However, there are some cases where it might make sense for you to deploy a new proxy server for a new application, like if you want to co-locate the Duo proxy with the application it will protect in the same data center. You don't have to set up a new Authentication Proxy server for each application you create. If you are already running a Duo Authentication Proxy server in your environment, you can use that existing host for additional applications, appending the new configuration sections to the current config. This Duo proxy server will receive incoming RADIUS requests from your Cisco FTD SSL VPN, contact your existing local LDAP/AD or RADIUS server to perform primary authentication, and then contact Duo's cloud service for secondary authentication. To integrate Duo with your Cisco FTD SSL VPN, you will need to install a local Duo proxy service on a machine within your network. You should already have a working primary authentication configuration for your Cisco FTD SSL VPN users before you begin to deploy Duo. Primary and Duo secondary authentication occur at the identity provider, not at the ASA itself.īefore moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. This deployment option features Duo Single Sign-On, our cloud-hosted SAML 2.0 identity provider. The SAML VPN instructions for Firepower 6.7 and later feature inline enrollment and the interactive Duo Prompt for both web-based VPN logins and An圜onnect 4.6+ client logins. The instructions also assume you already have a functioning FTD Remote Access SSL VPN deployment using an existing AAA authentication server (like an on-premises AD/LDAP directory).ĭuo supports RADIUS 2FA configuration starting with FTD and FMC versions 6.3.0. These instructions walk you through adding two-factor authentication via RADIUS to your FTD using the Firepower Management Center (FMC) console. This configuration does not feature the interactive Duo Prompt for web-based logins, but does capture client IP information for use with Duo policies, such as geolocation and authorized networks. Overviewĭuo MFA for Cisco Firepower Threat Defense (FTD) supports push, phone call, or passcode authentication for An圜onnect desktop and An圜onnect mobile client VPN connections that use SSL encryption. Duo integrates with your Cisco Firepower Threat Defense (FTD) SSL VPN to add two-factor authentication to An圜onnect VPN logins.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |