You can use the Duo LDAP server as the secondary authentication source along with a Microsoft Active Directory (AD) or RADIUS server as the primary source. With Duo LDAP, the secondary authentication validates the primary authentication with a Duo passcode, push notification, or phone call.
Note: The Duo two-factor authentication feature is available in CDO for devices running Firepower Threat Defense version 6.5 or later.
The FTD device communicates with Duo LDAP using LDAPS over port TCP/636.
When using this approach, the user must authenticate using a username that is configured on both the AD/RADIUS server and the Duo LDAP server. When prompted to log in by AnyConnect, the user provides the AD/RADIUS password in the primary Password field, and for the Secondary Password, provides one of the following to authenticate with Duo. For more details, see the "Second Password for Factor Selection" section in https://guide.duo.com/anyconnect.
Duo passcode—Authenticate using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator. For example, 1234567.
push—Push a login request to your phone, if you have installed and activated the Duo Mobile app. Review the request and tap Approve to log in.
phone—Authenticate using a phone callback.
sms—Request a Duo passcode in a text message. The login attempt will fail. Log in again using the new passcode.
For a detailed explanation, see How to Configure Two-Factor Authentication using Duo LDAP.