Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
615
Views
1
Helpful
1
Replies

EOL for Duo LDAP solution for Cisco Anyconnect dynamic group policy selection

drnash211
Level 1
Level 1

‎03-08-2023 11:31 AM

We currently use the Anyconnect LDAPS method as using that in conjunction with internal LDAP servers is the only solution that allows us to dynamically assign a group-policy to Anyconnect users based on their group membership. What is the DUO solution to this once LDAPS is EOL? Is there a SAML2 method that will allow us to select group-policy upon login?

Labels:
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎03-09-2023 11:00 AM

I know ASA didn’t support DAP with SAML but it looks like it does in 9.19? https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/asdm719/vpn/asdm-719-vpn-config/vpn-asdm-dap.pdf (page 31)

I think though, there is a wrinkle in that the current Duo SSO SAML application for ASA doesn’t send group (memberof) information today. The Generic Duo SSO SAML application does support sending role attributes as a service provider attribute. So, you should be able to federate the ASA with Duo SSO using the generic SAML app to specify the group attribute to use for DAP.

Feel free to contact Duo Support for assistance with deploying that generic SAML app with the ASA.

ETA: you can also continue using LDAP to AD for DAP if you switch to RADIUS auth for 2FA only (Duo RADIUS AAA as secondary) via the Authentication Proxy. Duo RADIUS Two-Factor Authentication with Password Reset for Cisco ASA SSL VPNs | Duo Security

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents