How to Install Duo Security 2FA for Cisco ASA SSL VPN using LDAP

– [Narrator] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to protect your Cisco ASA SSL VPN logins with Duo. During the setup process, you will use the Cisco Adaptive Security Device Manager, or ASDM. Before watching this video, be sure to reference the documentation for installing this configuration at Note that this configuration supports inline self-service enrollment and the Duo Prompt.

Our alternate RADIUS-based Cisco configuration offers additional features including configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt. Read about that configuration at First, make sure that Duo is compatible with your Cisco ASA device. We support ASA firmware version 8.3 or later. You can check which version of the ASA firmware your device is using by logging into the ASDM interface. Your firmware version will be listed in the Device Information box next to ASA Version. In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory. (light music) To get started with the installation process, log in to the Duo Admin Panel.

In the Admin Panel, click on Applications. Then click Protect an Application. Type in "cisco". Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's properties page. At the top of this page, click the link to download the Duo Cisco zip package. Note that this file contains information specific to your application. Unzip it somewhere convenient and easy to access, like your desktop. Then click on the link to open the Duo for Cisco documentation. Keep both the documentation and properties pages open as you continue through the setup process. After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the page for your VPN.

Log on to your Cisco ASDM. Click the Configuration tab and then click Remote Access VPN in the left menu. Navigate to Clientless SSL VPN Access, Portal, Web Contents. Click Import. In the Source section, select Local Computer, and click Browse Local Files. Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package. After you select the file, it will appear in the Web Content Path box. In the Destination section, under "Require authentication to access its content?", select the radio button next to No. Click Import Now. Navigate to Clientless SSL VPN Access, Portal, Customization. Select the Customization Object you want to modify. For this video, we will use the default customization template. Click Edit. In the outline menu on the left, under Logon Page, click Title Panel. Copy the string provided in step nine of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box.

Replace "X" with the file version you downloaded. In this case, it is "6". Click OK, then click Apply. Now you need to add the Duo LDAP server. Navigate to AAA/Local Users, AAA Server Groups. In the AAA Server Groups section at the top, click Add. In the AAA Server Group field, type in Duo-LDAP. In the Protocol dropdown, select LDAP. More recent versions of the ASA firmware require you to provide a realm-id. In this example, we will use "1".

Click OK. Select the Duo-LDAP group you just added. In the Servers in the Selected Group section, click Add. In the Interface Name dropdown, choose your external interface. It may be called "outside". In the Server Name or IP Address field, paste the API hostname from your application's properties page in the Duo Admin Panel. Set the Timeout to 60 seconds. This will allow your users enough time during login to respond to the Duo two-factor request. Check Enable LDAP over SSL. Set Server Type to Detect Automatically/Use Generic Type. In the Base DN field, enter "dc=" then paste your integration key from the application's properties page in the Duo Admin Panel. After that, type ",dc=duosecurity,dc=com". Set Scope to One level beneath the Base DN. In the Naming Attributes field, type "cn". In the Login DN field, copy and paste the information from the Base DN field you entered above.

In the Login Password field, paste your application's secret key from the properties page in the Duo Admin Panel. Click OK, then click Apply. Now configure the Duo LDAP server. In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles. Under Connection Profiles, select the connection profile you want to modify. For this video, we will use the DefaultWEBVPNGroup. Click Edit. In the left menu, under Advanced, select Secondary Authentication. Select Duo-LDAP in the Server Group list. Uncheck the "Use LOCAL if Server Group fails" box. Check the box for Use primary username. Click OK, then click Apply. If any of your users log in through desktop or mobile AnyConnect clients, you'll need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.

In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile. Select your AnyConnect client profile. Click Edit. In the left menu, navigate to Preferences (Part 2). Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60. Click OK, then click Apply. With everything configured, it is now time to test your setup. In a web browser, navigate to your Cisco ASA SSL VPN service URL. Enter your username and password. After you complete primary authentication, the Duo Prompt appears. Using this prompt, users can enroll in Duo or complete two-factor authentication. Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode. Select Send Me a Push to send a Duo push notification to your smartphone.

On your phone, open the notification, tap the green button to accept, and you're logged in. Note that when using the AnyConnect client, users will see a second password field. This field accepts the name of a Duo factor, such as "push" or "phone", or a Duo passcode. In addition, the AnyConnect client will not update to the increased 60-second timeout until a successful authentication is made.

It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout. You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.
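For reference, here is the ASA CLI equivalent of the ASDM steps walked through in the video. This is an added example, not part of the transcript or Duo's own documentation; the API hostname, integration key (IKEY) and secret key (SKEY) are placeholders to be replaced with the values from your application's properties page, and the interface is assumed to be named "outside".

```cisco
! Added example: CLI form of the ASDM configuration described in the video.
! Placeholders: api-XXXXXXXX.duosecurity.com, <IKEY>, <SKEY> come from the
! application's properties page in the Duo Admin Panel.
aaa-server Duo-LDAP protocol ldap
! Newer ASA firmware requires a realm-id; the video uses 1.
 realm-id 1
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
! 60 seconds gives the user time to answer the push or phone call.
 timeout 60
! "Enable LDAP over SSL": the secret key below is sent as the bind password,
! so it must only ever travel inside TLS.
 ldap-over-ssl enable
! "Detect Automatically/Use Generic Type"
 server-type auto-detect
! Base DN and Login DN are both dc=<integration key>,dc=duosecurity,dc=com
 ldap-base-dn dc=<IKEY>,dc=duosecurity,dc=com
 ldap-login-dn dc=<IKEY>,dc=duosecurity,dc=com
! "One level beneath the Base DN"
 ldap-scope onelevel
 ldap-naming-attribute cn
! Login Password = the application's secret key
 ldap-login-password <SKEY>
!
tunnel-group DefaultWEBVPNGroup general-attributes
! Secondary authentication against Duo, reusing the primary username.
! The "Use LOCAL if Server Group fails" box is left unchecked, so the
! LOCAL keyword is deliberately absent: a Duo outage must not silently
! downgrade logins to single factor.
 secondary-authentication-server-group Duo-LDAP use-primary-username
```

Running `show running-config aaa-server Duo-LDAP` and `show running-config tunnel-group DefaultWEBVPNGroup` after applying the ASDM changes is a quick way to confirm that the settings in the video landed as intended.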
