I don’t have one! OK, create one and link it to your AnyConnect Profile.
What about passcodes and 2FA? This will send a push notification to the user’s Duo Authenticator (phone). (You can enter the password, then a comma, then the passcode from the Duo App if you wish; I just prefer the push notification.)

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Select yours > Edit.

I’ve written about testing AAA before in the following article:

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

But essentially, with the SERVER selected > Test > Select Authentication > Enter the username and password for a user.

Now select the DUO-RADIUS group in the top window, and click ‘Add’ in the bottom window > Specify the interface that’s facing the Duo Auth Proxy Server > Add its IP address > Change the Timeout to 60 seconds > Set the Server Authentication port to 1812 > Set the Server Accounting Port to 1813 (though it will NOT do accounting) > Type in the Secret Key you specified above > Untick Microsoft CHAPv2 Capable > OK.

You only need to add the name of the server group, i.e. DUO-RADIUS, and ensure the protocol is set to RADIUS > OK > Apply.

Log into the ASDM > Configuration > Device Management > Users/AAA > AAA Server Groups > Add.

I’m not sure you have to, but at this point I’d restart the Duo Auth Proxy service as well.

Note: 192.168.254.254 is the inside interface of the Cisco ASA, and 666999 is the shared secret we will enter on the firewall in a moment.
Skey= XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Log into the Duo Admin Portal > Applications > Protect an Application > Search for and select Cisco RADIUS VPN > Copy the Integration Key, Secret Key and the API hostname to notepad.

Back on your Duo Authentication Proxy (because you completed the prerequisites), add the following to the bottom of your authproxy.cfg file.

I would also set up AnyConnect and have it working with LOCAL authentication before migrating to Duo/2FA authentication:

Cisco ASA 5500 AnyConnect Setup From Command Line

Duo: Deploy Cisco RADIUS VPN

See the following article.

Also, I’m using LDAPS; if you have not set that up (it’s easy), then see the following article.

I already have a Duo Authentication Proxy server set up and my users are enrolled; you will need to set this up first.
I was asked if I’d ever set this up the other week.