VPN with Device Health


I’ve had this request a few times now from clients; endpoint/posture assessment for VPN clients using DUO Health. I understand it requires the iframe/web functionality to invoke it, but now that Anyconnect and the Unniversal Prompt is coming can we re-visit this?

With WFH so prevalent now it would be nice to do a posture assessment on corporate clients for the VPN just like Cisco with Anyconnect.

Thanks in advance,


This is available now for AnyConnect when configured to use SSO with Duo and a compatible AnyConnect client version is used.

Do you have a different VPN in mind?

Sorry I didn’t see anything about Duo Health application in those docs. If using Anyconnect, why would I not use its’ posture assessment?

As for other clients; Pulse, Fortinet, Sonicwall


Are you asking if Duo can use the AnyConnect posture info (distinct from any Duo health checks) during auth? We have a feature request for this so please reach out to your Duo account exec, customer success manager, or Duo support to join it and add more information about your use case.

As for the other VPNs you mentioned, those clients don’t show the Duo prompt today via RADIUS. The path forward for them is going to be SAML SSO. Pulse client and FortiClient are both capable of SAML auth via embedded browser UI; not sure about Mobile Connect.

You could try this today (subject to your specific VPN’s model/firmware SAML 2.0 support) with the DAG generic or Duo Single Sign-On generic SAML service provider applications. If interested in a named, preconfigured Duo Single Sign-On application for these VPNs, or any others, again it’s best to go through the Duo feature request process.

1 Like