Skip to main content



Cisco Defense Orchestrator

System Flow for Duo LDAP Secondary Authentication

The following graphic shows how FTD and Duo work together to provide two-factor authentication using LDAP.


Following is an explanation of the system flow:

  1. The user makes a remote access VPN connection to the FTD device and provides username and password.
  2. FTD authenticates this primary authentication attempt with the primary authentication server, which might be Active Directory or RADIUS.
  3. If the primary authentication works, FTD sends a request for secondary authentication to the Duo LDAP server.
  4. Duo then authenticates the user separately, through push notification, text message with a passcode, or a telephone call. The user must complete this authentication successfully.
  5. Duo responds to the FTD device to indicate whether the user authenticated successfully.
  6. If the secondary authentication was successful, the FTD device establishes a remote access VPN connection with the user’s AnyConnect client.
  • Was this article helpful?