02-11-2021 02:12 PM
Hi,
I’ve had this request a few times now from clients: endpoint/posture assessment for VPN clients using DUO Health. I understand it requires the iframe/web functionality to invoke it, but now that AnyConnect and the Universal Prompt are coming, can we revisit this?
With WFH so prevalent now, it would be nice to do a posture assessment on corporate clients for the VPN just like Cisco with AnyConnect.
Thanks in advance,
Bob
02-12-2021 08:55 AM
This is available now for AnyConnect when configured to use SSO with Duo and a compatible AnyConnect client version is used.
Do you have a different VPN in mind?
02-12-2021 09:10 AM
Sorry, I didn’t see anything about Duo Health application in those docs. If using AnyConnect, why would I not use its posture assessment?
As for other clients; Pulse, Fortinet, Sonicwall
Thanks
02-12-2021 10:48 AM
Are you asking if Duo can use the AnyConnect posture info (distinct from any Duo health checks) during auth? We have a feature request for this so please reach out to your Duo account exec, customer success manager, or Duo support to join it and add more information about your use case.
As for the other VPNs you mentioned, those clients don’t show the Duo prompt today via RADIUS. The path forward for them is going to be SAML SSO. Pulse client and FortiClient are both capable of SAML auth via embedded browser UI; not sure about Mobile Connect.
You could try this today (subject to your specific VPN’s model/firmware SAML 2.0 support) with the DAG generic or Duo Single Sign-On generic SAML service provider applications. If interested in a named, preconfigured Duo Single Sign-On application for these VPNs, or any others, again it’s best to go through the Duo feature request process.
01-27-2022 08:36 AM
Hi Kristina,
Sorry for bumping this thread, but I am facing the same requests from my customers.
The request is to use the health device verification option when clients connect using FortiClient VPN. My understanding after reading this thread is that this is not supported; am I understanding this correctly?
Thank you,
01-27-2022 09:39 AM
Not with Duo added by RADIUS or LDAP.
If a given VPN client app supports passive browser login via federation/SSO, you can use Duo Single Sign-On + the Generic SAML application to add Duo to the VPN logins via SAML 2.0. Duo SSO shows a Duo prompt in the browser so it can also do Device Health checks.