Request for 2fa authentication.

2FA has been configured for Cisco Firepower Threat Defense VPN. Users connect through Cisco AnyConnect. 2FA is not stable. Sometimes it prompts the 2FA method and sometimes it doesn’t. How to make it keep asking for 2FA?

Hello @slusarj23, welcome to the Duo Community!

I’m sorry to hear you’re having issues with Duo 2FA. Are your users not being prompted to complete 2FA at all, or are you having issues with users receiving push notifications?

Good day. For example, out of ten user authentication attempts, the 2fa push notification appears only eight. AnyConnect doesn’t always fail with 2fa. I want it to ask for 2fa from the user every time.

How are you configured for the FTD VPN? Are you using RADIUS, SSO, LDAP, or some other method of integration?

My organization chart

Do you mean eight out of ten times a given user gets the Duo Push request to approve, and the other two times the user does not receive the Duo Push request and the VPN login attempt fails? If so, you may want to explore the suggestions in these Duo Push troubleshooting articles:

Troubleshooting Duo Push notification issues on iOS devices

Troubleshooting Duo Push notification issues on Android devices

Do you mean that out of ten users, eight of them have to use Duo 2FA to log in and the other two get connected to the VPN with no 2FA at all? That sounds more like a configuration issue and I would encourage you to contact Duo Support to perform more in-depth troubleshooting.

Since you are using a RADIUS configuration you can enable debug logging at the Duo Authentication Proxy to see what is happening during an login attempt… does it show a push request sent to the user that then times out with no response, does it allow the user due to policy or status permitting login without 2FA, etc.