

If you aren’t able to figure out which experience you have, or need 1:1 troubleshooting assistance, I suggest you contact Duo Support.

Thank you. I was looking on the configuration side.
What config to be done in DUO and in ASA for this.

Every one of the solutions on this page includes support for SMS passcode users:

1 Like

Guys, I got this working finally. Once the AnyConnect users enters IP/FQDN in AnyConnect and click connect, they’ll be redirected to a Duo login webpage. Here you’ll have to login using the mail/email address of the AD user and AD password.
Once logged in you’ll be treated with options for DUO push and SMS. Based on your choice MFA will be requested on your phone.

I couldn’t find any straightforward docs for this. I followed the below links;
Do the setup untill time 11:00 from this video -

**they are using salesforce here, I used ASA.
Once above setup is done, follow the below video.

This solution is documented here: Duo Single Sign-On for Cisco ASA with AnyConnect | Duo Security