DUO with AnyConnect - login loop

I have installed and configured the DUO Proxy server and have attempted configurations via “active directory” and “Radius” to our Domain Controller, following your online documentation (Two-Factor Authentication Using RADIUS | Duo Security). In both cases, it appears that the connectivity is good and all seems well until I attempt to connect to the VPN.

The AnyConnect client login appears, I enter username/pw as usual, I then get prompted on my phone for the DUO push approval (all good so far), but once I “approve” on my phone, the Cisco AnyConnect prompt returns to the original username/pw prompt instead of connecting to the VPN. This loop just repeats itself over and over.

Network info: Cisco RV340 Firewall is the VPN endpoint, AnyConnect Client version is 4.10.03104, and we are authenticating Active Directory credentials against a Windows Domain Controller as the primary authentication and then DUO for the 2FA.

Old (working config) is just the Cisco RV340 authenticating against the Domain Controller via Radius at the moment.

Anyone have any info that could help me here?

I wonder if the timeout for the auth at the firewall is not long enough? We recommend 60 seconds as that is the lifetime of a Duo Push request. If the timeout doesn’t permit enough time for a user to receive the push request and approve it, it may be that the firewall reaches the timeout and retries (which could explain receiving multiple pushes without logging in).

Start with checking the authentication logs on your firewall and debug logging on the Duo proxy server. Look to see if the Duo proxy is returning a deny or if it is still waiting for a response to the 2FA request in flight when the firewall sends it another access request. If you don’t see the issue, consider contacting Duo Support.
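The check suggested in the reply above, as an added example that is not part of the original thread and is not Duo or Cisco code: it groups RADIUS packets by client and identifier, counts re-sent Access-Requests, and compares the observed retry interval with the 60-second push lifetime. The one-line-per-packet format, the IP addresses and the sample traffic are constructed for illustration; adapt the regular expression to whatever your capture or log export actually produces.

```python
import re
from datetime import datetime

PUSH_LIFETIME = 60.0  # seconds, the Duo Push lifetime quoted in the reply

# Constructed sample: a hypothetical one-line-per-packet summary of RADIUS
# traffic between the firewall (10.0.0.1) and the proxy (10.0.0.5).
SAMPLE = """\
12:00:00.000 10.0.0.1 > 10.0.0.5 Access-Request id=17
12:00:05.000 10.0.0.1 > 10.0.0.5 Access-Request id=17
12:00:10.000 10.0.0.1 > 10.0.0.5 Access-Request id=17
12:00:21.500 10.0.0.5 > 10.0.0.1 Access-Accept id=17
12:03:00.000 10.0.0.1 > 10.0.0.5 Access-Request id=18
12:03:12.000 10.0.0.5 > 10.0.0.1 Access-Accept id=18
"""

LINE = re.compile(r"(\S+) (\S+) > (\S+) (Access-\w+) id=(\d+)")

def analyze(text):
    """Group packets by (client, identifier) and report retransmissions."""
    # Simplification: assumes identifiers are not reused within the capture.
    reqs = {}  # (client, id) -> {"sent": [times], "reply": (code, time)}
    for m in LINE.finditer(text):
        ts, src, dst, code, ident = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        if code == "Access-Request":
            reqs.setdefault((src, ident), {"sent": [], "reply": None})["sent"].append(t)
        elif (dst, ident) in reqs and reqs[(dst, ident)]["reply"] is None:
            reqs[(dst, ident)]["reply"] = (code, t)
    findings = []
    for (client, ident), r in reqs.items():
        sent = r["sent"]
        # A retransmission keeps the same identifier, so the gap between
        # copies of one request is the client's per-try timeout.
        gaps = [(b - a).total_seconds() for a, b in zip(sent, sent[1:])]
        timeout = min(gaps) if gaps else None
        delay = (r["reply"][1] - sent[0]).total_seconds() if r["reply"] else None
        # Resending sooner than the push lifetime means the client gave up
        # on a try while the push could still have been approved.
        short = timeout is not None and timeout < PUSH_LIFETIME
        findings.append({"client": client, "id": int(ident),
                         "retransmits": len(sent) - 1, "timeout": timeout,
                         "reply_delay": delay, "timeout_too_short": short})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

A request with no retransmissions reports `timeout` as `None`, since one packet says nothing about how long the client would have waited.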