AnyConnect implementation with Duo on MX

FCalderone

Hello,

I am looking to implement AnyConnect with Duo 2FA on the MX appliance. I have found documents to implement AnyConnect and it mentions authentication can be accomplished via SAML and an IdP from Duo. But it is not very clear on how this is accomplished. Am I protecting the MX in Duo with DAG, or am I protecting Azure AD in Duo? Is there a preferred method of implementing AnyConnect and Duo on the MX?

CptnCrnch
Kind of a big deal

If I were to design this, I'd highly recommend using the DAG.

It'd look like this:

  • Client connects to your MX, which is configured for SAML authentication
  • MX authenticates users against the DAG
  • DAG acts as the IdP, using Azure AD as the primary credential source (and possibly integrating with Conditional Access)

That is the path I was thinking of. But we do not have Azure AD, only on-prem LDAP and RADIUS.

As described in https://duo.com/docs/dag-linux, you're absolutely able to use an internal LDAP server as the primary credential provider.

In your case, you could also leverage the Duo Authentication Proxy, which would act as the RADIUS server for your MX. The AuthProxy itself would then authenticate users against your internal LDAP directory.

DAG, on the other hand, can act as your starting point on an interesting journey into SSO. 😉
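For the RADIUS path described in the reply above (MX as RADIUS client, Duo Authentication Proxy in front of an on-prem LDAP directory), the following authproxy.cfg is an added illustration and not configuration from this thread or from Duo's documentation. The hostname, IP address, service account, search base, integration key, secret key, API hostname and RADIUS shared secret are all placeholders you must replace with your own values.

```ini
; Example authproxy.cfg for MX AnyConnect RADIUS -> Duo Authentication Proxy -> on-prem LDAP.
; Added illustration only; every host, key and secret below is a placeholder.

; Primary authentication: the proxy binds to your LDAP directory with a
; read-only service account and verifies the user's password there.
[ad_client]
host=ldap.corp.example
service_account_username=duo-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=corp,DC=example
; For a non-Active-Directory LDAP server, name the attribute users log in with
; (the default is sAMAccountName):
; username_attribute=uid

; RADIUS listener the MX talks to. "auto" lets the user append a factor
; (e.g. ",push" or a passcode) to the password or just get a push by default.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Only accept RADIUS requests from the MX; the secret must match the MX side.
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
; "secure" rejects logins when the Duo cloud is unreachable; the default "safe"
; would let users through on primary password alone during an outage.
failmode=secure
port=1812
```

On the MX, point the AnyConnect RADIUS server at the proxy host on UDP 1812 with the same shared secret, and allow that traffic from the MX's LAN address to the proxy. Because a Duo push waits for the user to tap approve, the RADIUS exchange takes far longer than a plain password check; if the MX lets you set a RADIUS timeout, raise it well above the default (Duo suggests around 60 seconds), otherwise confirm in testing that the push completes before the MX gives up and retries. Setting failmode=secure is the cautious choice for a VPN: a Duo outage then means no remote access rather than password-only access.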

PhilipDAth
Kind of a big deal

I wouldn't recommend anyone deploy Duo DAG now. Duo Central is a similar, newer product, but 100% cloud-based. It is included in all Duo subscriptions.

https://duo.com/docs/duo-central 

Personally, I have converted all of my Duo DAG customers to Duo Central now.

Duo Central can authenticate against either Active Directory or Azure AD. I would authenticate against whatever is the most "authoritative" source in your network.

Duo Central also lets you add cool features like inline AD password reset (for users with expired passwords), passwordless login (although this does not work with AnyConnect yet ...), trusted computer requirements, device health requirements, etc.
