VPN with Device Health

bjames
Level 5

Hi,

I’ve had this request a few times now from clients; endpoint/posture assessment for VPN clients using DUO Health. I understand it requires the iframe/web functionality to invoke it, but now that Anyconnect and the Universal Prompt is coming can we re-visit this?

With WFH so prevalent now it would be nice to do a posture assessment on corporate clients for the VPN just like Cisco with Anyconnect.

Thanks in advance,

Bob

5 Replies

DuoKristina
Cisco Employee

This is available now for AnyConnect when configured to use SSO with Duo and a compatible AnyConnect client version is used.

Do you have a different VPN in mind?

Duo, not DUO.

bjames
Level 5

Sorry I didn’t see anything about Duo Health application in those docs. If using Anyconnect, why would I not use its posture assessment?

As for other clients; Pulse, Fortinet, Sonicwall

Thanks

Are you asking if Duo can use the AnyConnect posture info (distinct from any Duo health checks) during auth? We have a feature request for this so please reach out to your Duo account exec, customer success manager, or Duo support to join it and add more information about your use case.

As for the other VPNs you mentioned, those clients don’t show the Duo prompt today via RADIUS. The path forward for them is going to be SAML SSO. Pulse client and FortiClient are both capable of SAML auth via embedded browser UI; not sure about Mobile Connect.

You could try this today (subject to your specific VPN’s model/firmware SAML 2.0 support) with the DAG generic or Duo Single Sign-On generic SAML service provider applications. If interested in a named, preconfigured Duo Single Sign-On application for these VPNs, or any others, again it’s best to go through the Duo feature request process.

Duo, not DUO.

Hi Kristina,

Sorry for bumping this thread, but I am facing the same requests from my customers.
The request is to use health device verification option when clients connect using FortiClient VPN. My understanding after reading this thread is that this is not supported; am I understanding this correctly?

Thank you,

Not with Duo added by RADIUS or LDAP.

If a given VPN client app supports passive browser login via federation/SSO, you can use Duo Single Sign-On + the Generic SAML application to add Duo to the VPN logins via SAML 2.0. Duo SSO shows a Duo prompt in the browser so it can also do Device Health checks.

Looks like it’s possible for FortiClient as of v6.4.

Duo, not DUO.