These instructions walk you through adding two-factor authentication via RADIUS to your FTD using CDO. The instructions also assume you already have a functioning FTD Remote Access SSL VPN deployment using an existing AAA authentication server (like an on-premises AD/LDAP directory).
Create a Duo Account
Following is an overview of the process. For details, please see the Duo web site, https://duo.com.
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate Cisco Firepower Threat Defense VPN in the applications list.
- Click Protect this Application to get your integration key, secret key, and API hostname. You'll need this information when configuring the proxy. For help, see the Duo Getting Started guide, https://duo.com/docs/getting-started.
- Install and configure the Duo Authentication Proxy. For instructions, see the "Install the Duo Authentication Proxy" section in https://duo.com/docs/cisco-firepower.
- Start the Authentication Proxy. For instructions, see the "Start the Proxy" section in https://duo.com/docs/cisco-firepower.
For enrolling new users in Duo, see https://duo.com/docs/enrolling-users.
Configure FTD for Duo RADIUS Using CDO
- Configure FTD Radius Server Object.
- In the CDO navigation menu, click Objects > RA VPN Objects (ASA & FTD) > Identity Source.
- Provide a name and set the Device Type as FTD.
- Select Radius Server Group and click Continue. For details, see step 6 in Create or Edit an FTD RADIUS Server Group.
- In the Radius Server section, click the Add button and click Create New Radius Server. See Create or FTD RADIUS Server Object.
Note: In the Server Name or IP Address field, enter your Duo Authentication Proxy server's fully-qualified hostname or IP address.
- Once you have added the Duo RADIUS server to the group, click Add to create the new Duo RADIUS server group.
- Change the Remote Access VPN Authentication Method to Duo RADIUS.
- In the CDO navigation menu, click VPN > Remote Access VPN Configuration.
- Expand the VPN configuration and click on the connection profile to which you want to add Duo.
- In the Actions pane on the right, click Edit.
- Select the Authentication Type can be AAA or AAA and Client Certificate.
- In the Primary Identity Source for User Authentication list, select the server group you created earlier.
- You typically do not need to select an "Authorization Server" or "Accounting Server".
- Click Continue.
- In the Summary and Instructions step, click Done to save the configuration.
- Review and deploy now the changes you made, or wait and deploy multiple changes at once.