![]() Navigate back to An圜onnect Connection Profiles and enable An圜onnect VPN client access on the outside interface (the VPN termination point).Each user will also need to be reflected in the ‘Users’ section of the Duo Admin Panel. Navigate to AAA/Local Users > Local Users and add or ensure that you have users available in the local database to test authentication with.Navigate to An圜onnect Client Profile and create a new profile before assigning it to the Group Policy that is tied to the Connection Profile.Navigate to An圜onnect Client Software and upload your required An圜onnect client images.Configure any additional settings that are relevant to your environment Create your Connection Profile ensuring that the authentication server group is set to LOCAL and the secondary authentication in the Advanced section is set to the Duo Authentication Proxy. Create a new connection profile by clicking the ‘+ Add’ button.UDP, port 1812 has been specified in this demo but you may choose to use a different port for your deployment. The IP address will be the IP used to send RADIUS communication and the secret key will match the key used on the ASA. Open the Duo Authentication Proxy Manager and enter the following configuration ensuring that you replace the ikey, skey and API hostname fields with values relevant to your deployment.We’ve already installed the Duo Authentication Proxy for this demonstration and so we will proceed with the configuration steps. ![]() You can find instructions on how to do this here. For now, download and install the Duo Authentication Proxy onto a designated machine within your environment. We will need the Integration key, Secret key and API Hostname once we have the authentication proxy installed.Once you are happy with the settings, click Save to continue. Username normalisation shouldn’t be required if you are matching against users in the ASA’s local database as you will simply copy those usernames across to Duo. Within the application settings, provide the new application with a meaningful name.The remaining policy settings will be left as default for the purpose of this demonstration This is usually recommended while testing the new solution so that users not yet known to Duo are not locked out. In this demonstration, we create a new application policy to allow access to users without 2FA. It is recommended that you create an Application Policy for every new application that you choose to protect. Access the Duo Admin Panel and navigate to Applications > Protect an Application and search for ‘Cisco RADIUS VPN’.The first thing we will do is configure the components required for Duo 2FA. Microsoft Server 2019 (Duo Auth Proxy Installed).The ability to install and configure a Duo Authentication Proxy.This article assumes that the reader has a good understanding of the technologies discussed. This method can be used for organisations that don’t have an external identity provider (IdP) or do but choose to keep 3rd party identities external to their organisation separate from their corporate IdP. In this article, we will take a look at how to configure the Cisco ASA for remote access using the local user database and Secure Access by Duo for two-factor authentication.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |