This document describes how to configure a Duo Lightweight Directory Access Protocol (LDAP) identity source object through the REST API and how to use this object in the Remote Access VPN (RA VPN) connection profile as a secondary authentication identity source on Firepower Threat Defense (FTD) managed by Firepower Device Manager (FDM).
Cisco recommends that you have knowledge of these topics:
Basic knowledge of RA VPN configuration on FDM.
Basic knowledge of REST API and FDM REST API Explorer.
Cisco FTD running version 6.5.0 and above managed by Cisco Firepower Device Manager (FDM).
FTD registered with the smart licensing portal with Export Controlled Features enabled (in order to allow the RA VPN configuration tab to be enabled).
AnyConnect Licenses enabled (APEX, Plus or VPN-Only).
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
From FTD version 6.5, you can use a Duo LDAP identity source object directly in the RA VPN profile for secondary authentication with the help of the REST API.
Prior to this version, two-factor authentication was supported only via Duo Proxy and RADIUS.
Authentication Flow Explained
The user initiates a remote access VPN connection to the FTD and provides a username and password for Primary Authentication.
FTD sends the authentication request to the primary authentication server.
Once the primary authentication is successful, FTD sends a request for secondary authentication to the Duo LDAP server.
Duo then authenticates the user, depending on the input for secondary authentication (push, passcode, phone).
Duo responds to the FTD to indicate whether the user authenticated successfully.
If the secondary authentication was successful, the FTD establishes a remote access VPN connection.
In order to complete the configuration, take into consideration these sections:
Step 1. Bind the Duo object as the secondary authentication method in Remote Access VPN.
Navigate to Remote Access VPN and edit the relevant Connection Profile.
Select LocalIdentitySource as Primary Identity Source and Duo as Secondary Identity Source. Click Next to close the Remote Access VPN Wizard.
Note: For the purposes of this document, Use Primary username for Secondary login is checked under the Advanced option. If you need to use different usernames for Primary and Secondary authentication, you can uncheck it.
Step 2. Deploy the configuration to the device.
Pending changes show Local user, Duo object and Secondary Authentication Settings ready to be pushed.
In order to test this configuration, provide the local credentials in Username and Password. For Second Password, type push, phone, or passcode to determine the kind of notification to be sent by Duo. Here the push method is used.
You must get a Duo PUSH notification on your enrolled device for Two Factor Authentication (2FA). Once the push request is approved, the AnyConnect user gets connected.
Open AnyConnect GUI > Settings > Statistics and verify the connection.
Verify the user connection on the FTD CLI using the command show vpn-sessiondb anyconnect
firepower# show vpn-sessiondb anyconnect
Username : tazkhan Index : 32
Assigned IP : 192.168.10.1 Public IP : 10.65.81.47
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384
Bytes Tx : 149500 Bytes Rx : 112471
Group Policy : DfltGrpPolicy Tunnel Group : SSLVPN
Login Time : 11:07:09 UTC Mon Oct 9 2019
Duration : 0h:27m:46s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 00000000000200005d9b1c5d
Security Grp : none Tunnel Zone : 0
Verify that the Duo object is pushed from the REST API by navigating to Objects > Identity Sources
Verify the aaa-server configuration and secondary authentication on the FTD CLI using the commands show run aaa-server <name> and show run tunnel-group
firepower# show run aaa-server Duo
aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
firepower# show run tunnel-group
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool anyconnect-pool
 secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
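Added example, not part of the original document: a Python check that runs over saved show run aaa-server and show run tunnel-group output and reports, for each remote-access tunnel-group, whether secondary authentication is bound to an LDAP aaa-server group that has a host defined. The function name audit_secondary_auth and the sample text are constructed for illustration from the output shown above, one command per line.

```python
import re

# Constructed sample: the running-config commands shown above, one per line.
SAMPLE_CONFIG = """\
aaa-server Duo protocol ldap
aaa-server Duo (outside) host api-f754c261.duosecurity.com
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool anyconnect-pool
 secondary-authentication-server-group Duo use-primary-username
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
"""

def audit_secondary_auth(config):
    """Return {tunnel_group: finding} for every remote-access tunnel-group."""
    protocols = {}         # aaa-server group name -> protocol
    hosts = set()          # aaa-server groups with at least one host line
    remote_access = set()  # tunnel-groups of type remote-access
    secondary = {}         # tunnel-group -> secondary server group name
    current = None         # tunnel-group whose general-attributes block is open
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            protocols[m.group(1)] = m.group(2)
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host \S+", line):
            hosts.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type remote-access", line):
            remote_access.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the block
        elif current and (m := re.match(
                r"\s+secondary-authentication-server-group (?:\(\S+\) )?(\S+)", line)):
            secondary[current] = m.group(1)
    findings = {}
    for group in sorted(remote_access):
        server = secondary.get(group)
        if server in (None, "none"):
            findings[group] = "no secondary authentication configured"
        elif protocols.get(server) != "ldap":
            findings[group] = f"secondary group {server} is not an LDAP aaa-server"
        elif server not in hosts:
            findings[group] = f"aaa-server {server} has no host defined"
        else:
            findings[group] = "ok"
    return findings
```

Running this against configuration captured after each deployment flags a connection profile that has lost its secondary identity source before users connect with a single factor.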