Quick tech specs
Designed as the industry's first compatible, threat-focused next-generation firewall (NGFW), the Cisco® ASA 5506-X with FirePOWER Services security appliance ensures network safety. The firewall combines verified security capabilities with industry-leading Sourcefire threat and Advanced Malware Protection. The Cisco ASA 5506-X with FirePOWER Services security appliance includes integrated defense for the entire attack continuum. Indications of compromise (IoCs) compare specific network and endpoint data, adding visibility into malware infections. Whether for a single data center or a distributed enterprise, the Cisco ASA 5506-X security appliance provides the necessary conditions for NGFW handling. The Cisco FireSIGHT Management Center offers insight into devices, users and files between virtual machines, client-side applications and web sites.
Duo integrates with your Cisco ASA or Firepower VPN to add two-factor authentication to AnyConnect logins. Duo can add two-factor authentication to ASA and Firepower VPN connections in a variety of ways. Learn more about these configurations and choose the best option for your organization.

Cisco ASA with AnyConnect

ASA SSL VPN using Duo Single Sign-On
Choose this option for the best end-user experience for ASA with a cloud-hosted identity provider. With this SAML configuration, end users experience the interactive Duo Universal Prompt when using the Cisco AnyConnect Client for VPN. The interactive MFA prompt gives users the ability to view all available authentication device options and select which one to use, self-enroll new or replacement 2FA devices, and manage their own registered devices. Duo WebAuthn authenticators like Touch ID and security keys are supported in recent ASA and AnyConnect software releases. This configuration also lets administrators gain insight about the devices connecting to the VPN and apply Duo policies such as device health requirements or access policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client. Primary authentication and Duo MFA occur at the identity provider, not at the ASA itself.
Read the deployment instructions for ASA with Duo Single Sign-On.

ASA SSL VPN using Duo Access Gateway
We recommend choosing ASA SSL VPN using Duo Single Sign-On instead of Duo Access Gateway. With this SAML configuration, end users experience the interactive Duo Prompt when using the Cisco AnyConnect Client for VPN. The interactive MFA prompt gives users the ability to view all available authentication device options and select which one to use, self-enroll new or replacement 2FA devices, and manage their own registered devices. This configuration also lets administrators gain insight about the devices connecting to the VPN and apply Duo policies such as device health requirements or access policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client. Primary authentication and Duo MFA occur at the identity provider, not at the ASA itself.
Read the deployment instructions for ASA with Duo Access Gateway.

ASA SSL VPN using RADIUS
Choose this option for ASA and AnyConnect deployments that do not meet the minimum product version requirements for SAML SSO. With this configuration, end users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the AnyConnect Client or clientless SSL VPN via browser. Users may append a different factor selection to their password entry. This configuration supports Duo policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client, and supports configurable fail mode if the Authentication Proxy server cannot contact Duo's service.
Read the deployment instructions for ASA with RADIUS.

ASA SSL VPN using LDAPS
When using this option with the clientless SSL VPN, end users experience the interactive Duo Prompt in the browser. The AnyConnect client does not show the Duo Prompt, and instead adds a second password field to the regular AnyConnect login screen where the user enters the word “push” for Duo Push, the word “phone” for a phone call, or a one-time passcode. This configuration does not support IP-based network policies or device health requirements when using the AnyConnect client, and will always fail authentication if the ASA cannot contact Duo's service.
Read the deployment instructions for ASA with LDAPS.

Cisco Firepower with AnyConnect

FTD VPN using Duo Single Sign-On
Choose this option for the best end-user experience for FTD with a cloud-hosted identity provider. With this SAML configuration, end users experience the interactive Duo Universal Prompt when using the Cisco AnyConnect Client for VPN. The interactive MFA prompt gives users the ability to view all available authentication device options and select which one to use, self-enroll new or replacement 2FA devices, and manage their own registered devices. Duo WebAuthn authenticators like Touch ID and security keys are supported in recent Firepower and AnyConnect software releases. This configuration also lets administrators gain insight about the devices connecting to the VPN and apply Duo policies such as device health requirements or access policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client. Primary authentication and Duo MFA occur at the identity provider, not at the FTD itself.
Read the deployment instructions for FTD with Duo Single Sign-On.

FTD VPN using RADIUS
Choose this option for Cisco Firepower Threat Defense (FTD) Remote Access VPN. With this configuration, end users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the AnyConnect Client or clientless SSL VPN via browser. Users may append a different factor selection to their password entry. This configuration supports Duo policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client.
Read the deployment instructions for Firepower with RADIUS.

Cisco Identity Services Engine with AnyConnect

ISE with RADIUS
Choose this option for Cisco Identity Services Engine. With this configuration, end users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the AnyConnect Client. Users may append a different factor selection to their password entry. This configuration supports Duo policies for different networks (authorized networks, anonymous networks, or geographical locations as determined by IP address) when using the AnyConnect client.
Read the deployment instructions for ISE.