We don’t use the Clientless SSL VPN, only the AnyConnect client.
When a user goes to the VPN URL, they put in login credentials and they immediately get directed to download the AnyConnect client.
Instead of going right to the download page, I would like the Duo inline self-service enrollment page to prompt them to set up their Duo account, but I can’t figure out how to make that happen. Anyone have some tips with this setup?
It says IPSec, but it also applies to the AnyConnect client. I do not want users to self-enroll though. I control access through an AD group and have Duo send the enrollment email automatically.
The only issue I ran into with Duo was when adding the Duo AAA server group in the ASA. For some reason it didn’t like it by FQDN, so I put in the IP of that weblink and it worked right away. I haven’t gone back to troubleshoot since it’s been working.
I should add this was for an ASA on old code, 8.25, which is being replaced soon but was needed for a site certification.
Yeah, I went through those docs, can’t get it working. Was wondering if anyone else has gotten this setup working. It’s possible that it’s a problem with the way we have our setup.
Yes, I have this in production. The only thing you may be missing is your ASA code version, but most likely you are missing a detail in the setup instructions. Read it carefully multiple times, as a single checkbox will be crucial.
Are you doing LDAP? We use RADIUS and I had to set up the proxy server too. I can log in and get client pushes but can’t get the inline enrollment part working.
I have that part added, I have been on the phone with Duo for a bit now and they can’t seem to get it working either.
I followed this document to get things set up originally, and have gone back and followed the normal Cisco doc with the support at Duo. They are opening an escalated ticket for it.
Like I said, if I add users to Duo manually and then set up their phone in the admin console, I can get the pushes to work just fine.
I have done it before with Essentials only and with SSL VPN as well. It doesn’t matter which one you use, as the portal is always there, albeit in a limited capacity for Essentials.
Can you resolve DNS from your ASA? You need to be able to resolve the Duo API name… really the only other thing that I can think of.
I will look tomorrow. Another error I am getting now is that on the portal a non-Duo user signs in, but it errors and says please go to this URL to enroll. If you follow the URL you can enroll and push to phone works, but then the user still isn’t in the right groups and an admin has to step in. Plus the error just isn’t user friendly.
If you can get past all the other errors, the VPN portal redirects to the AnyConnect auto-installer page. If I disable client SSL and IKE and whatever else except clientless SSL, I get the error that the SSL portal is not available.
Going to make a ticket with Cisco but have to re-up the SmartNet that expired July 1st.