Cisco AnyConnect with DUO for MFA

Hello,

We are setting up DUO with AnyConnect for MFA. We have multiple options to achieve this, such as SSO SAML with DAG, RADIUS with Auth Proxy, and LDAPS.

Our primary dilemma lies in choosing between RADIUS and LDAP.

Could anyone shed some light on the practical differences between using RADIUS versus LDAP for this purpose?

Additionally, we’re considering using DUO’s Access Gateway as part of our setup. However, we’re curious about its security aspects. Has anyone encountered security issues with DUO DAG?

Any advice, experiences shared, or resources on these topics would be greatly appreciated as we aim to make an informed decision for our setup.

Thank you in advance for your help!

You should be using SAML against your IdP, since your IdP will already be set up for MFA, e.g. DUO. It’s very simple and Cisco has a number of guides for how to accomplish it. My Cisco VPN points at AzureAD, and AzureAD is using DUO for MFA.

And I’d advise doing this with the 5.x Secure Client, as AnyConnect is EOL.

That is to say, you don’t want RADIUS or LDAP.

Just keep in mind that if you go with SAML you won’t be able to use Start Before Logon.

FYI … Duo DAG is EOL, or at least soon/eventually.

We use RADIUS (Clearpass) through the access proxy and have never had any issues with it. Our only real issue is related to the RADIUS-challenge (the Duo popup message) being limited to a certain number of characters (per spec), so if someone has a lot of Duo options (phone numbers, methods, etc…) they get this super abbreviated Duo message that isn’t user-friendly at all.

If you have a super simple VPN setup, like 1 connection profile and everyone gets the same access, a SAML approach might be the way to go.

I imagine some day we’ll investigate moving to a SAML login, but our VPN setup is quite complicated and we couldn’t make it work for us when we added Duo a few years ago.

We use LDAP against an LDAP server configured in the Authentication Proxy. In the Duo console config it’s just a generic LDAP application.

The “hard part” of that is the certs on the Authproxy.

We could have used RADIUS. It was easier to test/cutover since we were already using LDAP on the firewalls for AnyConnect authentication.

As someone stated earlier, the bigger tradeoff is SBL (available with LDAP/RADIUS) vs Duo Unified (SAML).

The only quality of life difference between RADIUS and LDAP through the auth proxy is RADIUS reports the remote client IP and LDAP does not. Helpful if you want to do geofencing policy.
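To make the RADIUS-versus-LDAP choice through the Authentication Proxy concrete, here is an added example authproxy.cfg (not from any poster in this thread) with both listener types defined side by side; the ikey, skey, api_host, hosts, secrets and certificate paths are placeholders, and the proxy still reaches the directory over LDAPS via the ad_client section in both cases.

```ini
; Added example, not from this thread: Duo Authentication Proxy config
; showing the two server types discussed above. Replace every
; <PLACEHOLDER> value before use.

; Primary authentication source: Active Directory over LDAPS
[ad_client]
host=<AD_SERVER_IP_PLACEHOLDER>
transport=ldaps
ssl_ca_certs_file=<PATH_TO_AD_CA_BUNDLE_PLACEHOLDER>
service_account_username=<SERVICE_ACCOUNT_PLACEHOLDER>
service_account_password=<SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER>
search_dn=DC=example,DC=com

; Option A: RADIUS listener. The ASA/FTD is a RADIUS client and the
; proxy sees the Calling-Station-Id, so the remote client IP is
; available to Duo policy (the geofencing point made above).
[radius_server_auto]
ikey=<DUO_INTEGRATION_KEY_PLACEHOLDER>
skey=<DUO_SECRET_KEY_PLACEHOLDER>
api_host=<api-XXXXXXXX.duosecurity.com PLACEHOLDER>
radius_ip_1=<ASA_IP_PLACEHOLDER>
radius_secret_1=<SHARED_SECRET_PLACEHOLDER>
client=ad_client
port=1812
failmode=safe

; Option B: LDAP listener. The ASA/FTD binds to the proxy as an LDAP
; server; the proxy must present its own TLS certificate (the "hard
; part" mentioned above). No remote client IP is visible to Duo here.
[ldap_server_auto]
ikey=<DUO_INTEGRATION_KEY_PLACEHOLDER>
skey=<DUO_SECRET_KEY_PLACEHOLDER>
api_host=<api-XXXXXXXX.duosecurity.com PLACEHOLDER>
client=ad_client
ssl_port=636
ssl_key_path=<PATH_TO_PROXY_PRIVATE_KEY_PLACEHOLDER>
ssl_cert_path=<PATH_TO_PROXY_CERT_PLACEHOLDER>
exempt_primary_bind=false
failmode=safe
```

Only one of the two listener sections is needed in practice; keeping both in a lab config lets you cut over the firewall's AAA server group from one to the other without touching the ad_client section.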

We’re trying to implement Duo for 2FA/SAML SSO, but we also have Dynamic Access Policies to only allow certain users access to the AnyConnect VPN.

It has worked great with internal AD users because employees have email addresses and passwords. However, it hasn’t been successful for external users because, although we create an AD user for them, we don’t create an email address; external users rely on their own email addresses.

How to solve this?

Sorry, I didn’t get this. Could you please provide more information?

Create an email address for external users while creating their AD user? That’s what we do.

If you need to be able to connect to the VPN before logging in, SAML is not supported.

We’re currently on Office 365. Do you mean to say we need to set up a mailbox for them, which would then unnecessarily use up a license?

Thank you for clarifying. What is the best alternative method if not SAML?

To be honest, I don’t know that part. It’s not part of my role. But I believe they will still need an O365 license since they also will be using Office, Teams, etc.