how-to-install-duo-security-2fa-for-cisco-asa-ssl-vpn-primary-configuration


[Narrator] Hello, I'm Matt from Duo Security.

In this video, I am going to show you how to protect your Cisco ASA SSL VPN logins with Duo.

During the setup process, you can use the Cisco Adaptive Security Device Manager, or ASDM.

Before watching this video, be sure to reference the documentation for installing this configuration at duo.com/docs/cisco.

Note that this configuration supports inline self-service enrollment and the Duo Prompt.

Our alternate RADIUS-based Cisco configuration offers additional features such as configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt.

Read about that configuration at duo.com/docs/cisco-alt.

First, make sure that Duo is compatible with your Cisco ASA device.

We support ASA firmware version 8.3 or later.

You can check which version of the ASA firmware your device is using by logging into the ASDM interface.

Your firmware version will be listed in the Device Information box next to ASA Version.

In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

(light music) To begin the installation process, log in to the Duo Admin Panel.

In the Admin Panel, click Applications.

Then click Protect an Application.

Type in “cisco”.

Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's Properties page.

At the top of this page, click the link to download the Duo Cisco zip package.

Note that this file contains information specific to your application.

Unzip it somewhere convenient and easy to access, like your desktop.

Then click the link to open the Duo for Cisco documentation.

Keep both the documentation and Properties pages open as you continue through the setup process.

After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.

Log on to your Cisco ASDM.

Click the Configuration tab and then click Remote Access VPN in the left menu.

Navigate to Clientless SSL VPN Access, Portal, Web Contents.

Click Import.

In the Source section, select Local Computer, and click Browse Local Files.

Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package.

After you select the file, it will appear in the Web Page Path box.

In the Destination section, under Require authentication to access its content?, select the radio button next to No.

Click Import Now.

Navigate to Clientless SSL VPN Access, Portal, Customization.

Select the Customization Object you want to modify.

For this video, we will use the default customization template.

Click Edit.

In the outline menu on the left, under Logon Page, click Title Panel.

Copy the string provided in step nine of the Modify the sign-in page section of the Duo Cisco documentation and paste it into the text box.

Replace “X” with the file version you downloaded.

In this case, it is “6”.

Click OK, then click Apply.

Now you need to add the Duo LDAP server.

Navigate to AAA/Local Users, AAA Server Groups.

In the AAA Server Groups section at the top, click Add.

In the AAA Server Group field, type in Duo-LDAP.

In the Protocol dropdown, select LDAP.

Newer versions of the ASA firmware require you to provide a realm-id.

In this example, we will use “1”.

Click OK.

Select the Duo-LDAP group you just added.

In the Servers in the Selected Group section, click Add.

In the Interface Name dropdown, choose your external interface.

It may be named outside.

In the Server Name or IP Address field, paste the API hostname from your application's Properties page in the Duo Admin Panel.

Set the Timeout to 60 seconds.

This gives your users enough time during login to respond to the Duo two-factor request.

Check Enable LDAP over SSL.

Set Server Type to Detect Automatically/Use Generic Type.

In the Base DN field, enter dc= then paste your integration key from the application's Properties page in the Duo Admin Panel.

After that, type ,dc=duosecurity,dc=com.

Set Scope to One level beneath the Base DN.

In the Naming Attributes field, type cn.

In the Login DN field, copy and paste the information from the Base DN field you entered above.

In the Login Password field, paste your application's secret key from the Properties page in the Duo Admin Panel.

Click OK, then click Apply.

Now configure the Duo LDAP server.

In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles.

Under Connection Profiles, select the connection profile you want to modify.

For this video, we will use the DefaultWEBVPNGroup.

Click Edit.

In the left menu, under Advanced, select Secondary Authentication.

Select Duo-LDAP in the Server Group list.

Uncheck the Use LOCAL if Server Group fails box.

Check the box for Use primary username.

Click OK, then click Apply.

If any of your users log in through desktop or mobile AnyConnect clients, you will need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.

In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile.

Select your AnyConnect client profile.

Click Edit.

In the left menu, navigate to Preferences (Part 2).

Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60.

Click OK, then click Apply.

With everything configured, it is now time to test your setup.

In a web browser, navigate to your Cisco ASA SSL VPN service URL.

Enter your username and password.

After you complete primary authentication, the Duo Prompt appears.

Using this prompt, users can enroll in Duo or complete two-factor authentication.

Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode.

Select Send Me a Push to send a Duo push notification to your smartphone.

On your phone, open the notification, tap the green button to accept, and you're logged in.

Note that when using the AnyConnect client, users will see a second password field.

This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode.

In addition, the AnyConnect client will not update to the increased 60 second timeout until a successful authentication is made.

It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout.

You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.
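
An added example, not part of the video or of Duo's or Cisco's tooling: a Python check that reads ASA configuration text and reports where the Duo-LDAP server entry or the connection profile departs from the settings in the walkthrough above. The CLI keywords are an assumed mapping of the ASDM fields, the sample configuration is constructed with placeholder values, and any setting the ASA leaves out of its output because it is at a default would be reported as missing.

```python
import re

# CLI equivalents of the ASDM settings in the walkthrough (mapping assumed).
REQUIRED = {"timeout": "60", "ldap-over-ssl": "enable",
            "ldap-scope": "onelevel", "ldap-naming-attribute": "cn"}
BASE_DN = re.compile(r"^dc=[^,\s]+,dc=duosecurity,dc=com$", re.I)

def audit(config, group="Duo-LDAP"):
    """Return findings; an empty list means the config matches the walkthrough."""
    host, profiles, section = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            is_host = line.startswith(f"aaa-server {group} ") and " host " in line
            is_tg = line.startswith("tunnel-group ") and line.endswith(" general-attributes")
            section = "host" if is_host else "tunnel" if is_tg else None
        elif section == "host":
            key, _, value = line.partition(" ")
            host[key] = value
        elif section == "tunnel" and line.startswith("secondary-authentication-server-group"):
            profiles.append(line.split()[1:])
    findings = [f"{k}: expected {v}, found {host.get(k)}"
                for k, v in REQUIRED.items() if host.get(k) != v]
    base = host.get("ldap-base-dn", "")
    if not BASE_DN.match(base):
        findings.append("ldap-base-dn is not dc=<integration key>,dc=duosecurity,dc=com")
    if host.get("ldap-login-dn") != base:
        findings.append("ldap-login-dn differs from ldap-base-dn")
    if not any(group in p and "use-primary-username" in p for p in profiles):
        findings.append(f"no connection profile uses {group} with use-primary-username")
    if any(group in p and "LOCAL" in p for p in profiles):
        findings.append("secondary authentication falls back to LOCAL")
    return findings

# Constructed sample; hostname and integration key are placeholders.
SAMPLE = """\
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 ldap-base-dn dc=INTEGRATION_KEY,dc=duosecurity,dc=com
 ldap-scope onelevel
 ldap-naming-attribute cn
 ldap-login-dn dc=INTEGRATION_KEY,dc=duosecurity,dc=com
 ldap-over-ssl enable
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Duo-LDAP use-primary-username
"""
if __name__ == "__main__":
    print(audit(SAMPLE) or "matches the walkthrough")
```

A LOCAL fallback on the secondary server group is flagged because the walkthrough unchecks that box, so that second-factor authentication is not handed to the local user database when the Duo server group fails.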

