The following graphic shows how FTD and Duo work together to provide two-factor authentication using LDAP.
Following is an explanation of the system flow:
- The user makes a remote access VPN connection to the FTD device and provides username and password.
- FTD validates this primary authentication attempt against the primary authentication server, which might be Active Directory or RADIUS.
- If the primary authentication works, FTD sends a request for secondary authentication to the Duo LDAP server.
- Duo then authenticates the user separately, through a push notification, a text message containing a passcode, or a telephone call. The user must complete this second authentication successfully.
- Duo responds to the FTD device to indicate whether the user authenticated successfully.
- If the secondary authentication was successful, the FTD device establishes a remote access VPN connection with the user’s AnyConnect client.