Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1289
Views
5
Helpful
4
Replies

Duo SSO - Any benefits for AnyConnect and On Prem Email?

mauricej341
Level 1
Level 1

‎09-27-2021 01:13 PM

Hello,

We’ve decided to implement Cisco Duo, and are planning to subscribe to the Access edition. Our primary goal was to implement Duo for VPN (AnyConnect on Firepower) first, and then for email, which is running on an on-prem Exchange server. And we have on-prem Active Directory, which I planned to sync users from.

I’ve been reading up on the deployment methods, and saw that we have the option for Duo SSO. But I’m not clear on, if Duo SSO provides any benefits to us, if we are protecting only on-prem resources. (We don’t use Microsoft 365 currently, but, may in the future.)

Also, would we be able to initially use Duo with a small group of associates (such as IT) before requiring it for all VPN users? Currently we use NPS and Radius for VPN auth, and VPN enabled users are in a security group.

Thanks for any guidance.

Labels:
0 Helpful
4 Replies 4

jamieis
Cisco Employee
Cisco Employee

‎09-27-2021 03:21 PM

Hey @mauricej341,

But I’m not clear on, if Duo SSO provides any benefits to us, if we are protecting only on-prem resources. (We don’t use Microsoft 365 currently, but, may in the future.)

You won’t be able to use Duo SSO with on-prem exchange but you can use our OWA plugin which can provide 2FA for your web-based authentications to exchange.

Also, would we be able to initially use Duo with a small group of associates (such as IT) before requiring it for all VPN users? Currently we use NPS and Radius for VPN auth, and VPN enabled users are in a security group.

You can! There are a few different approaches you could take:

  1. You can have everyone use Duo SSO but only require some to use 2FA. You can do this by enrolling certain members in Duo but then having a policy set to “Allow access without 2FA”. You can read more here in the Duo 2FA Policy docs

  2. On the Cisco Firepower you can create a separate tunnel-group for users that you’d like to try using Duo SSO and only apply Duo SSO to that tunnel group. You can then instruct certain users to select that tunnel group when authenticating.

DuoKristina
Cisco Employee
Cisco Employee
In response to jamieis

‎09-29-2021 06:35 AM

If you set up your Firepower VPN with Duo SSO instead of with RADIUS it gives your users a better experience. They will see an interactive Duo prompt with AnyConnect if using SSO, but if you use RADIUS it will do an automatic push with no Duo UI shown.

Additionally, some of the Access features like OS/Browser policy and Device Health checks aren’t available with the RADIUS config, as they are only applied when the Duo interactive web prompt gets shown.

Duo, not DUO.

mauricej341
Level 1
Level 1

‎09-29-2021 07:36 AM

Thanks Jamie and Kristina, this is very helpful!

Ken Stieers
VIP
VIP

‎10-15-2021 11:16 AM

Also, without some version of the Duo prompt (via sso, or bouncing the Anyconnect auth off a ADFS instance or Duo Network Gateway instance), user self service is an issue. We deployed a “Self Service” site on our intranet so users could update phones/switch primary 2fa method, etc.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents