Duo SSO - Any benefits for AnyConnect and On Prem Email?

Hello,

We’ve decided to implement Cisco Duo, and are planning to subscribe to the Access edition. Our primary goal was to implement Duo for VPN (AnyConnect on Firepower) first, and then for email, which is running on an on-prem Exchange server. And we have on-prem Active Directory, which I planned to sync users from.

I’ve been reading up on the deployment methods, and saw that we have the option for Duo SSO. But I’m not clear on whether Duo SSO provides any benefits to us if we are protecting only on-prem resources. (We don’t use Microsoft 365 currently, but may in the future.)

Also, would we be able to initially use Duo with a small group of associates (such as IT) before requiring it for all VPN users? Currently we use NPS and RADIUS for VPN auth, and VPN-enabled users are in a security group.

Thanks for any guidance.

Hey @mauricej341,

But I’m not clear on whether Duo SSO provides any benefits to us if we are protecting only on-prem resources. (We don’t use Microsoft 365 currently, but may in the future.)

You won’t be able to use Duo SSO with on-prem Exchange, but you can use our OWA plugin, which can provide 2FA for your web-based authentications to Exchange.

Also, would we be able to initially use Duo with a small group of associates (such as IT) before requiring it for all VPN users? Currently we use NPS and RADIUS for VPN auth, and VPN-enabled users are in a security group.

You can! There are a few different approaches you could take:

  1. You can have everyone use Duo SSO but only require some to use 2FA. You can do this by enrolling certain members in Duo but then having a policy set to “Allow access without 2FA”. You can read more in the Duo 2FA Policy docs.

  2. On the Cisco Firepower you can create a separate tunnel-group for users that you’d like to try using Duo SSO and only apply Duo SSO to that tunnel group. You can then instruct certain users to select that tunnel group when authenticating.

2 Likes

If you set up your Firepower VPN with Duo SSO instead of with RADIUS it gives your users a better experience. They will see an interactive Duo prompt with AnyConnect if using SSO, but if you use RADIUS it will do an automatic push with no Duo UI shown.

Additionally, some of the Access features like OS/Browser policy and Device Health checks aren’t available with the RADIUS config, as they are only applied when the Duo interactive web prompt gets shown.

2 Likes

Thanks Jamie and Kristina, this is very helpful!

1 Like

Also, without some version of the Duo prompt (via SSO, or bouncing the AnyConnect auth off an ADFS instance or Duo Network Gateway instance), user self-service is an issue. We deployed a “Self Service” site on our intranet so users could update phones, switch primary 2FA method, etc.