The Duo integration with Cisco Firepower Threat Defense (FTD) SSL VPN allows for two-factor authentication on AnyConnect or Secure Client VPN logins. Duo MFA for FTD supports push, phone call, or passcode authentication for SSL encrypted VPN connections, but does not include the interactive Duo Prompt for web-based logins. These instructions explain the process of adding two-factor authentication via RADIUS to your FTD using the Firepower Management Center (FMC) console.
To integrate Duo with your Cisco FTD SSL VPN, you will need to install a local Duo proxy server on a machine within your network. This proxy server will handle incoming RADIUS requests from the VPN, contact your existing LDAP/AD or RADIUS server for primary authentication, and then interact with Duo’s cloud service for secondary authentication.
The walkthrough includes steps for downloading and installing the Duo Authentication Proxy on Windows, CentOS, Fedora, Red Hat Enterprise Linux, Ubuntu, or Debian systems. The configuration of the authentication proxy involves setting up your primary authenticator, either Active Directory or RADIUS, and then configuring the proxy for your Cisco FTD SSL VPN.
Once the proxy is set up, you need to start the service and configure your Cisco FTD in the FMC console to use the Duo RADIUS server group for Remote Access VPN authentication. After deploying the changes to the FTD device, you can test the setup by logging in with a user enrolled in Duo and completing the two-factor authentication process.
For troubleshooting, there are resources available such as the troubleshooting tips for the Authentication Proxy and the connectivity tool included with Duo Authentication Proxy versions 2.9.0 and later. Additionally, you can refer to Cisco’s Frequently Asked Questions page or contact Support for further assistance.
Article Source
https://duo.com/docs/cisco-firepower