The following procedure explains the end-to-end process of configuring two-factor authentication, using Duo LDAP as the secondary authentication source, for remote access VPN. You must have an account with Duo, and obtain some information from Duo, to complete this configuration.
Create a Duo Account
Create a Duo account and obtain the integration key, secret key, and API hostname.
Following is an overview of the process. For details, please see the Duo web site, https://duo.com.
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate Cisco Firepower Threat Defense VPN in the applications list.
- Click Protect this Application to get your Integration key, Secret key, and API hostname. For additional information, see the Duo Getting Started guide, https://duo.com/docs/getting-started.
For enrolling new users in Duo, see https://duo.com/docs/enrolling-users.
Upload a Trusted CA Certificate to FTD Using FDM
The FTD device must trust the CA that issued the Duo LDAP server's certificate, otherwise it cannot validate the LDAPS connection to Duo. Go to https://www.digicert.com/digicert-root-certificates.htm, download either DigiCertSHA2HighAssuranceServerCA or DigiCert High Assurance EV Root CA, and upload it as a trusted CA certificate using Firepower Device Manager (FDM).
- In FDM on the FTD device, choose Objects > Certificates.
- Click + > Add Trusted CA Certificate.
- Enter a name for the certificate, for example, DigiCert_High_Assurance_EV_Root_CA. (Spaces are not allowed.)
- Click Upload Certificate and select the file that you downloaded.
- Click OK.
- Onboard the device to CDO if you haven't onboarded it already.
- Read Configuration Changes from FTD to CDO, so that the certificate you uploaded with FDM is known to CDO before you reference it.
Configure FTD for Duo LDAP in CDO
- Create a Duo LDAP identity source object for the Duo LDAP server.
- In the CDO navigation bar, click Objects.
- Click + > RA VPN Objects (ASA & FTD) > Identity Source.
- Enter a name for the object, for example, Duo-LDAP-server.
- Select the Device Type as FTD.
- Click Duo Ldap Identity Source and click Continue.
- In the Edit Identity Source area, provide the following details:
- API Hostname: Enter the API Hostname that you obtained from your Duo account. The hostname should look like the following, with the X’s replaced with your unique value: API-XXXXXXXX.DUOSECURITY.COM. Uppercase is not required.
- Port: Enter the TCP port to use for LDAPS. This should be 636 unless Duo has told you to use a different port. Make sure your access control policy allows traffic from the FTD to the Duo LDAP server on this port; a blocked port shows up later as a secondary-authentication timeout, not as a configuration error.
- Timeout: Enter the timeout, in seconds, for the connection to the Duo server. The value can be 1-300 seconds. The default is 120; to use the default, enter 120.
- Integration Key: Enter the integration key that you obtained from your Duo account.
- Secret Key: Enter the secret key that you obtained from your Duo account. This key will subsequently be masked.
- Interface used to connect to Duo Server: Select the interface that is used for connecting to Duo Server.
- Resolve via route lookup: Select this option to use the routing table to find the right path. For creating a routing table, see Routing.
- Manually choose interface: Select this option and choose one of the interfaces from the list. The default is the diagnostic interface, but it works only if you have configured an IP address on that interface. Ensure that the selected interface exists on the device that will connect to the Duo server.
- Click Add.
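Before clicking Add, it is worth checking from a workstation that the values you entered satisfy the constraints above and that the Duo API host actually answers on the LDAPS port with a certificate chain that validates against the DigiCert CA you uploaded to the FTD. The following Python script is an added example, not Cisco or Duo code. It assumes the eight-character hostname shape api-XXXXXXXX.duosecurity.com shown above (the exact alphabet of the unique value is an assumption), takes the path to the CA PEM file as a placeholder argument, and trusts only that file, so a handshake failure here means the FTD, trusting the same CA, will fail the same way.

```python
"""Pre-flight checks for a Duo LDAP identity source before pushing it from CDO.

Added example (not Cisco or Duo code). validate_identity_source() checks the
form values against the constraints stated in the procedure; probe_ldaps()
opens a TLS connection to the Duo API host trusting only the CA file you pass,
i.e. the same DigiCert CA uploaded to the FTD as a trusted CA certificate.
"""
from __future__ import annotations

import re
import socket
import ssl
import sys

# Hostname shape from the procedure: api-XXXXXXXX.duosecurity.com, case-insensitive.
# Eight alphanumeric characters for the unique value is an assumption.
_API_HOST_RE = re.compile(r"^api-[0-9a-z]{8}\.duosecurity\.com$", re.IGNORECASE)
DEFAULT_LDAPS_PORT = 636          # unless Duo tells you to use another port
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 1, 300, 120


def validate_identity_source(api_hostname: str, port: int = DEFAULT_LDAPS_PORT,
                             timeout: int = TIMEOUT_DEFAULT) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Empty errors means the values are acceptable."""
    errors: list[str] = []
    warnings: list[str] = []
    if not _API_HOST_RE.match(api_hostname.strip()):
        errors.append(f"API hostname {api_hostname!r} does not look like api-XXXXXXXX.duosecurity.com")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append(f"port {port!r} is not a valid TCP port")
    elif port != DEFAULT_LDAPS_PORT:
        warnings.append(f"port {port} is not 636; only use a different port if Duo told you to")
    if not isinstance(timeout, int) or not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        errors.append(f"timeout {timeout!r} is outside {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    return errors, warnings


def probe_ldaps(api_hostname: str, cafile: str, port: int = DEFAULT_LDAPS_PORT,
                timeout: int = TIMEOUT_DEFAULT) -> dict:
    """TLS handshake with the Duo LDAP host, trusting only `cafile` (no system store).

    The server must send any intermediate certificate itself; if you uploaded
    only the root CA to the FTD, this probe validates the chain the same way.
    Raises ssl.SSLCertVerificationError on a chain problem, OSError on a
    connect failure (for example the port blocked by access control).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((api_hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=api_hostname) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "subject": dict(pair[0] for pair in cert["subject"]),
                "issuer": dict(pair[0] for pair in cert["issuer"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: duo_ldap_preflight.py api-XXXXXXXX.duosecurity.com /path/to/DigiCert_CA.pem [port] [timeout]")
    host, cafile = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else DEFAULT_LDAPS_PORT
    timeout = int(sys.argv[4]) if len(sys.argv) > 4 else TIMEOUT_DEFAULT
    errors, warnings = validate_identity_source(host, port, timeout)
    for w in warnings:
        print("WARN:", w)
    if errors:
        sys.exit("\n".join("ERROR: " + e for e in errors))
    try:
        info = probe_ldaps(host, cafile, port, timeout)
    except ssl.SSLCertVerificationError as exc:   # subclass of OSError, so catch it first
        sys.exit(f"certificate validation failed (wrong or missing trusted CA?): {exc}")
    except OSError as exc:
        sys.exit(f"cannot reach {host}:{port} (access control or routing?): {exc}")
    print(f"OK {host}:{port} {info['tls_version']} issuer={info['issuer'].get('commonName')} "
          f"subject={info['subject'].get('commonName')} expires={info['not_after']}")
```

The probe runs from your workstation, so it proves the CA and the Duo side; it does not prove that the interface you selected on the FTD can reach the host, which still depends on the device's routing and access control rules.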
- (optional) Use the AnyConnect Profile Editor to create a profile that specifies 60 seconds or more for authentication timeout.
You need to give users extra time to obtain the Duo passcode and complete the secondary authentication. We recommend at least 60 seconds. The following procedure explains how to configure the authentication timeout only and then upload the profile to FTD. If you want to change other settings, you can do so now.
- If you have not already done so, download and install the AnyConnect profile editor package. You can find this in the Cisco Software center (software.cisco.com) in the folder for your AnyConnect version. The base path at the time of this writing is Downloads Home > Security > VPN and Endpoint Security Clients > Cisco VPN Clients > AnyConnect Secure Mobility Client.
- Open the AnyConnect VPN Profile Editor.
- Select Preferences (Part 2) in the table of contents, scroll to the end of the page, and change Authentication Timeout to 60 (or more). This description is based on the AnyConnect 4.7 VPN Profile Editor; the layout in previous or subsequent versions might be different.
- Choose File > Save, and save the profile XML file to your workstation with an appropriate name, for example, duo-ldap-profile.xml.
- You can now close the VPN Profile Editor application.
- In CDO, Upload RA VPN AnyConnect Client Profile.
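If you manage many profiles, or want to confirm what the editor wrote before uploading, the timeout can also be checked and enforced directly in the profile XML. The following Python script is an added example, not Cisco's Profile Editor. It assumes the layout the editor produces, with AuthenticationTimeout as a child of ClientInitialization under the AnyConnectProfile root in the http://schemas.xmlsoap.org/encoding/ namespace; the embedded sample profile (host vpn.example.com, a 12-second timeout) is constructed for the demonstration.

```python
"""Check or enforce AuthenticationTimeout in an AnyConnect VPN profile XML.

Added example, not Cisco code. Assumes the Profile Editor layout:
<AnyConnectProfile><ClientInitialization><AuthenticationTimeout>. The
procedure recommends at least 60 seconds so users can finish the Duo step.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"
MIN_TIMEOUT = 60   # seconds; minimum recommended for Duo secondary authentication

# Constructed sample in the assumed editor layout; values are illustrative only.
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AuthenticationTimeout>12</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _timeout_value(node: ET.Element | None) -> int | None:
    if node is None or not node.text or not node.text.strip().isdigit():
        return None
    return int(node.text.strip())


def get_auth_timeout(xml_text: str) -> int | None:
    """Return the configured AuthenticationTimeout in seconds, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}AuthenticationTimeout")
    return _timeout_value(node)


def ensure_auth_timeout(xml_text: str, seconds: int = MIN_TIMEOUT) -> str:
    """Return the profile with AuthenticationTimeout >= seconds.

    Creates the element (and ClientInitialization) if missing; never lowers a
    value that is already larger, since an administrator may have raised it.
    """
    ET.register_namespace("", NS)   # keep the default namespace on output
    root = ET.fromstring(xml_text)
    init = root.find(f"{{{NS}}}ClientInitialization")
    if init is None:
        init = ET.Element(f"{{{NS}}}ClientInitialization")
        root.insert(0, init)
    node = init.find(f"{{{NS}}}AuthenticationTimeout")
    if node is None:
        node = ET.SubElement(init, f"{{{NS}}}AuthenticationTimeout")
    current = _timeout_value(node) or 0
    if current < seconds:
        node.text = str(seconds)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


if __name__ == "__main__":
    # Usage: anyconnect_timeout.py duo-ldap-profile.xml > fixed-profile.xml
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    before = get_auth_timeout(src)
    fixed = ensure_auth_timeout(src)
    print(fixed, end="")
    print(f"AuthenticationTimeout: {before} -> {get_auth_timeout(fixed)}", file=sys.stderr)
```

Upload the resulting XML as the RA VPN AnyConnect client profile in CDO exactly as you would a file saved by the editor; only the timeout element is touched.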
- Create a group policy and select the AnyConnect profile in the policy.
The group policy that you assign to a user controls many aspects of the connection. The following procedure explains how to assign the profile XML file to the group. For more information, see Create New FTD RA VPN Group Policies.
- On the CDO navigation page, click Objects.
- To edit an existing group policy, use the RA VPN Group Policy filter to show only group policies, open the policy you want to change, and save it after editing.
- To create a new group policy, click RA VPN Objects (ASA & FTD) > RA VPN Group Policy.
- On the General page, configure the following properties:
- Name — For a new profile, enter a name. For example, Duo-LDAP-group.
- AnyConnect Client Profiles — Select the AnyConnect client profile object that you created.
- Click Add to save the object.
- Click VPN > Remote Access VPN Configuration.
- Click the remote access VPN configuration that you want to update.
- In the Actions pane on the right, click Group Policies.
- Click + to select the group policies that you want to associate with the VPN configuration.
- Click Save to save the group policy.
- Create or edit the remote access VPN connection profile to use for Duo-LDAP secondary authentication.
The following procedure covers only the key changes needed to enable Duo-LDAP as the secondary authentication source and apply the AnyConnect client profile. For a new connection profile, you must also configure the rest of the required fields. This procedure assumes you are editing an existing connection profile and only need to change these two settings.
- On the CDO navigation page, click VPN > Remote Access VPN Configuration.
- Expand the remote access VPN configuration and click the connection profile that you want to update.
- In the Actions pane on the right, click Edit.
- Under Primary Identity Source, configure the following:
- Authentication Type — Choose either AAA Only or AAA and Client Certificate. You cannot configure two-factor authentication unless you use AAA.
- Primary Identity Source for User Authentication — Select your primary Active Directory or RADIUS server. Note that you can select a Duo-LDAP identity source as the primary source. However, Duo-LDAP provides authentication services only, not identity services, so if you use it as a primary authentication source, you will not see usernames associated with RA VPN connections in any dashboards, and you will not be able to write access control rules for these users. (You can configure fallback to the local identity source if you want to.)
- Secondary Identity Source — Select the Duo-LDAP identity source.
Note: If the usernames in the Primary Identity Source and the Secondary Identity Source are the same, we recommend enabling Use Primary username for Secondary login in the Advanced options of the Connection Profile. With this setting, the end user enters a single username that is used for both the primary and the secondary identity source.
- Click Continue.
- On the Group Policy page, select the group policy that you created or edited.
- Click Continue.
- Click Done to save your changes to the connection profile.