AnyConnect VPN with (and without) Duo
Of course we can configure a user’s status as Bypass in the Duo Admin Panel to not require 2FA…
But as an exercise we can also use Duo’s Auth Proxy alongside a separate authentication server in an environment that has both Duo 2FA users and non-2FA users. The end result is the same: end-users only have to type their credentials and they get a push; other factors such as phone are used as a fallback in the event that the push isn’t working (e.g. poor cell reception, etc).
Example, in an AD environment:
- One tunnel-group that uses the Duo Auth Proxy tied to Duo’s RADIUS application (not the Cisco RADIUS VPN application); for the LDAP integration, configure appropriate values in /opt/duoauthproxy/conf/authproxy.cfg to specify an AD security group whose members are 2FA users.
- Another tunnel-group that points to a separate authentication server, e.g. an NPS server with a RADIUS policy pointing to a different AD security group for non-2FA users.
Both tunnel-group aliases will show up in the AnyConnect client, but users will only be able to authenticate to the tunnel-group mapped to their respective AD security group, provided that the user account isn’t in both security groups.
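A minimal authproxy.cfg for the 2FA tunnel-group described above, written as an added example rather than the post’s own file: it restricts primary authentication to one AD security group and hands the RADIUS request from the ASA to Duo. The AD host, service account, group DN, Duo integration keys, API host, ASA address and RADIUS secret are placeholders or constructed values.

```ini
; Added example authproxy.cfg (not the post's own file).
; Values in <...> are placeholders; 10.31.255.10 is a constructed DC address.

[ad_client]
host=10.31.255.10
service_account_username=<svc-duo-readonly>
service_account_password=<service account password>
search_dn=DC=domain,DC=local
; Only members of this group pass primary authentication through the proxy,
; so a non-2FA user who picks the Duo tunnel-group is rejected here.
security_group_dn=CN=VPN-2FA-Users,OU=Groups,DC=domain,DC=local

[radius_server_auto]
; Keys from the Duo Admin Panel "RADIUS" application (not "Cisco RADIUS VPN").
ikey=<DUO_INTEGRATION_KEY>
skey=<DUO_SECRET_KEY>
api_host=<api-XXXXXXXX.duosecurity.com>
client=ad_client
; The ASA's inside interface is the RADIUS client; the secret must match
; the "key" on the ASA's aaa-server AAA-DUO host entry.
radius_ip_1=<ASA inside IP>
radius_secret_1=<shared secret>
port=1812
; "secure" rejects logins when Duo's cloud is unreachable; the default
; "safe" lets primary-auth-only logins through during an outage.
failmode=secure
```

With radius_server_auto the proxy sends a push first and falls back to phone callback, which is the behaviour the post describes; the ASA timeout of 90 seconds covers the time a user needs to approve the push.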
Group policy and webvpn config (10.31.254.51 is the internal DNS server):

```
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 dns-server value 10.31.254.51
 vpn-simultaneous-logins 5
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value domain.local
 split-dns value domain.local
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.6.01098-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-linux64-4.6.01098-webdeploy-k9.pkg 2 regex "Linux"
 anyconnect enable
 tunnel-group-list enable
 cache disable
 error-recovery disable
```
The TG-DUO tunnel-group is configured to use the AAA-DUO aaa-server(s), i.e. the Duo Auth Proxy server at 10.31.255.11. The timeout is bumped up a bit here to deal with potential latency with the push message.

```
tunnel-group TG-DUO type remote-access
tunnel-group TG-DUO general-attributes
 address-pool VPN_POOL
 authentication-server-group AAA-DUO
 default-group-policy GP-ANYCONNECT
tunnel-group TG-DUO webvpn-attributes
 group-alias AnyConnect disable
 group-alias "AnyConnect VPN - Duo" enable
!
aaa-server AAA-DUO protocol radius
aaa-server AAA-DUO (inside) host 10.31.255.11
 timeout 90
 key *****
```
The TG-NPS tunnel-group is configured to use the AAA-NPS aaa-server(s), i.e. the internal NPS server at 10.31.255.12. The example assumes the NPS role is running on a separate server, i.e. not on the DC.

```
tunnel-group TG-NPS type remote-access
tunnel-group TG-NPS general-attributes
 address-pool VPN_POOL
 authentication-server-group AAA-NPS
 default-group-policy GP-ANYCONNECT
tunnel-group TG-NPS webvpn-attributes
 group-alias AnyConnect disable
 group-alias "AnyConnect VPN - non-2FA" enable
!
aaa-server AAA-NPS protocol radius
aaa-server AAA-NPS (inside) host 10.31.255.12
 key *****
```