We are currently using Duo in a Cisco ASA environment using a DAG setup. We’re migrating to newer firewalls which utilize FTD. We followed the directions on setting up the Duo Proxy; however, it looks like it uses just the AnyConnect interface and removes any option for my users to choose which method they want to authenticate with. I have some users who utilize SMS and YubiKeys - anybody else run into this? Is there another way other than not using FTD?
If you set up FTD with SAML then users see the Duo Prompt in AnyConnect.
*Requires FTD/FMC 6.7.0+
ETA: You can set up FTD to use SAML auth with DAG too, but you’d need to use the DAG Generic SAML app and when stepping through the FTD SSO instructions linked above you’d be supplying the certificate, Entity ID, SSO URL, and Logout URL from your DAG admin console instead of from Duo hosted SSO (but really, if it’s an option for you, consider migrating to Duo SSO).