Updated:March 14, 2022
This document describes how to configure Duo Push, integrated with Active Directory (AD) and Cisco Identity Services Engine (ISE), as two-factor authentication for AnyConnect clients that connect to a Cisco Adaptive Security Appliance (ASA).
Cisco recommends that you have knowledge of these topics:
Basic knowledge of RA VPN configuration on ASA
Basic knowledge of RADIUS configuration on ASA
Basic knowledge of ISE
Basic knowledge of Active Directory
Basic knowledge of Duo applications
The information in this document is based on these software and hardware versions:
Microsoft Windows Server 2016
Cisco ISE 3.0
Duo Authentication Proxy Manager
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
1. Cisco ISE forwards the authentication request to the Duo Authentication Proxy over RADIUS.
2. The Duo Authentication Proxy performs primary authentication against Active Directory (LDAP) or a RADIUS server.
3. The Duo Authentication Proxy connects to Duo Security over TCP port 443.
4. Secondary authentication (Duo Push) is performed through Duo Security's service.
5. The Duo Authentication Proxy receives the authentication response and returns it to ISE.
6. Cisco ISE grants access.
Active Directory service account: the directory account the Duo Auth Proxy uses to bind to the Active Directory server for primary authentication. A regular domain user with read access to the users and groups is sufficient; Domain Admin rights are not required and should not be granted to this account.
Active Directory test user
Duo test user for secondary authentication
Active Directory Configurations
Windows server is pre-configured with Active Directory Domain services.
Note: If the Duo Authentication Proxy runs on the same host as Active Directory, the Network Policy Server (NPS) role must be uninstalled. Both services listen on the RADIUS UDP ports (1812/1813), so if both run they conflict and impact performance.
In order to configure AD as the primary authentication and user identity source for Remote Access VPN users, a few values are required. All of these must be created or collected on the Microsoft server before the ASA and the Duo Auth Proxy server can be configured. The main values are:
Domain Name. The DNS domain name of the server. In this configuration guide, agarciam.cisco is the domain name.
Server IP/FQDN Address. The IP address or FQDN used to reach the Microsoft server. If an FQDN is used, a DNS server must be configured on the ASA and on the Duo Auth Proxy host so that the FQDN resolves. In this configuration guide, this value is agarciam.cisco (which resolves to 10.28.17.107).
Server port. The port used by the LDAP service. By default, plain LDAP and LDAP with STARTTLS use TCP port 389, and LDAP over SSL (LDAPS) uses TCP port 636.
Root CA. If LDAPS or STARTTLS is used, the root CA certificate that signed the server certificate presented by the LDAP service is required so that the Duo Auth Proxy can validate it.
Directory Username and Password. The account used by the Duo Auth Proxy server to bind to the LDAP server, search for users and groups, and authenticate users.
Base and Group Distinguished Name (DN). The Base DN is the starting point in the directory tree from which the Duo Auth Proxy searches for and authenticates users. The Group DN restricts authentication to members of that group. In this configuration guide, the root of the domain agarciam.cisco is used as the Base DN and Duo-USERS is the group.
1. In order to add a new Duo user, on Windows Server, navigate to Windows icon at the bottom left and click Windows Administrative tools, as shown in the image.
2. On Windows Administrative tools window navigate to Active Directory Users and Computers. On the Active Directory Users and Computers panel, expand the domain option and navigate to Users folder. In this configuration example Duo-USERS is used as the target group for secondary authentication.
3. Right-click the Users folder and select New > User, as shown in the image.
4. On the New Object - User window, specify the identity attributes for this new user and click Next, as shown in the image.
5. Confirm the password and click Next, then click Finish once the user information is verified.
6. To assign the new user to a specific group, right-click the user and select Add to a group, as shown in the image.
7. On the Select groups panel, type the name of the desired group and click Check names. Then select the name that matches your criteria and click Ok.
8. This is the user that is used on this document as an example.
1. Log in to your Duo Admin Panel.
2. On the left side panel, navigate to Users, click Add User, type a username that matches the Active Directory username (sAMAccountName), then click Add User.
3. On the new user's panel, fill in the required information.
4. Under user devices specify the secondary authentication method.
Note:In this document Duo push for mobile devices method is used, so a phone device needs to be added.
Click Add Phone.
5. Type in the user's phone number and click Add Phone.
6. On the left Duo Admin panel, navigate to Users and click the new user.
Note: If you do not have access to your phone at the moment, you can select the email option.
7. Navigate to the Phones section and click Activate Duo Mobile.
8. Click Generate Duo Mobile Activation Code.
9. Select Email in order to receive the instructions via email, type your email address and click Send Instructions by email.
10. You receive an email with the instructions, as shown in the image.
11. Open the Duo Mobile App from your mobile device and click Add then select Use QR code and scan the code from the instructions email.
Note:On this document the Duo Auth Proxy Manager is installed on the same Windows Server that hosts Active Directory services.
2. On the Duo Admin Panel, navigate to Applications and click Protect an Application.
3. In the search bar, look for Cisco ISE RADIUS.
4. Copy the Integration key, Secret key and API hostname. You need this information for the Duo Authentication Proxy configuration.
5. Run the Duo Authentication Proxy Manager application and complete the configuration for both Active Directory client and ISE Radius Server and click Validate.
Note: If validation is not successful refer to the debug tab for details and correct accordingly.
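The Duo Authentication Proxy Manager is an editor for the proxy's authproxy.cfg file; the page does not show the resulting file, so the following is an added example (not taken from the original document or from Duo) of what steps 2 to 5 produce for this lab. It uses the values the page gives (host agarciam.cisco, Base DN of the agarciam.cisco domain, group Duo-USERS, ISE at 10.28.17.101); the service account name duo-svc, the CA file path, and every value in angle brackets are assumptions to be replaced with your own.

```ini
; Primary authentication: bind to Active Directory over LDAPS.
; "host" is the FQDN from the page; the proxy host must resolve it via DNS.
[ad_client]
host=agarciam.cisco
port=636
transport=ldaps
; Assumed low-privilege service account (no Domain Admin rights needed).
service_account_username=duo-svc
service_account_password=<service-account-password>
; Base DN: root of the agarciam.cisco domain.
search_dn=DC=agarciam,DC=cisco
; Only members of Duo-USERS (created under the Users container) may authenticate.
security_group_dn=CN=Duo-USERS,CN=Users,DC=agarciam,DC=cisco
; Root CA that signed the domain controller's LDAPS certificate (assumed path).
ssl_ca_certs_file=C:\Program Files\Duo Security Authentication Proxy\conf\ad-root-ca.pem
ssl_verify_hostname=true

; RADIUS server that ISE talks to; Duo picks the best factor (push) automatically.
[radius_server_auto]
ikey=<integration key from the Cisco ISE RADIUS application>
skey=<secret key from the Cisco ISE RADIUS application>
api_host=<api-XXXXXXXX.duosecurity.com>
; ISE is the only permitted RADIUS client; this secret is also entered on ISE
; under External RADIUS Servers.
radius_ip_1=10.28.17.101
radius_secret_1=<shared secret between ISE and the proxy>
client=ad_client
port=1812
; failmode=safe (the default) lets users in with only the AD password when the
; Duo cloud is unreachable; secure denies them instead. Choose deliberately.
failmode=secure
```

After saving, use Validate in the Duo Authentication Proxy Manager: it checks the LDAPS bind, the group DN and the Duo API credentials before the service is restarted. The failmode line is the setting worth reviewing: with safe, an outage of the Duo service silently turns the VPN back into single-factor authentication.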
Cisco ISE configurations
1. Log in to the ISE Admin portal.
2. Expand the Cisco ISE menu, navigate to Administration > Network Resources and click External RADIUS Servers.
3. On the External RADIUS Servers tab, click Add.
4. Fill in the fields with the RADIUS configuration used in the Duo Authentication Proxy Manager (proxy IP address, authentication port 1812, and the same shared secret) and click Submit. Raise the Server Timeout to about 60 seconds: the proxy does not answer until the user approves the push on the phone, and the default timeout is too short for that.
5. Navigate to RADIUS Server Sequences tab and click Add.
6. Specify the name of the sequence and assign the new RADIUS External server, click Submit.
7. Navigate from the Dashboard menu to Policy and click Policy Sets.
8. In the Default policy set, select the new RADIUS Server Sequence under Allowed Protocols / Server Sequence, so that ISE proxies the requests to Duo instead of evaluating them locally.
Note: In this document the Duo sequence is applied to all connections, so the Default policy set is used. Policy assignment can vary as per requirements.
Cisco ASA RADIUS/ISE configuration
1. Configure the ISE RADIUS server under AAA Server Groups: navigate to Configuration > Device Management, expand the Users/AAA section and select AAA Server Groups.
2. On the AAA Server Groups panel click Add.
3. Select the name of the Server group and specify RADIUS as the protocol to use then click Ok.
5. Select your new Server group and click Add under the Servers in the Selected Group panel, as shown in the image.
6. On the Edit AAA Server window, select the interface name, specify the IP address of the ISE Server and type the RADIUS secret key and click Ok.
Note: The RADIUS secret key configured here must match the secret that ISE holds for this ASA under Administration > Network Resources > Network Devices. The secret between ISE and the Duo Authentication Proxy is a separate value and does not need to be the same.
aaa-server ISE protocol radius
aaa-server ISE (outside) host 10.28.17.101
 key <shared-secret-configured-on-ISE-for-this-ASA>
 timeout 60
The key line carries the shared secret (the original listing omitted it). The timeout of 60 seconds replaces the ASA default of 10 seconds so that the ASA does not retry or fail the request while the user is still approving the Duo push.
Cisco ASA Remote Access VPN configuration
ip local pool agarciam-pool 192.168.17.1-192.168.17.100 mask 255.255.255.0
group-policy DUO internal
group-policy DUO attributes
 banner value This connection is for DUO authorized users only!
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-agarciam
 address-pools value agarciam-pool
tunnel-group ISE-users type remote-access
tunnel-group ISE-users general-attributes
 authentication-server-group ISE
 default-group-policy DUO
tunnel-group ISE-users webvpn-attributes
 group-alias ISE enable
The general-attributes block binds the tunnel group to the ISE AAA server group and to the DUO group policy; without authentication-server-group ISE the tunnel group authenticates against the local database and Duo is never contacted. split-tunnel-policy tunnelspecified is required for the split-agarciam access list (which must already exist) to take effect.
1. Open the AnyConnect client on your PC, enter the hostname of the ASA VPN headend, log in with the user created earlier (the Active Directory account that is also enrolled in Duo) and click OK.
2. You receive a Duo Push notification on the Duo Mobile device registered for that user.
3. Open the Duo Mobile notification and tap Approve.
4. Accept the banner and the connection is established.
This section provides information you can use to troubleshoot your configuration.
Duo Authentication Proxy comes with a debug tool that displays error and failure reasons.
Note: The following conditions are logged in C:\Program Files\Duo Security Authentication Proxy\log\connectivity_tool.log.
1. Connectivity issues: wrong IP address, or unresolvable FQDN/hostname in the Active Directory configuration.
2. Wrong password for the service account used to bind to Active Directory.
3. Wrong Base DN.
4. Wrong ikey (integration key) value in the RADIUS server section.
5. Verify that the ISE server actually sends Access-Request packets to the proxy.
6. In order to confirm that the Duo Authentication Proxy server works independently of ISE, Duo's documentation recommends NTRadPing, a free RADIUS test client, to send Access-Request packets and observe the response from Duo.
6.1 Install NTRadPing on a different PC and generate traffic.
Note: In this example the Windows machine 10.28.17.3 is used.
6.2 Configure NTRadPing with the same attributes used in the ISE RADIUS configuration (proxy IP, port 1812, shared secret, username and password).
6.3 Configure the Duo Authentication Proxy Manager so that the test machine is an allowed RADIUS client, as follows.
6.4 In NTRadPing, click Send. You receive a Duo Push notification on the assigned mobile device, and NTRadPing shows Access-Accept or Access-Reject once you respond.
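Steps 5 and 6 above come down to one RADIUS round trip: a PAP Access-Request from the client and an Access-Accept/Reject from the proxy. The following is an added example, written for this page and not part of the original document or of Duo's or Cisco's tooling, that does what NTRadPing does by hand: it builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, sends it, and validates the Response Authenticator of the reply so that a wrong shared secret is reported as such rather than as a silent timeout. The shared secret, username, password and NAS address in the code are constructed values; build_response is a constructed server-side reply used to exercise the checks offline.

```python
"""Minimal RADIUS (RFC 2865) PAP test client, the manual equivalent of NTRadPing."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def radius_attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2 header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_pap_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret || previous block),
    seeded with the Request Authenticator. Non-empty password assumed."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_pap_password(secret, request_auth, hidden):
    """Inverse of encrypt_pap_password (what the proxy does before binding to AD)."""
    pw, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        pw += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return pw.rstrip(b"\x00").decode()


def build_access_request(secret, username, password, nas_ip, identifier, request_auth=None):
    """Code 1 | Identifier | Length | 16-byte random Request Authenticator | attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (radius_attr(ATTR_USER_NAME, username.encode())
             + radius_attr(ATTR_USER_PASSWORD, encrypt_pap_password(secret, request_auth, password))
             + radius_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(raw):
    """Walk the TLV list into {type: value}; refuses attributes that would loop."""
    attrs, i = {}, 0
    while i + 2 <= len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


def verify_response(secret, request, response):
    """RFC 2865 section 3: Response Authenticator must equal
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A mismatch almost always means the shared secret differs on the two sides."""
    if len(response) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False, "identifier/length mismatch"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        return False, "bad Response Authenticator (shared secret mismatch?)"
    return True, CODE_NAMES.get(code, f"code {code}")


def build_response(secret, request, code, attrs=b""):
    """Constructed server-side reply (what the Duo proxy would send); used offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def send_and_wait(secret, username, password, server_ip, nas_ip, port=1812, timeout=60):
    """Live round trip. The long timeout matters: the proxy answers only after
    the push is approved, so a 5-10 second client timeout looks like a failure."""
    req = build_access_request(secret, username, password, nas_ip, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server_ip, port))
        resp, _ = s.recvfrom(4096)
    return verify_response(secret, req, resp)


if __name__ == "__main__":
    # Assumed lab values: proxy on the AD host, test client 10.28.17.3 as in the page.
    print(send_and_wait(b"<shared-secret>", "duouser", "<password>", "10.28.17.107", "10.28.17.3"))
```

Run it from a machine listed as a radius_ip in the proxy configuration, otherwise the proxy drops the packet and the only symptom is a timeout. Three outcomes are distinguishable: a timeout (wrong client IP, port, or the proxy never reached Duo), a bad Response Authenticator (shared secret mismatch, which NTRadPing reports the same way), or a verified Access-Accept/Reject after the push is answered.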