Refer to Duo documentation for the exact installation instructions, referenced at the end of this document.Ĭreate a configuration file based on the information noted down from Application configuration. Again the process is fairly straightforward. The Application Proxy acts as a RADIUS gateway between the local Cisco VPN and the Duo platform. Make note of the Integration Key, Secret Key and API HostnameĪpply any policies that are required for your home workers, in our example we are enforcing 2FA for our Working From Home users. Search for “Cisco RADIUS VPN” and click Protect Navigate to Applications->Protect an Application
Install the Duo RADIUS proxy within the on-premises infrastructureĬonfigure the connection between the local Cisco and the RADIUS proxyĮnabling RADIUS as an application is straightforward To enable RADIUS within Duo there are a couple of stepsĮnable the Cisco ASA VPN as a Duo application If AD authentication is valid then the YubiOTP is validated via the Duo platform
Username and password entered (1), YubiKey is activated to generate the OTP which is appended to the password, separated by a comma (2)Ĭisco hands off authentication to the Duo Authentication Proxy via RADIUSĭuo Proxy splits the Username/Password and OTP, verifies U/P against AD Yubico OTP is supported across all platforms as it is just seen as keyboard input but it is important to just check that you select the most appropriate hardware interface, ie USB-A, USB-C or even the Lightning based authenticator.Ĭisco An圜onnect with YubiOTP Support per Operating System If all factors are met the encrypted connection is made
If AD authentication is valid then the YubiOTP is validated by the authentication service, either by an internal validation server on prem or a cloud based validation service The public ID of the YubiKey is used to confirm the YubiKey is associated with the user. The Authentication Service splits the Username/Password and OTP, verifies U/P against the organization's AD. Username/Password+YubiOTP passed through to Cisco VPN ServerĬisco hands off authentication to the authentication service via RADIUS Username and password entered (1), YubiKey is activated to generate the OTP which is passed along with the username and password (2) Network OverviewĪ high level overview of the network configuration is shown below
See appendix for other IDP partner’s RADIUS setup guides.įor organizations with non-standard or complex deployments, it is recommended to contact Yubico Sales for more information. This guide will walk through setting up Duo’s RADIUS Service for a standard Cisco ASA Server so that Yubico OTP can be used for MFA.
A number of IDP vendors have good step-by-step guides on how to integrate their product with Cisco An圜onnect and ASA. These standard patterns provide a simple way to integrate a company's IDP with Cisco’s VPN solution. Additionally, Cisco provides SAML and RADIUS integrations with identity providers (IDPs). Natively, user certificates and specifically smartcards are supported. Cisco’s solution is mature and has a number of options to integrate authentication vendors. It is critical that strong two factor authentication is integrated into Cisco’s VPN solution. More and more people are using Cisco An圜onnect and Cisco’s Adaptive Security Appliance (ASA) to perform work remotely. Leveraging Cisco An圜onnect to provide remote VPN access to corporate resources is vital to enable a remote workforce.