Skip to main content



Cisco Defense Orchestrator

System Flow for Duo RADIUS Secondary Authentication

The following graphic shows how FTD and Duo work together to provide two-factor authentication using Radius.


Following is an explanation of the system flow:

  1. The user makes a remote access VPN connection to the FTD device and provides username associated with RADIUS/AD server, the password for the username configured in the RADIUS/AD server, followed by one of the DUO codes, Duo-password, push, SMS, or phone. For more information, Duo Two-Factor Authentication Using RADIUS
  2. FTD sends the authentication request to the Duo Authentication proxy. 
  3. Duo Authentication proxy authenticates this primary authentication attempt with the primary authentication server, which might be Active Directory or RADIUS.
  4. If the credentials are authenticated, the Duo Authentication Proxy connection is established to Duo Security over TCP port 443. 
  5. Duo then authenticates the user separately through push notification, text message with a passcode, or a telephone call. The user must complete this authentication successfully.
  6. Duo authentication proxy receives the authentication response.
  7. If the secondary authentication was successful, the FTD device establishes a remote access VPN connection with the user’s AnyConnect client.
  • Was this article helpful?